alert http any any -> $HOME_NET any (msg:"ET EXPLOIT ownCloud Information Disclosure Attempt (CVE-2023-49103)"; flow:established,to_server; flowbits:set,ET.CVE-2023-49103.request; http.uri; content:"/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"; fast_pattern; reference:url,www.labs.greynoise.io//grimoire/2023-11-29-owncloud-redux/; reference:url,owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/; reference:cve,2023-49103; reference:url,www.rapid7.com/blog/post/2023/12/01/etr-cve-2023-49103-critical-information-disclosure-in-owncloud-graph-api/; classtype:attempted-recon; sid:2049614; rev:2; metadata:attack_target Server, created_at 2023_12_07, cve CVE_2023_49103, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_06_23, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)