alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Apache OFBiz Authentication Bypass Vulnerability (CVE-2023-49070)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/webtools/control/xmlrpc"; startswith; fast_pattern; content:"/?"; distance:0; within:3; content:"USERNAME"; content:"PASSWORD"; content:"requirePasswordChange=Y"; http.request_body; content:"|3c 3f|xml version|3d 22|1.0|22 3f 3e|"; startswith; content:"|3c|methodCall|3e|"; distance:0; within:30; content:"|3c|serializable xmlns|3d 22|http|3a 2f 2f|ws.apache.org/xmlrpc/namespaces/extensions|22 3e|"; distance:0; within:500; reference:url,attackerkb.com/topics/OitLfY28up/cve-2023-49070?referrer=activityFeed; reference:url,www.vicarius.io/vsociety/posts/apache-ofbiz-authentication-bypass-vulnerability-cve-2023-49070-and-cve-2023-51467; reference:cve,2023-49070; classtype:trojan-activity; sid:2050067; rev:2; metadata:affected_product Web_Server_Applications, created_at 2024_01_12, cve CVE_2023_49070, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, reviewed_at 2024_10_03, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)