We have just released signature update 4.36 for users of the new Trustwave Web Application Firewall (WAF) version 7.0.
These new rules help protect users' web applications against malicious traffic targeting the vulnerabilities listed below.
Drupal Core SQL Injection (CVE-2014-3704)
A vulnerability in Drupal core 7.x versions prior to 7.32 allows an attacker to send specially crafted requests resulting in arbitrary SQL execution that can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users.
Encrypted Communications Could Not Be Inspected
Trustwave Web Application Firewall was updated to allow users to more easily identify when a configuration with unsupported encryption methods is in use.
WordPress Symposium Unauthenticated File Upload (CVE-2014-10021)
The WordPress Symposium plugin allows users to upload several types of files. The restriction on which file types a user may upload is enforced at only one upload location (file_upload_form.php). This can allow an unauthenticated attacker to upload malicious files.
How to Update
No action is required of customers who run version 7.0 of Trustwave WAF and subscribe to the online update feature. Their deployments will receive the update automatically.
PLEASE NOTE: Even if blocking actions are defined for a protected site, simulation mode for this rule is ON by default so that site managers can inspect the impact of new rules before actually blocking relevant traffic. If you would like to activate blocking actions for this rule, you need to update the Actions for this signature in the Policy Manager.