Trustwave Web Application Firewall Signature Update 4.49 Now Available

We have now released CorSigs version 4.49 for Trustwave Web Application Firewall (WAF) versions 7.5, 7.6 and 8.0. The purpose of these rules is to detect attack sequences or classes of attacks on web applications and their components.

Release Summary

  • HTTPoxy Proxy Injection (CVE-2016-5387)

HTTPoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments.

Since most web servers currently run in CGI or CGI-like environments, this vulnerability has major implications for the web.

An attacker could manipulate the web server targeted to send HTTP requests to a chosen destination and even act as a proxy for all the web server's outgoing HTTP requests.

This vulnerability has caused many websites globally to be vulnerable to Denial of Service attacks and data theft.

  • SEMrushBot

SEMrushBot is search bot software that is sent out to discover and collect new and updated data about websites.

Search bots (also called web crawlers or bots) are automatic programs that explore sites and may perform unwanted actions. These include stealing intellectual property, collecting other information, wasting bandwidth and increasing server load.

Data collected by SEMrushBot is used in AdSense (Display Advertising) reports, the public backlink search engine index maintained as a dedicated tool called "SEMrush backlinks", as well as the Site Audit tool that analyzes on-page SEO, technical and usability issues.

By using this rule you can prevent SEMrushBot from scanning your website.

  • IIS RCE in Windows Server 2003 R2 (CVE-2017-7269)

A remote code execution vulnerability was found in Internet Information Services (IIS) in Microsoft Windows Server 2003 R2.

A buffer overflow vulnerability in the WebDAV service in IIS 6.0 allows a remote attacker to execute arbitrary code in a malformed HTTP request.

By using this rule you can prevent this vulnerability when using IIS in Windows Server 2003 R2.

How to Update

No action is required by customers running versions 7.5, 7.6 and 8.0 of Trustwave Web Application Firewall and who subscribe to the online update feature. Their deployments will update automatically.

Note that even if blocking actions are defined for a protected site, Simulation Mode for these rules is ON by default, so that site managers can inspect the impact of new rules before blocking relevant traffic. If you want to activate blocking actions for this rule, you must update the Actions for this signature in the Policy Manager.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.