After more exploits were discovered and further research was undertaken, Idappcom has released the following additional signatures:
8023939 MOVEit Transfer - File Upload (CVE-2023-34362)
8023940 MOVEit Transfer - 'X-siLock-SessVar' SQL Injection (CVE-2023-34362)
8023941 MOVEit Transfer - Trigger Payload - RCE (CVE-2023-34362)
Progress MOVEit Transfer is a web-based file transfer solution.
An SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database.
Researchers from Huntress discovered that the exploit creates a 'human2.aspx' file within the C:\MOVEitTransfer\wwwroot\ directory. This file enforces a static password for access, determined by the 'X-siLock-Comment' HTTP header. If this password is not supplied, the server returns a 404 and performs no further function.
Request HTTP Header - X-siLock-Comment
Additional HTTP Headers Identified: X-siLock-Step1, X-siLock-Step2, X-siLock-Step3
By creating multiple signatures and traffic files, we are able to detect attempts to exploit the MOVEit Transfer Application.
Idappcom has created signature 8023895 as well as signatures 8023905-8023907 along with their respective traffic files.
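The indicators described above (a request for human2.aspx, the X-siLock-Comment header and the X-siLock-Step1 to X-siLock-Step3 headers) can also be checked in captured HTTP requests. The following Python is an added example, not Idappcom's signature logic; the sample requests, the host name mft.example and the indicator labels are constructed for illustration, and any hit is a lead for review rather than proof of compromise.

```python
from urllib.parse import unquote, urlsplit

# Indicators named in the advisory text above.
WEBSHELL_FILE = "human2.aspx"
PASSWORD_HEADER = "x-silock-comment"
STEP_HEADERS = {"x-silock-step1", "x-silock-step2", "x-silock-step3"}

def parse_request(raw):
    """Split a raw HTTP/1.x request into (path, lower-cased header dict)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    parts = lines[0].split(" ")
    target = parts[1] if len(parts) >= 2 else ""  # tolerate a malformed request line
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    # Decode percent-escapes and fold case so "HUMAN2%2Easpx" is not missed.
    path = unquote(urlsplit(target).path).lower()
    return path, headers

def indicators(raw, status=None):
    """Return the sorted advisory indicators present in one request."""
    path, headers = parse_request(raw)
    hits = set()
    if path.rsplit("/", 1)[-1] == WEBSHELL_FILE:
        hits.add("human2.aspx-request")
        # The file answers 404 when the password header is not supplied,
        # so a 404 response does not show that the file is absent.
        if status == 404:
            hits.add("404-does-not-clear")
    if PASSWORD_HEADER in headers:
        hits.add("X-siLock-Comment")
    if STEP_HEADERS & headers.keys():
        hits.add("X-siLock-Step")
    return sorted(hits)

# Constructed sample traffic: (raw request, response status). Header values are placeholders.
SAMPLES = [
    ("GET /human2%2Easpx HTTP/1.1\r\nHost: mft.example\r\nx-silock-comment: <placeholder>\r\n\r\n", 404),
    ("GET /human.aspx HTTP/1.1\r\nHost: mft.example\r\n\r\n", 200),
    ("POST /HUMAN2.ASPX?x=1 HTTP/1.1\r\nHost: mft.example\r\nX-siLock-Step1: <placeholder>\r\n\r\n", 200),
]

if __name__ == "__main__":
    for raw, status in SAMPLES:
        print(status, raw.split("\r\n", 1)[0], "->", indicators(raw, status))
```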
If you are concerned that your business may be at risk of this vulnerability, or others, why not try out our Traffic IQ software which can scan your defences and report any issues. Learn more here: https://www.idappcom.co.uk/traffic-iq-professional