[prev in list] [next in list] [prev in thread] [next in thread]
List: snort-sigs
Subject: [Snort-sigs] false uricontent on sid 1600 ?
From: rmkml <rmkml () free ! fr>
Date: 2005-08-26 19:52:41
Message-ID: Pine.LNX.4.63.0508262048090.1398 () npre ! npre ! pbz
[Download RAW message or body]
Hi,
look sid 1600 :
web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-CGI htsearch arbitrary configuration file attempt";
flow:to_server,established; uricontent:"/htsearch?-c"; nocase;
reference:cve,2000-0208; classtype:web-application-attack; sid:1600;
rev:6;)
Found snort msg on nessus script :
script_id(10385);
script_cve_id("CAN-2000-1191");
script_bugtraq_id(4366);
name["english"] = "ht://Dig's htsearch reveals web server path";
...
desc["english"] = "ht://Dig's htsearch CGI can be
used to reveal the path location of the its configuration files.
This allows attacker to gather sensitive information about the remote
host.
For more information see:
http://www.securiteam.com/exploits/htDig_reveals_web_server_configuration_paths.html
...
foreach dir (cgi_dirs())
{
req = string(dir,
"/htsearch?config=foofighter&restrict=&exclude=&method=and&format=builtin-long&sort=score&words=");
ok also, modify uricontent to "/htsearch?config" ?
modify cve 2000-0208 -> 2000-1191
add ref BID 4366 and nessus 10385 and osvdb 292
Regards
Rmkml
-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic