[Snort-sigs] sid 976

Chris Green cmg at ...26...
Thu Jan 17 11:10:04 EST 2002


(msg:"WEB-IIS .bat? access";flags: A+;
uricontent:".bat?&"; nocase; reference:bugtraq,2023;
reference:cve,CVE-1999-0233;
classtype:web-application-activity;
sid:976; rev:3;)

I think the uricontent should be ".bat?" 

support.microsoft.com/support/kb/articles/Q148/1/88.asp
support.microsoft.com/support/kb/articles/Q155/0/56.asp

This looks like a bug from the NT 3.51 with IIS 1

We probably need a way to indicate how old an vulnerability is so
people that know their network well can disable them.  That said, I
have seen a successful phf attack in the past month so old crap does
pop up now and then.

-- 
Chris Green <cmg at ...26...>
Fame may be fleeting but obscurity is forever.




More information about the Snort-sigs mailing list