[Snort-sigs] WEB-MISC iPlanet ../../ DOS attempt

Khan khan at ...270...
Tue Jan 22 12:45:04 EST 2002


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC iPlanet ../../ DOS attempt"; content:"GET "; offset:0; depth:4; uricontent:"/../../../../../../../../../../../"; flags:A+; classtype:web-application-attack; sid:1049; rev:2;)

--
Sid: 1049

--
Summary: A denial of service vulnerability exists in iPlanet Enterprise Server 4.1 that allows for a remote attacker to send a HTTP GET request with "/../../../../../../../../../../../" that causes the server to hang.

--
Impact:  Users will not be able to access the Web server.

--
Detailed Information:  A remote malicious user can cause a Denial of Service on a server running iPlanet Enterprise Server 4.1 or below.  The user attacks the server by sending a malformed URL that causes the server to hang.

--
Attack Scenarios:  An attacker will send the malformed URL request to the server in an attempt to deny Web access to that server.

--
Ease of Attack: The attacker simply sends a URL request with "/../../../../../../../../../../../".

--
False Positives: None known.

--
False Negatives: None known.

--
Corrective Action: Upgrade to iPlanet Web Server version 4.1 Service Pack 8 or later.

--
Contributors: Andy Boncek <khan at ...270...>

-- 
Additional References:

The Register: http://www.theregister.co.uk/content/55/23609.html

Iplanet: http://www.iplanet.com/products/iplanet_web_enterprise/iwsalert5.11.html

CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0252

BugTraq: http://www.securityfocus.com/bid/2282

BugTraq: http://www.securityfocus.com/archive/1/157641






More information about the Snort-sigs mailing list