[Snort-sigs] SID new .phps PHP-source access

Busch, Andreas Andreas.Busch at ...300...
Wed Jan 23 05:45:09 EST 2002


> # This is a template for submitting snort signature descriptions to
> # the snort.org website
> #
> # Ensure that your descriptions are your own
> # and not the work of others.  References in the rules themselves
> # should be used for linking to other's work. 
> #
> # If you are unsure of some part of a rule, use that as a commentary
> # and someone else perhaps will be able to fix it.
> # 
> # $Id$
> #
> # 
> 
> Rule:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC .phps PHP-source access"; uricontent:".phps"; nocase; flags:a+; classtype:web-application-activity; sid:new; rev:1;)

> --
> Sid:
new

> --
> Summary:
> Someone tried to access the source-code of PHP pages on your webserver.
> 
> --
> Impact:
> An attacker might be able to look inside your PHP pages' source code, which
> may contain critical information on e.g. database names, users, passwords,
> your filesystem structures, software versions or code vulnerabilities.

> --
> Detailed Information:
The PHP language enables you to provide dynamic webpages. An internal
feature of PHP is to serve the source content of PHP pages without
preprocessing. PHP source code has its own file suffix, .phps, which is
especially declared in your webserver's configuration. Anyway, it is not
possible to access .phps pages as long as they don't exist or they're
linked to their according .php pages.

> --
> Attack Scenarios:
> An attacker sends an HTTP request like:
> http://your.site/index.phps
> http://your.site/someapp/config.phps
> 
> --
> Ease of Attack:
> Fairly simple hand-crafting of URLs by the attacker. 
> 
> --
> False Positives:
You're providing PHP-Sourcecode pages for others to see how they work.

> --
> False Negatives:
> 
> --
> Corrective Action:
Check if the content of your .phps files really is not confidential;
additionally, check for links which point .phps files to
.php/.phtml/.php3/.php4 files.
.phps access should be denied inside your webserver configuration, unless
you really want to provide access to your webpages' source code.

> --
> Contributors:
> 
> -- 
> Additional References:
> 
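
The check described under Corrective Action, as an added example that is not part of the original post or of Snort: a Python audit that walks a document root and reports every .phps entry, marking those that are symbolic or hard links to .php/.phtml/.php3/.php4 scripts. The function names, the constructed sample tree and the hard-link detection by inode are assumptions of this example.

```python
import os
import tempfile

# Script suffixes the post names as targets of .phps links.
PHP_SUFFIXES = (".php", ".phtml", ".php3", ".php4")

def audit_phps(docroot):
    """Return sorted (relative_path, kind, linked_script) per .phps entry.
    kind is "symlink" or "hardlink" when the entry resolves to a PHP script,
    else "file" (review its content by hand)."""
    docroot = os.path.realpath(docroot)
    entries = [os.path.join(d, f) for d, _, files in os.walk(docroot) for f in files]
    # Inodes of real PHP scripts, so hard-linked .phps copies can be recognised.
    scripts = {}
    for path in entries:
        if path.lower().endswith(PHP_SUFFIXES) and not os.path.islink(path):
            st = os.stat(path)
            scripts[(st.st_dev, st.st_ino)] = os.path.relpath(path, docroot)
    findings = []
    for path in entries:
        if not path.lower().endswith(".phps"):  # case-insensitive, like nocase in the rule
            continue
        kind, linked = "file", None
        if os.path.islink(path):
            target = os.path.realpath(path)
            if target.lower().endswith(PHP_SUFFIXES):
                kind, linked = "symlink", os.path.relpath(target, docroot)
        else:
            st = os.lstat(path)
            linked = scripts.get((st.st_dev, st.st_ino))
            kind = "hardlink" if linked else "file"
        findings.append((os.path.relpath(path, docroot), kind, linked))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample docroot (not from the post) covering all three kinds."""
    app = os.path.join(root, "someapp")
    os.makedirs(app)
    for path in (os.path.join(root, "index.php"), os.path.join(app, "config.php"),
                 os.path.join(root, "howto.PHPS")):
        with open(path, "w") as fh:
            fh.write("<?php /* constructed sample */ ?>\n")
    os.symlink("index.php", os.path.join(root, "index.phps"))
    os.link(os.path.join(app, "config.php"), os.path.join(app, "config.phps"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*audit_phps(tmp), sep="\n")
```

Entries reported as "symlink" or "hardlink" expose the source of a live script; entries reported as "file" are the ones to read for confidential content.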



