[Snort-sigs] Snortdb (Rule: WEB-IIS .asp$data access)

Mathieu Dessus mdessus at ...324...
Sat Jan 26 16:49:02 EST 2002


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:   WEB-IIS .asp$data access


--
Sid: 975

--
Summary: Attempt to access the source of a asp (or other scripting
language) hosted on an IIS web server using Windows alternate data
streams.

--
Impact: An attacker may have access to the source of scripted
applications of your webserver.

--
Detailed Information: On an NTFS file system, a file may have multiple
data streams. By requesting an access to a file, but specifiyng the data
stream on IIS 3, 4 or some other windows-based web server, the server
will return the data of the file instead of processing this data. 
It may be possible to access to sensitive information, like internal
address, passwords...

--
Attack Scenarios: An attacker adds "::$DATA" at the end of an asp or
other script url. 

--
Ease of Attack: Very easy: you just have to paste "::$DATA" to the end
of an URL.

--
False Positives:

--
False Negatives:

--
Corrective Action: Apply Microsoft patch.

--
Contributors:

-- 
Additional References: 
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q188806



PS: This is bugtraq number 149, not 140 !



-- 
Linux, c'est free mais c'est pas grave !




More information about the Snort-sigs mailing list