[Snort-sigs] snort sig db WEB-MISC http directory traversal

Drew Fahey dfahey at ...396...
Fri Mar 1 12:14:06 EST 2002


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 
 
Rule:  
WEB-MISC http directory traversal
--
Sid:
 
--
Summary:
A directory traversal has been attempted.  
--
Impact:
This indicates someone is trying to recursively access all of the
directories on a server through a vulnerable web server daemon or CGI
script.   
--
Detailed Information:
Web servers that are vulnerable to the directory traversal attack allow
the attack to happen because they do not properly check user input.  For
example a user could add a '..' to the directory path which would allow
access to the parent directory.  This could be used to climb the
directory tree to the root directory and then filter down through the
rest of the directories.  This signature is normally associated with a
specific vulnerability but can be caused by several possible exploits. 
--
Attack Scenarios:
The most common attack scenario for this signature is to issue a GET
request like this:
GET /cgi-bin/stats.pl?/files/../../../etc/passwd HTTP/1.0.
--
Ease of Attack:
A very easy attack to accomplish, however requires a vulnerable web
server and/or vulnerable CGI script
--
False Positives:
 
--
False Negatives:
 
--
Corrective Action:
Patch/Upgrade your web server. Fixes have been out for some time.  Check
your CGI scripts, and don't allow invalid inut.
 
Contributors:
 
-- 
Additional References:
ArachNIDS 297
CVE-1999-0842, CVE-1999-0887, CVE-2000-0436, CAN-2000-0443
Bugtraq 620, 689, 699, 743, 746, 772, 773, 827, 896, 921, 950, 968, 989,
1067, 1102, 1103, 1144, 1164, 1169, 1231, 1243, 1278, 1344, 1455, 1462,
1471, 1508, 1537  
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20020301/f230b9f6/attachment.html>


More information about the Snort-sigs mailing list