[Snort-sigs] sid 1184

Christopher_Lubrecht at ...381... Christopher_Lubrecht at ...381...
Thu Mar 14 19:30:09 EST 2002

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC Netscape Enterprise
Server directory view"; flags:A+; uricontent:"?wp-ver-info"; nocase;
reference:bugtraq,1063; classtype:attempted-recon; sid:1184; rev:2;)
Netscape Enterprise Server 3.x is shipped with an insecure directory indexing
feature, enabled by default. This feature can be utilized by simply appending
commands to the end of the URL.
This vulnerability can be used to fingerprint your webservers, and give the
attacker access to information stored on your webserver. In extreme cases, (such
as a server run in a non-chrooted environment), the attacker could gain access to
more sensitive system files, which could lead to machine or network compromise.
Detailed Information:
The attacker can browse your webserver directory structure, by attaching one of
many commands to the end of a standard URL.

ex. http://www.target.server/?wp-cs-dump

Additional commands include the following, each accomplishing the same as the


Attack Scenarios:
An 'exploit' to scan for this vulnerability, exists in the 'wild'. While this
exploit only scans a single host. it could be scripted into a large scanning
suite. The attacker might run this scan unattended, and single out networks for
attack at a later date. The information gathered might make one server more
attractive than another.
Ease of Attack:
False Positives:

False Negatives:

Corrective Action:
Disable this feature in the server configuration.
Christopher Lubrecht - chris_lubrecht at ...382...
Additional References:
bugtraq 1063



Any views or opinions are solely those of the
author and do not necessarily represent those
of PR Newswire. The contents are intended
only for the addressee and may contain confidential
and/or privileged material. If you are not the
intended recipient, please do not read, copy,
use or disclose this communication and notify
the sender.

More information about the Snort-sigs mailing list