[Snort-sigs] Documentation rule 884
kbinsfield at ...1551...
Tue Dec 2 13:59:01 EST 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
Sid: WEB-CGI formmail access
Summary: A popular perl script (FormMail) by Matt Wright which emails
output of web forms.
Impact: Several vulnerabilities include server access, information
disclosure, spam relaying and mail anonymizing.
Detailed Information: Early versions (1.6 and prior) had several
vulnerabilities (Spam engine, ability to run commands under server id
and set environment variables) and should be upgraded immediately. Newer
versions can still be used by spammers for anonymizing email and
defeating email relay controls.
Affected Systems: All webservers with a working installation of this
Attack Scenarios: Information can be appended to the URL to use your
mail gateway avoiding SMTP relay controls. HTTP header information can
be manipulated to avoid access control methods in script. Allows SMTP
exploits that are normally available only to trusted (local) users such
as Sendmail % hack.
Ease of Attack: Attacks range from trivial to complex scripts.
False Positives: Legitimate use of the script can cause alerts. Verify
packet payload and watch web/mailserver logfiles.
False Negatives: Signature only looks for the script with it's original
Corrective Action: Upgrade and use discretion with script variables.
Contributors: Kevin Binsfield (IDS at ...2047...)
More information about the Snort-sigs