[Snort-sigs] Documentation rule 884

Nigel Houghton nigel at ...435...
Tue Dec 2 14:22:00 EST 2003


Thank you for your contribution. I will add it to the store and you should
see it appear in the database after the next scheduled update. (as soon as
I've had time to check the information)

Around 4:59pm Kevin Binsfield said:

KB :# This is a template for submitting snort signature descriptions to
KB :# the snort.org website
KB :#
KB :# Ensure that your descriptions are your own
KB :# and not the work of others.  References in the rules themselves
KB :# should be used for linking to others' work.
KB :#
KB :# If you are unsure of some part of a rule, use that as a commentary
KB :# and someone else perhaps will be able to fix it.
KB :#
KB :# $Id$
KB :#
KB :#
KB :
KB :Rule: 884
KB :
KB :--
KB :Sid: WEB-CGI formmail access
KB :
KB :--
KB :Summary: A popular perl script (FormMail) by Matt Wright which emails
KB :output of web forms.
KB :
KB :--
KB :Impact: Several vulnerabilities include server access, information
KB :disclosure, spam relaying and mail anonymizing.
KB :
KB :--
KB :Detailed Information: Early versions (1.6 and prior) had several
KB :vulnerabilities (Spam engine, ability to run commands under server id
KB :and set environment variables) and should be upgraded immediately. Newer
KB :versions can still be used by spammers for anonymizing email and
KB :defeating email relay controls.
KB :
KB :--
KB :Affected Systems: All webservers with a working installation of this
KB :perl script.
KB :
KB :--
KB :Attack Scenarios: Information can be appended to the URL to use your
KB :mail gateway avoiding SMTP relay controls. HTTP header information can
KB :be manipulated to avoid access control methods in script. Allows SMTP
KB :exploits that are normally available only to trusted (local) users such
KB :as Sendmail % hack.
KB :
KB :--
KB :Ease of Attack: Attacks range from trivial to complex scripts.
KB :
KB :--
KB :False Positives: Legitimate use of the script can cause alerts. Verify
KB :packet payload and watch web/mailserver logfiles.
KB :
KB :--
KB :False Negatives: Signature only looks for the script with its original
KB :name.
KB :
KB :--
KB :Corrective Action: Upgrade and use discretion with script variables.
KB :
KB :--
KB :Contributors: Kevin Binsfield (IDS at ...2047...)
KB :
KB :

-------------------------------------------------------------
Nigel Houghton   Security Research Engineer   Sourcefire Inc.
                 Vulnerability Research Team

"Mankind hasn't even got the technology to create a toupee
that doesn't get big laughs." -- Lister
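
Added example, not part of the original post or of the Snort rule set: a log triage sketch for the "False Positives" and "False Negatives" notes in the rule description above, separating legitimate FormMail use from likely relay abuse and catching the same request pattern under a different script name. The log lines are constructed, and LOCAL_DOMAINS, the `recipient` query field check and the function names are assumptions; recipients sent in a POST body do not appear in an access log and need the packet payload instead.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: domains this site legitimately mails form output to.
LOCAL_DOMAINS = {"example.com"}

# Constructed sample access-log lines, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Dec/2003:14:01:07 -0500] "GET /cgi-bin/formmail.pl?recipient=webmaster@example.com&subject=Feedback HTTP/1.0" 200 512',
    '198.51.100.7 - - [02/Dec/2003:14:03:44 -0500] "GET /cgi-bin/FormMail.pl?recipient=someone@elsewhere.test&subject=offer HTTP/1.0" 200 498',
    '203.0.113.5 - - [02/Dec/2003:14:05:12 -0500] "GET /cgi-bin/contact.cgi?recipient=other@elsewhere.test HTTP/1.0" 200 498',
    '192.0.2.33 - - [02/Dec/2003:14:06:30 -0500] "GET /index.html HTTP/1.0" 200 2048',
]

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def external_recipients(query):
    """Return recipient addresses whose domain is not in LOCAL_DOMAINS."""
    out = []
    for value in parse_qs(query).get("recipient", []):
        for addr in value.split(","):
            domain = addr.rpartition("@")[2].strip().lower()
            if domain not in LOCAL_DOMAINS:
                out.append(addr.strip())
    return out

def triage(line):
    """Return None, 'legitimate', 'relay-suspect' or 'renamed-suspect'."""
    m = REQUEST.match(line)
    if not m:
        return None
    url = urlsplit(m.group(2))
    # Assumed approximation of a signature keyed on the script's original name.
    named = "formmail" in url.path.lower()
    external = external_recipients(url.query)
    if named:
        return "relay-suspect" if external else "legitimate"
    # A name-based signature stays silent here; the request shape is the same.
    return "renamed-suspect" if external else None

def report(lines):
    """Return (source address, verdict) for every line that gets a verdict."""
    return [(REQUEST.match(l).group(1), triage(l)) for l in lines if triage(l)]

if __name__ == "__main__":
    for src, verdict in report(SAMPLE_LOG):
        print(src, verdict)
```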



