[Snort-sigs] SID 1520

Jon warchild at ...288...
Sat Feb 1 11:53:23 EST 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
#
# 

Rule:  
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
server-info access"; flow:to_server,established; uricontent:"/server-info";
classtype:web-application-activity; sid:1520; rev:4;)

--
Sid:

1520

--
Summary:

Access to the "/server-info" url was detected.  Using the Apache webserver,
this url is generally handled by the mod_info module, which will happily
disclose valuable information about your webserver which may aid in their
attack.

--
Impact:

If mod_info is in use and the attacking host is allowed to access it, they
will be able to see every possible configuration option that your Apache
server is using.  This includes ACLs, modules, file and directory names, and
other valuable information that will help an attacker determine ways of
attacking your server.

--
Detailed Information:

The mod_info module "provides a comprehensive overview of the server
configuration including all installed modules and directives in the
configuration files" for the Apache webserver.  Successfully accessing the url
that is handle by mod_info may give an attacker valuable information about
your server.

--
Attack Scenarios:

As part of an attack against your Apache webserver, an attacker may try to
access "/server-info" which is typically handled by the mod_info module.  If
cuessful, this will give them valuable information about your webserver,
including all modules, versions, file names and directories, usernames, and
ACLs.  This will help them determine what ways to attack your Apache server,
or ways to attack the machine itself. 

--
Ease of Attack:

Trivial.  All that is needed is the ability to access this host + url:

`lynx http://victim/server-info`

--
False Positives:

Few, but certainly possible.  Since this rule only checks for the
existance of "/server-info" in the url, any url containing that string will
trigger this rule.  A few common false positives may include urls like:

http://victim/server-info/contact.html
http://victim/really/long/directory/server-info.html

--
False Negatives:

Rare.  The default location that the mod_info module watches is /server-info,
but this can be changed by the owner of the server.  If this is changed (say,
to something like /server_info), this snort rule will not catch the attack.
However, an attacking host will have to guess if the default location has been
changed.

--
Corrective Action:

Determine if server-info exists on the victim in question, and if the attacker
is allowed to access it.  If so, evaluate what information the attacker would
have gained.  If mod_info is necessary on this server, consider restricting
access to it via Apache directives, i.e.:


<Location /server-info>
    SetHandler server-info
    Order deny,allow
    Deny from all
    Allow from .yourdomain.net
</Location>


--
Contributors:

Jon Hart <warchild at ...288...>

-- 
Additional References:

http://httpd.apache.org/docs/mod/mod_info.html




More information about the Snort-sigs mailing list