[Snort-sigs] SID 1828 change needed
kevin.peuhkurinen at ...1555...
Mon Jun 2 10:50:07 EDT 2003
Since I, as 'turambar386', posted the original bugtraq advisory on the
iPlanet search engine file viewing vulnerability, I thought that I would
write up the documentation for the SID as well, which is SID 1828.
However, I noticed that part of the content that triggers the alert is
"../../". My research on the vulnerability proved that it was only
exploitable using DOS backslashes ("..\..\").
I recommend that this rule be changed to trigger on the "NS-query-pat"
and two dots ("..") rather than any particular type of slash.
More information about the Snort-sigs