[Snort-sigs] SID 1828 change needed

Kevin Peuhkurinen kevin.peuhkurinen at ...1555...
Mon Jun 2 10:50:07 EDT 2003


Since I, as 'turambar386', posted the original bugtraq advisory on the 
iPlanet search engine file viewing vulnerability, I thought that I would 
write up the documentation for the SID as well, which is SID 1828.

However, I noticed that part of the content that triggers the alert is 
"../../".    My research on the vulnerability proved that it was only 
exploitable using DOS backslashes ("..\..\"). 

I recommend that this rule be changed to trigger on the "NS-query-pat" 
and two dots ("..") rather than any particular type of slash.

Kevin






More information about the Snort-sigs mailing list