[Snort-sigs] SID 1828 documentation

Kevin Peuhkurinen kevin.peuhkurinen at ...1555...
Mon Jun 9 12:29:05 EDT 2003

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

iPlanet Search directory traversal attempt"; flow:established,to_server; 
uricontent:"/search"; content:"NS-query-pat="; content:"../../"; 
reference:nessus,11043; reference:bugtraq,5191; 
classtype:web-application-attack; sid:1828; rev:3;)
An attacker is attempting to use a vulnerability in the search 
functionality of certain web servers to view otherwise restricted files.
If successful, this attack will allow an attacker to view the contents 
of any file on your server.
Detailed Information:
The search engine in older versions of Netscape Enterprise Server and 
its succesors uses HTML formatted pattern files to query users for 
search paramters and return the results. The “NS-query-pat” command 
allows clients to specify a pattern file other than the default. 
Unfortunately, the search engine does not validate the filename 
requested and allows clients to specify any file on the server, which is 
then displayed to the client.
Affected Systems:
Netscape Enterprise Server 3.6 and earlier
iPlanet Web Server 4.1
iPlanet/Sun ONE Web Server 6.0 up to Service Pack 4
Netscape Enterprise Server 6.0
Attack Scenarios:
An attacker could use this vulnerability to find user names and 
passwords, SSL certificate files and related passwords, source code, or 
just about any other information on the server.
Ease of Attack:
Very easy.
False Positives:
False Negatives:
None known.
Corrective Action:
Disable the search engine or procure a patch from your web server vendor.
Kevin Peuhkurinen (aka turambar386)
Additional References:

More information about the Snort-sigs mailing list