[Snort-sigs] SID 1828 documentation
kevin.peuhkurinen at ...1555...
Mon Jun 9 12:29:05 EDT 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to others' work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
iPlanet Search directory traversal attempt"; flow:established,to_server;
uricontent:"/search"; content:"NS-query-pat="; content:"../../";
classtype:web-application-attack; sid:1828; rev:3;)
An attacker is attempting to use a vulnerability in the search
functionality of certain web servers to view otherwise restricted files.
If successful, this attack will allow an attacker to view the contents
of any file on your server.
The search engine in older versions of Netscape Enterprise Server and
its successors uses HTML formatted pattern files to query users for
search parameters and return the results. The “NS-query-pat” command
allows clients to specify a pattern file other than the default.
Unfortunately, the search engine does not validate the filename
requested and allows clients to specify any file on the server, which is
then displayed to the client.
Netscape Enterprise Server 3.6 and earlier
iPlanet Web Server 4.1
iPlanet/Sun ONE Web Server 6.0 up to Service Pack 4
Netscape Enterprise Server 6.0
An attacker could use this vulnerability to find user names and
passwords, SSL certificate files and related passwords, source code, or
just about any other information on the server.
Ease of Attack:
Disable the search engine or procure a patch from your web server vendor.
Kevin Peuhkurinen (aka turambar386)
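
Added example, not part of the original post or of Snort: a sketch that applies the three conditions of SID 1828 to web server request lines and goes one step further than the rule by percent-decoding the NS-query-pat value, so that encoded traversal sequences are flagged as well. The sample request lines, the file paths in them and the function names are constructed for illustration, and the sketch inspects only the request line, not a POST body.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed request lines for illustration (not taken from the post).
SAMPLE_REQUESTS = [
    "GET /search?NS-query-pat=../../../../example/secret.txt HTTP/1.0",
    "GET /search?NS-query-pat=%2e%2e%2f%2e%2e%2fexample%2fsecret.txt HTTP/1.0",
    "GET /search?NS-query-pat=%252e%252e%252f%252e%252e%252fexample HTTP/1.0",
    "GET /search?NS-query-pat=/text/query.pat&NS-query=snort HTTP/1.0",
    "GET /docs/../../index.html HTTP/1.0",
    "POST /search HTTP/1.0",
]

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so single and double encoding collapse."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def traversal_pattern_file(request_line):
    """Return the decoded NS-query-pat value if it contains ../../, else None."""
    parts = request_line.split(" ")
    if len(parts) != 3:          # not "METHOD target VERSION"
        return None
    target = urlsplit(parts[1])
    if "/search" not in decode_fully(target.path):   # rule: uricontent:"/search"
        return None
    # rule: content:"NS-query-pat=" (parse_qs decodes each value once)
    for value in parse_qs(target.query).get("NS-query-pat", []):
        value = decode_fully(value)
        if "../../" in value:                        # rule: content:"../../"
            return value
    return None

def scan(request_lines):
    """Return (line_number, decoded_value) for every request that matches."""
    hits = []
    for number, line in enumerate(request_lines, start=1):
        value = traversal_pattern_file(line)
        if value is not None:
            hits.append((number, value))
    return hits

if __name__ == "__main__":
    for number, value in scan(SAMPLE_REQUESTS):
        print(f"line {number}: NS-query-pat traversal -> {value}")
```

Unlike the rule, which matches "../../" anywhere in the payload, this check ties the traversal sequence to the NS-query-pat value itself.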