[Snort-sigs] SID 1129 documentation
kevin.peuhkurinen at ...1555...
Tue Jun 10 06:23:11 EDT 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to others' work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .htaccess access"; flow:to_server,established; content:".htaccess"; nocase; classtype:attempted-recon; sid:1129; rev:4;)
A client is requesting the file ".htaccess" from your web server.

If this request is successful, it could provide an attacker with
valuable information needed to compromise your website.

Most *nix based web servers, such as Apache and Netscape Enterprise
Server, use ".htaccess" files to customize security settings on a
per-directory level. These files can specify things like which users
have access to which resources, hosts that are allowed or denied, and
what type of authentication system to use. This type of data would be
most useful for carrying out an attack on the site. Fortunately, all
modern web servers deny client access to these files by default.

Any system that uses ".htaccess" files and whose server has been
misconfigured to allow client access to them.

This is an information gathering operation which could facilitate an attack.

Ease of Attack:
It is simple to send a request for this file, but the request would only
be successful if the file exists and the server allows access to it.

While unlikely, certain web servers that are set up to host multiple
users' sites may allow access to this file by the site owners.

First determine if the attack is successful by requesting the file
yourself. If the request is granted, ensure that your web server is
configured to deny access to all files that begin with ".ht".
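
A triage sketch for following up an alert from this rule, added here as an example and not part of the original post or of Snort: it reads web server access-log lines and reports whether a request for a file beginning with ".ht" was actually served. The Apache common/combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed format (Apache common/combined):
# host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def triage(line):
    """Return (client, path, verdict) for a request naming a .ht* file, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    # Decode percent-encoding so "%2Ehtaccess" is treated like ".htaccess".
    path = unquote(urlsplit(target).path)
    # Compare the file name case-insensitively, as the rule's "nocase" does.
    name = path.rsplit("/", 1)[-1].lower()
    if not name.startswith(".ht"):
        return None
    code = int(status)
    if 200 <= code < 300:
        verdict = "EXPOSED"   # the server returned the file: fix the config
    elif code in (401, 403, 404):
        verdict = "denied"    # request refused, or no such file
    else:
        verdict = "review"    # redirect, server error, etc.
    return client, path, verdict

# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    '192.0.2.10 - - [10/Jun/2003:06:20:01 -0400] "GET /.htaccess HTTP/1.0" 403 289',
    '198.51.100.7 - - [10/Jun/2003:06:21:44 -0400] "GET /members/.HTACCESS HTTP/1.0" 200 412',
    '203.0.113.5 - - [10/Jun/2003:06:22:09 -0400] "GET /docs/%2Ehtpasswd HTTP/1.1" 404 210',
    # The rule's content match covers the whole payload, so it would also fire
    # on this query string; no .ht* file is requested, so triage skips it.
    '192.0.2.10 - - [10/Jun/2003:06:22:30 -0400] "GET /index.html?ref=.htaccess HTTP/1.0" 200 1043',
]

def report(lines):
    """Triage every line and keep only the requests for .ht* files."""
    return [r for r in map(triage, lines) if r]

if __name__ == "__main__":
    for client, path, verdict in report(SAMPLE):
        print(f"{verdict:8} {client:15} {path}")
```

Any line reported as EXPOSED means the server returned the file and its configuration needs the corrective action described above.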