[Snort-sigs] SID 1043 documentation

Kevin Peuhkurinen kevin.peuhkurinen at ...1555...
Wed Jun 11 09:05:05 EDT 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:  
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS
viewcode.asp access"; uricontent:"/viewcode.asp"; nocase;
flow:to_server,established; reference:nessus,10576;
classtype:web-application-activity; sid:1043; rev:6;)
--
Sid:
1043
--
Summary:
An attacker is attempting to access the 'viewcode.asp' file on your web 
server.
--
Impact:
If successful, this attack will display the contents of any file on the 
server.   In addition, it has been reported that this tool is vulnerable 
to a denial of service attack.
--
Detailed Information:
'viewcode.asp' is a utility that ships with various Microsoft products 
and is meant to allow web site administrators to view the code of active 
server pages during development.   As it will display the contents of 
any file on the server, it should not be present on a production system, 
but is installed by default with some products or as an option on 
others.   As well, the tool may be vulnerable to a denial of service attack.
--
Affected Systems:
Microsoft Site Server 3.0
Microsoft Site Server 3.0 Commerce Edition
Microsoft Commercial Internet System 2.0
Microsoft BackOffice Server 4.0
Microsoft BackOffice Server 4.5
Microsoft Internet Information Server 4.0
--
Attack Scenarios:
An attacker can use this tool to steal data or to gather user 
names/passwords and other information that could facilitate other types 
of attack.
--
Ease of Attack:
Easy.
--
False Positives:
None.
--
False Negatives:
None.
--
Corrective Action:
Remove any copies of 'viewcode.asp' from your server.
--
Contributors:
Kevin Peuhkurinen
-- 
Additional References:
http://www.insecure.org/sploits/ms.backoffice.source.html
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q231368&sd=tech






More information about the Snort-sigs mailing list