[Snort-sigs] SID 1043 documentation
kevin.peuhkurinen at ...1555...
Wed Jun 11 09:05:05 EDT 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS viewcode.asp access"; uricontent:"/viewcode.asp"; nocase; classtype:web-application-activity; sid:1043; rev:6;)
An attacker is attempting to access the 'viewcode.asp' file on your web
If successful, this attack will display the contents of any file on the
server. In addition, it has been reported that this tool is vulnerable
to a denial of service attack.
'viewcode.asp' is a utility that ships with various Microsoft products
and is meant to allow web site administrators to view the code of active
server pages during development. As it will display the contents of
any file on the server, it should not be present on a production system,
but is installed by default with some products or as an option on
others. As well, the tool may be vulnerable to a denial of service attack.
Microsoft Site Server 3.0
Microsoft Site Server 3.0 Commerce Edition
Microsoft Commercial Internet System 2.0
Microsoft BackOffice Server 4.0
Microsoft BackOffice Server 4.5
Microsoft Internet Information Server 4.0
An attacker can use this tool to steal data or to gather user
names/passwords and other information that could facilitate other types
Ease of Attack:
Remove any copies of 'viewcode.asp' from your server.
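The following is an added example, not part of the original post and not Snort code. It approximates the rule's `uricontent:"/viewcode.asp"; nocase;` match over a web server access log in W3C extended format, so hits for SID 1043 can be cross-checked against what the server recorded. The log lines, paths and addresses are constructed, and the normalization shown (percent-decoding, slash unification, lowercasing) is an assumption that only approximates what the sensor does.

```python
from urllib.parse import unquote

NEEDLE = "/viewcode.asp"  # the rule's uricontent value

# Constructed sample log in W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-06-11 13:01:07 192.0.2.10 GET /default.asp - 200
2003-06-11 13:01:09 198.51.100.7 GET /samples/ViewCode.asp - 200
2003-06-11 13:02:44 198.51.100.7 GET /samples/view%63ode.asp - 200
2003-06-11 13:03:12 203.0.113.5 GET /docs/viewcode.aspx.txt - 404
2003-06-11 13:04:30 203.0.113.5 GET /viewcode.html - 404
"""

def normalize(uri):
    """Percent-decode, unify slashes and lowercase (the 'nocase' part)."""
    return unquote(uri).replace("\\", "/").lower()

def matches_rule(stem, query="-"):
    """Plain substring match on the normalized URI, like a content match."""
    uri = stem if query in ("", "-") else stem + "?" + query
    return NEEDLE in normalize(uri)

def scan(lines):
    """Return (client ip, uri stem, status) for every record that matches."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for following records
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed record or no #Fields header seen yet
        rec = dict(zip(fields, parts))
        if matches_rule(rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "-")):
            hits.append((rec.get("c-ip"), rec["cs-uri-stem"], rec.get("sc-status")))
    return hits

if __name__ == "__main__":
    for ip, uri, status in scan(SAMPLE_LOG.splitlines()):
        print(f"{ip} requested {uri} (status {status})")
```

Because the match is a substring test, the constructed `/docs/viewcode.aspx.txt` request is reported as well. Checking the status code and whether the file exists on the server separates a real access from this kind of false positive.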