[Snort-sigs] SID 1071 documentation
kevin.peuhkurinen at ...1555...
Wed Jun 11 09:27:02 EDT 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to others' work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC .htpasswd access"; flow:to_server,established; content:".htpasswd"; nocase; classtype:web-application-attack; sid:1071; rev:5;)
A client is requesting the file ".htpasswd" from your web server.
If this request is successful, it could provide an attacker with
valuable information needed to compromise your website.
Most *nix based web servers, such as Apache and Netscape Enterprise
Server, use ".htpasswd" files to store user names and encrypted
passwords. The users listed in these files are referred to by
".htaccess" files that can be stored in specific directories. Best
practices dictate that ".htpasswd" files be kept out of the URI path
entirely. However, in some cases exceptions to this practice are made,
in which case the server software should be configured to disallow
direct client access to this file.
Any system that uses ".htpasswd" files, stores them in the URI path, and
has a server misconfigured to allow client access to them.
This is an information gathering operation which could facilitate an attack.
Ease of Attack:
It is simple to send a request for this file, but the request would only
be successful if the file exists and the server allows access to it.
First determine if the attack is successful by requesting the file
yourself. If the request is granted, re-evaluate if this file needs to
be in the web site path, and ensure that your web server is configured
to deny access to all files that begin with ".ht".
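
An added example, not part of the original submission or of Snort itself: a Python helper for triaging alerts from this rule by reading the web server's access log to see whether a logged ".htpasswd" request was actually served. It assumes Common Log Format; the function name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def triage(lines):
    """Return (host, path, status, verdict) for every request naming .htpasswd."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed CLF
        # Normalise percent-encoding, then compare case-insensitively,
        # mirroring the rule's content:".htpasswd"; nocase; match.
        path = unquote(m["path"])
        if ".htpasswd" not in path.lower():
            continue
        status = int(m["status"])
        if 200 <= status < 300:
            verdict = "SERVED"      # file exists and the server allowed access
        elif status in (401, 403):
            verdict = "denied"      # server refused the request
        elif status == 404:
            verdict = "not found"   # no such file in the URI path
        else:
            verdict = "review"      # redirects, errors: check by hand
        findings.append((m["host"], path, status, verdict))
    return findings

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Jun/2003:09:20:01 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.10 - - [11/Jun/2003:09:20:05 -0400] "GET /private/.htpasswd HTTP/1.0" 403 291',
    '198.51.100.7 - - [11/Jun/2003:09:21:40 -0400] "GET /members/.HTPASSWD HTTP/1.0" 404 284',
    '203.0.113.5 - - [11/Jun/2003:09:22:13 -0400] "GET /old/.htpasswd HTTP/1.0" 200 57',
]

if __name__ == "__main__":
    for host, path, status, verdict in triage(SAMPLE_LOG):
        print(f"{host:15} {status} {verdict:9} {path}")
```

Any line reported as SERVED means the password file was returned to the client, so the accounts listed in it should be treated as exposed and the file moved out of the web site path.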