[Snort-sigs] SID 1050 documentation
kevin.peuhkurinen at ...1555...
Thu Jun 12 07:00:14 EDT 2003
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
iPlanet GETPROPERTIES attempt"; flow:to_server,established;
content:"GETPROPERTIES"; offset:0; depth:13;
classtype:web-application-attack; sid:1050; rev:6;)
A buffer overflow attack may be in process.
If successful, this attack will allow attackers to run code of their
choosing on your server.
The web publishing feature in iPlanet Web Server 4.1 is vulnerable to a
iPlanet Web Server 4.1 up to Service Pack 8
An attacker can spawn a remote shell on the server and execute any
command they desire.
Ease of Attack:
Difficult. Exploit code does not appear to exist as of June 2003, so an
attacker would need to write the code themselves.
Legimate uses of web publishing.
This vulnerability can be exploited using any number of web publishing
commands, however this signature only triggers on one specific command
Disable web publishing or upgrade your web server software.
More information about the Snort-sigs