[Snort-sigs] SID 1103 documentation

Kevin Peuhkurinen kevin.peuhkurinen at ...1555...
Thu Jun 12 08:03:08 EDT 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:  
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC 
Netscape admin passwd"; flow:to_server,established; 
uricontent:"/admin-serv/config/admpw"; nocase;reference:bugtraq,1579; 
classtype:web-application-attack; sid:1103; rev:7;)
--
Sid:
1103
--
Summary:
A client is requesting a file that may contain an administrator name and 
password.
--
Impact:
An attacker may be able to gain administrator access to your web server.
--
Detailed Information:
Some versions of Netscape Enterprise Server  put a world readable text 
file containing the administrator user name and encrypted password in a 
standard location within the URI space.    By acessing this, an attacker 
may be able to brute force guess or even decrypt the password.
--
Affected Systems:
Netscape Enterprise/3.6 SP3
Netscape Fasttrack/3.0.2
Netscape Messaging Server/3.6
Netscape Messaging Server/4.15p2
Netscape Collabra Server/3.54
--
Attack Scenarios:
This is an information gathering operation that could allow an attacker 
to execute a brute force password guessing attack.
--
Ease of Attack:
Moderate.   The file is easy enough to get access to, but the password 
is still encrypted.
--
False Positives:
None.
--
False Negatives:
None known.
--
Corrective Action:
Set appropriate permissions on this file or upgrade your web server 
software.
--
Contributors:
Kevin Peuhkurinen
-- 
Additional References:
http://www.securiteam.com/securitynews/5OR040A1UG.html






More information about the Snort-sigs mailing list