[Snort-sigs] SID 2407: WEB-MISC util.pl access

Matthew Watchinski mwatchinski at ...435...
Wed Jun 9 15:23:01 EDT 2004


Just a quick comment.

The false positive section says to disable if you're patched; you might want to 
add additional information about how, even if you're patched, you might not want to 
disable this signature.  CGI scanners will set this signature off and, depending 
on your security policy, you might want to be alerted to this type of traffic.

Cheers,
-matt


Maarten Van Horenbeeck wrote:
> # This is a template for submitting snort signature descriptions to
> # the snort.org website
> #
> # Ensure that your descriptions are your own
> # and not the work of others.  References in the rules themselves
> # should be used for linking to other's work.
> #
> # If you are unsure of some part of a rule, use that as a commentary
> # and someone else perhaps will be able to fix it.
> #
> # $Id$
> #
> #
> 
> Rule:  WEB-MISC util.pl access
> 
> --
> Sid: 2407
> 
> --
> Summary:  This signature triggers on a request for the util.pl file, part
> of the CalaCode @mail Webmail system.  Some versions of this software are
> vulnerable to a cross site scripting attack.
> 
> --
> Impact:  This signature usually indicates a reconnaissance attempt.
> Successful exploitation may lead to invalid content being provided to
> end-users.
> 
> --
> Detailed Information:  When accessing the webmail service of @mail, a
> cross site scripting bug can be abused in the util.pl file.  When
> addressing the "settings" bar, Javascript code can be inserted into the
> "Displayed Name" field.
> 
> This signature will also trigger on some scripted HTTP vulnerability
> scans.  Many vulnerability assessment tools include a check which will
> verify whether the util.pl file is available on a web server.  There are
> multiple other known vulnerabilities in version 3.64 of the @mail system,
> and the existence of this file would reveal its presence.
> 
> --
> Affected Systems:  Machines running @mail version 3.64.  Older versions
> may also be vulnerable, though this has never been confirmed.
> 
> --
> Attack Scenarios: A user can submit malicious Javascript to the "Displayed
> Name" field.  As usual with most browsers, this script will be executed
> within the security context of the web site.  The session ID of the
> connection, which is available from within this security context, can be
> abused by the attacker to obtain access to the session and the user's
> e-mail account.
> 
> --
> Ease of Attack:  Exploitation can be done easily by tricking the user into
> visiting a certain URL.
> 
> --
> False Positives:  This signature solely triggers on a request for a
> util.pl file.  This means that it will trigger on patched systems which
> are using @mail.  If you are using this application, and it is patched
> against this vulnerability, this signature should be disabled.
> 
> --
> False Negatives:  There are no known false negatives.
> 
> --
> Corrective Action: If you are a user of @mail version 3.64 or lower,
> contact your <a href="http://www.atmail.com">vendor</a> for a patch.
> 
> --
> Contributors:  Vulnerability was initially discovered by <a
> href="mailto:dr_insane at ...2543...">dr_insane at ...2543...</a>.
> 
> 
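Added example, not part of the original post and not the Snort rule itself: a small Python script that replays the match condition the description gives for SID 2407 (a request URI containing /util.pl, case-insensitive) over web-server access logs and tags each hit as "scanner" or "targeted", so a patched @mail site can keep the alert and still tell scripted CGI sweeps apart from a single request. The log lines are constructed, the access-log format is assumed to be Apache combined style, and the scanner heuristic and its thresholds (many distinct paths, mostly answered 404) are my own choice, not anything from the rule.

```python
"""Replay SID 2407-style matching over access logs and tag the source as a
probable CGI scanner or as a single targeted request.

Added illustration, not the Snort rule: the match condition (request URI
containing "/util.pl", case-insensitive) follows the signature description;
the scanner heuristic and thresholds are assumptions made for this example.
"""
import re
from collections import defaultdict

# Constructed Apache-style access log lines (not real traffic). 203.0.113.5
# behaves like an ordinary webmail user; 198.51.100.7 walks a list of classic
# CGI probe paths, which is what a vulnerability scanner does.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jun/2004:15:01:02 -0400] "GET /cgi-bin/util.pl?func=settings HTTP/1.1" 200 1834
198.51.100.7 - - [09/Jun/2004:15:02:10 -0400] "GET /cgi-bin/phf HTTP/1.0" 404 211
198.51.100.7 - - [09/Jun/2004:15:02:10 -0400] "GET /cgi-bin/test-cgi HTTP/1.0" 404 211
198.51.100.7 - - [09/Jun/2004:15:02:11 -0400] "GET /cgi-bin/formmail.pl HTTP/1.0" 404 211
198.51.100.7 - - [09/Jun/2004:15:02:11 -0400] "GET /cgi-bin/UTIL.PL HTTP/1.0" 404 211
198.51.100.7 - - [09/Jun/2004:15:02:12 -0400] "GET /cgi-bin/count.cgi HTTP/1.0" 404 211
203.0.113.5 - - [09/Jun/2004:15:03:40 -0400] "GET /cgi-bin/readmail.pl HTTP/1.1" 200 5120
"""

# Assumed combined-log layout: src ident user [ts] "METHOD uri HTTP/x.y" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) \S+$'
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def matches_sid_2407(uri):
    """Mirror the described signature: request URI containing /util.pl, any case."""
    return "/util.pl" in uri.lower()


def source_stats(records):
    """Per-source request count, distinct paths (query string dropped) and 404s."""
    stats = defaultdict(lambda: {"requests": 0, "paths": set(), "not_found": 0})
    for r in records:
        s = stats[r["src"]]
        s["requests"] += 1
        s["paths"].add(r["uri"].split("?", 1)[0].lower())
        if r["status"] == 404:
            s["not_found"] += 1
    return stats


def is_scanner(stat, min_distinct=4, min_404_ratio=0.5):
    """Assumed heuristic: many distinct paths from one source, mostly 404s."""
    if len(stat["paths"]) < min_distinct:
        return False
    return stat["not_found"] / stat["requests"] >= min_404_ratio


def alerts(text):
    """One alert per util.pl request, tagged 'scanner' or 'targeted'."""
    records = list(parse_log(text))
    stats = source_stats(records)
    out = []
    for r in records:
        if matches_sid_2407(r["uri"]):
            verdict = "scanner" if is_scanner(stats[r["src"]]) else "targeted"
            out.append({"src": r["src"], "uri": r["uri"],
                        "status": r["status"], "verdict": verdict})
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(f"SID 2407 {a['src']:<14} {a['verdict']:<8} {a['status']} {a['uri']}")
```

The point of the two verdicts is the one raised above: the signature fires on any request for the file, patched or not, so rather than disabling it on a patched host you can keep it and let the per-source context decide whether a hit is a scripted sweep worth logging or a lone request worth a closer look.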