[Snort-sigs] SID 2405: WEB-PHP phptest.php access

Maarten Van Horenbeeck maarten at ...2078...
Wed Jun 9 23:26:02 EDT 2004

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

Rule: WEB-PHP phptest.php access

Sid: 2405

Summary:  A web client attempted to access the file "phptest.php".
BadBlue Personal Edition 2.4 servers could disclose confidential
information on the software configuration towards an attacker.

Impact:  This signature is usually indicative of a reconaissance probe.
Succesful exploitation would provide the originator of the attack with the
installation path of the software.

Detailed Information:  Web servers running BadBlue Personal Edition 2.4, a
personal file sharing server, are vulnerable to a path disclosure attack.
When a client requests the phptest.php file from such a server, the source
of the HTTP reply page contains the installation path of the software.
This path can be used as information for further attacks.

Affected Systems:  BadBlue Personal Edition 2.4.

Attack Scenarios:  During the reconaissance phase, an attacker could
obtain the installation path of the BadBlue server.  This can become
valuable information during the later execution of directory traversal or
buffer overflow attacks.

Ease of Attack:  This vulnerability can be exploited through one single
HTTP request.

False Positives:  While not a true false positive, many PHP installation
howtos advise to create a small file "phptest.php" which contains a call
for the phpinfo() function.  When this file is accessed legitimately by
someone testing a fresh install, this signature will also trigger.  Please
note that due to the amount of information provided (installation
directory, version numbers, environment variables), this in itself could
also constitute a vulnerability, if this file is present on a production
web server.

False Negatives:  There are no known false negatives for this signature.

Corrective Action:  Upgrade BadBlue Personal Edition to version 2.5,
available from <a href="http://www.badblue.com">badblue.com</a>.  This
version does not contain the "phptest.php" file, thereby removing this


Additional References:
Bugtraq ID <a href="http://www.securityfocus.com/bid/9737/">9737</a>
ISS  <a href="http://xforce.iss.net/xforce/xfdb/15311">badblue-phptestphp-path-disclosure</a>

More information about the Snort-sigs mailing list