[Snort-sigs] FP for sid:1107
jeff-kell at ...922...
Thu Aug 4 21:11:12 EDT 2005
Rule: WEB-MISC ftp.pl access
Additional References: given bugtraq: 1471 description, existing signature is not specific enough.
Detailed Information: Involves a canned ftp script with a directory traversal weakness. Existing signature only checks uricontent:"/ftp.pl"; nocase;
This particular script/exploit also requires an &dir= parameter with a directory traversal indication, so at a minimum I would add uricontent:"&dir="; nocase; distance 1; within 20; and if you want it to be even more stringent, add uricontent:"../"; distance 1; within 20;
Or just disable the rule (target is Virtual Vision FTP Browser from July 2000).
More information about the Snort-sigs