[Snort-sigs] fix typo "/calendar-admin.pl" to "/calendar_admin.pl" on sid 1701 (snortrule24)

Nigel Houghton nigel at ...435...
Thu Aug 18 13:16:36 EDT 2005


On  0, rmkml <rmkml at ...324...> allegedly wrote:
> Hi,
> 
> sid 1701 :
> web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
> (msg:"WEB-CGI calendar-admin.pl access"; flow:to_server,established; 
> uricontent:"/calendar-admin.pl"; nocase; reference:bugtraq,1215; 
> classtype:web-application-activity; sid:1701; rev:4;)
> 
> but bid 1215 is :
>   http://online.securityfocus.com/bid/1215/exploit
> 
> and cve 2000-0432 confirm this :
>   Reference: BUGTRAQ:20000516 Vuln in calender.pl (Matt Kruse calender 
>   script)
>   Reference: BID:1215
>   Reference: XF:http-cgi-calendar-execute
>   The calender.pl and the calendar_admin.pl calendar scripts by Matt
>   Kruse allow remote attackers to execute arbitrary commands via shell
>   metacharacters.

That is correct and it is why we have sids 1536 and 1537. Some scanning
attempts do not spell things quite correctly and do not always use the
correct name for a particular script.

+--------------------------------------------------------------------+
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

 I require a window seat and an inflight Happy Meal, and no pickles! 
 God help you if I find pickles!




More information about the Snort-sigs mailing list