[Snort-sigs] false uricontent on sid 1600 ?

rmkml rmkml at ...324...
Fri Aug 26 12:53:20 EDT 2005


Hi,

look sid 1600 :
web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-CGI htsearch arbitrary configuration file attempt"; 
flow:to_server,established; uricontent:"/htsearch?-c"; nocase; 
reference:cve,2000-0208; classtype:web-application-attack; sid:1600; 
rev:6;)

Found snort msg on nessus script :
  script_id(10385);
  script_cve_id("CAN-2000-1191");
  script_bugtraq_id(4366);
  name["english"] = "ht://Dig's htsearch reveals web server path";
...
  desc["english"] = "ht://Dig's htsearch CGI can be
used to reveal the path location of the its configuration files.
This allows attacker to gather sensitive information about the remote 
host.
For more information see:
http://www.securiteam.com/exploits/htDig_reveals_web_server_configuration_paths.html
...
foreach dir (cgi_dirs())
{
   req = string(dir, 
"/htsearch?config=foofighter&restrict=&exclude=&method=and&format=builtin-long&sort=score&words=");


ok also, modify uricontent to "/htsearch?config" ?
modify cve 2000-0208 -> 2000-1191
add ref BID 4366 and nessus 10385 and osvdb 292

Regards
Rmkml




More information about the Snort-sigs mailing list