[Snort-sigs] Mistake in rule 2196

Ofer Shezaf ofer at ...2970...
Wed Jan 26 05:20:29 EST 2005


While most of you will probably never encounter an event on rule 2196, it
seems to have a mistake in it:

web-cgi.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-CGI catgy.cgi access"; flow:to_server,established;
uricontent:"/alert.cgi"; nocase; reference:bugtraq,3714;
reference:bugtraq,4579; reference:cve,2001-1212; reference:nessus,11748;
classtype:web-application-activity; sid:2196; rev:6;)

catgy.cgi is certainly not alert.cgi. 
 
The exploit provided by SecurityFocus also suggests that the right
signature condition is "catgy.cgi":
https://host/aktivate/cgi-bin/catgy.cgi?key=0&cartname=axa200135022551089&desc=<script>alert(document.domain)</script>

(http://www.securityfocus.com/bid/3714/exploit/)

While checking it I also noticed that the second bugtraq reference, 4579
does not seem to be in place. When investigating it, I found that it is a
very popular reference.

~ Ofer

Ofer Shezaf
CTO, Breach Security

Tel: +972.9.956.0036 ext.212
Cell: +972.54.443.1119
ofers at ...2971...
http://www.breach.com 
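The mismatch Ofer describes is easy to check mechanically: the script named in the rule's msg: option never appears in its uricontent: pattern, so the rule cannot fire on the traffic it was written for. The following Python lint is an added example, not code from the post or from the Snort project. It parses the rule text quoted above, reports msg/uricontent mismatches, approximates the uricontent test against a constructed request URI shaped like the SecurityFocus path (with the script payload replaced by a plain value), and lists the reference: entries so each can be checked by hand. RULE_2196_CORRECTED is a hypothetical form with the uricontent the post says it should have, not an official revision.

```python
import re

# Constructed input: the rule quoted in the post (sid:2196, rev:6), joined back
# onto one line so it can be parsed. Nothing in it has been changed.
RULE_2196 = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-CGI catgy.cgi access"; flow:to_server,established; '
    'uricontent:"/alert.cgi"; nocase; reference:bugtraq,3714; '
    'reference:bugtraq,4579; reference:cve,2001-1212; reference:nessus,11748; '
    'classtype:web-application-activity; sid:2196; rev:6;)'
)

# Hypothetical corrected form: the same rule with the uricontent the post says
# it should have. An assumption for the lint, not an official rule revision.
RULE_2196_CORRECTED = RULE_2196.replace('uricontent:"/alert.cgi"',
                                        'uricontent:"/catgy.cgi"')

# Constructed request URI shaped like the SecurityFocus PoC path quoted in the
# post, with the script payload replaced by a harmless value.
SAMPLE_URI = "/aktivate/cgi-bin/catgy.cgi?key=0&cartname=TEST&desc=hello"

# One rule option: keyword, optional value (quoted string or bare text), ';'.
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_rule(rule: str) -> dict:
    """Split a Snort rule into its header and an ordered list of (keyword, value)
    options. Quoted values are unquoted; valueless options (nocase) get ''."""
    m = re.match(r'^(.*?)\s*\((.*)\)\s*$', rule.strip())
    if not m:
        raise ValueError("not a Snort rule: missing option body")
    header, body = m.group(1), m.group(2)
    options = []
    for kw, val in OPTION_RE.findall(body):
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        options.append((kw, val))
    return {"header": header, "options": options}


# Script file names as they appear in WEB-CGI style messages, e.g. "catgy.cgi".
SCRIPT_NAME_RE = re.compile(r'[\w-]+\.(?:cgi|pl|php|asp)\b', re.IGNORECASE)


def lint_msg_vs_uricontent(rule: str) -> list:
    """Return problem strings when the script named in msg: is not covered by any
    uricontent:/content: pattern. Such a rule never fires on the traffic its
    message describes, so the mismatch is a silent detection gap."""
    opts = parse_rule(rule)["options"]
    msg = next((v for k, v in opts if k == "msg"), "")
    sid = next((v for k, v in opts if k == "sid"), "?")
    patterns = [v for k, v in opts if k in ("uricontent", "content")]
    problems = []
    if not patterns:
        problems.append(f"sid:{sid}: no uricontent/content option at all")
    for name in SCRIPT_NAME_RE.findall(msg):
        if not any(name.lower() in p.lower() for p in patterns):
            problems.append(
                f"sid:{sid}: msg names {name!r} but patterns {patterns} do not match it")
    return problems


def uricontent_matches(rule: str, uri: str) -> bool:
    """Approximate the uricontent: test: every uricontent pattern must occur as a
    substring of the request URI, case-insensitively when 'nocase;' follows it."""
    opts = parse_rule(rule)["options"]
    for i, (kw, val) in enumerate(opts):
        if kw != "uricontent":
            continue
        # nocase modifies the content option immediately before it
        nocase = i + 1 < len(opts) and opts[i + 1][0] == "nocase"
        hay, needle = (uri.lower(), val.lower()) if nocase else (uri, val)
        if needle not in hay:
            return False
    return True


def references(rule: str) -> list:
    """Collect reference: options as (system, id) pairs, e.g. ('bugtraq', '4579'),
    so a reviewer can check each one against its source by hand."""
    opts = parse_rule(rule)["options"]
    return [tuple(v.split(",", 1)) for k, v in opts if k == "reference"]


if __name__ == "__main__":
    for line in lint_msg_vs_uricontent(RULE_2196):
        print(line)
    print("as shipped, fires on sample URI:",
          uricontent_matches(RULE_2196, SAMPLE_URI))
    print("corrected, fires on sample URI:",
          uricontent_matches(RULE_2196_CORRECTED, SAMPLE_URI))
    print("references:", references(RULE_2196))
```

Run over the rule as shipped, the lint reports that msg names catgy.cgi while the only pattern is /alert.cgi, and the URI check confirms the rule would not fire on a request to catgy.cgi; with the uricontent changed as the post suggests, both checks pass. The same functions can be looped over a whole .rules file to catch other msg/pattern mismatches before they become missed detections.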