Rule: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC webstore directory traversal"; uricontent:"/web_store.cgi?page=../.."; flags:A+; classtype:web-application-attack; sid:1094; rev:2;) -- Sid: 1094 -- Summary: Someone tried to abuse a web_store.cgi vulnerability to read a file on a web server. -- Impact: An attacker may have accessed any file on the web server accessable by the user the web server runs as, possibly including sensitive files. -- Detailed Information: Some versions of Extropia WebStore contain a vulnerability in web_store.cgi that can allow an attacker to read arbitrary files on the web server through a directory traversal attack. Any file that the user that the web server runs as can read can be accessed. -- Attack Scenarios: An attacker sends a web request like the following: http://target/cgi-bin/Web_Store/web_store.cgi?page=../../../path/filename%00ext -- Ease of Attack: Fairly simple URL sent by the attacker. The attacker will have to make some educated guesses of directory structures. -- False Positives: -- False Negatives: -- Corrective Action: Examine the packet to determine what file was accessed. If the targetted web server runs a vulnerable version web_store, consider launching an investigation. -- Contributors: -- Additional References: CVE: CVE-2000-1005 Bugtraq: BID 1174