Rule:  

Sid:
1073

--

Summary:
This event is generated when an attempt is made to read web application
source code.

--
Impact:
Information gathering.

--
Detailed Information:
The webhits.exe sample program that comes with Microsoft Index Server in IIS
contains a vulnerability that allows the reading of web application source
code.

Sometimes web application source code contains highly sensitive information,
such as database passwords and information concerning backend setups.  This
could be a prelude to further attacks.

--
Affected Systems:
	Microsoft Index Server when deployed in conjunction with Microsoft IIS.

--
Attack Scenarios:
Attacker sends a simple URL like the following and then chooses which
file they want to view:
http://servername/scripts/samples/search/webhits.exe

--
Ease of Attack:
Simple. No exploit software required.

--
False Positives:
None Known.

--
False Negatives:
None Known

--
Corrective Action:
Remove the samples directory from the webserver.

Check the host for signs of compromise.

--
Contributors:
Original rule writer unknown
Original document author unkown
Sourcefire Vulnerability Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>
Alex Kirk <alex.kirk@sourcefire.com>

--
Additional References:

http://www.win2000mag.com/Articles/Index.cfm?ArticleID=475&pg=2

http://secinf.net/info/www/cgi-bugs.htm

--