File: 1245.txt

snort 2.7.0-20.4
Rule:

--
Sid:
1245

--
Summary:
This event is generated when an attempt is made to access the .idq Indexing Service ISAPI filter. 

--
Impact:
Intelligence gathering activity. If an .idq file is erroneously shared from a network share, the error message returned for a request to it discloses the share path.

--
Detailed Information:
Microsoft Internet Information Services (IIS) installs several Internet Server Application Programming Interface (ISAPI) extensions. The .idq ISAPI filter provides support for Internet Data Queries. Files with the .idq suffix should not be located on network shares. If an attempt is made to access them from a network share, an error message is returned disclosing the share path.
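
The same check can be run after the fact over web server access logs. The following is an added example, not part of the original rule documentation or of Snort: it flags requests whose path names a .idq file, decoding percent-escapes and ignoring case first. The four-field log layout, the sample lines and the function names are assumptions made for the example.

```python
from urllib.parse import unquote, urlsplit

# Constructed sample lines in a simplified "METHOD URI STATUS CLIENT" layout
# (an assumption for this example, not a real IIS log format).
SAMPLE_LOG = """\
GET /default.htm 200 192.0.2.10
GET /scripts/query.idq 200 192.0.2.11
GET /search/Catalog.IDQ?CiRestriction=test 500 192.0.2.12
GET /search/query%2Eidq 500 192.0.2.13
GET /docs/readme.txt?file=report.idq 200 192.0.2.14
HEAD /archive/old.idq.bak 404 192.0.2.15
garbage line
"""


def requests_idq(uri: str) -> bool:
    """True if the request path (not the query string) names a .idq file."""
    # Split off the query string, then decode escapes such as %2E so that
    # an encoded dot is compared in the same form as a literal one.
    path = unquote(urlsplit(uri).path)
    return path.lower().endswith(".idq")


def scan(log_text: str):
    """Return (client, uri, status) for each request that targets a .idq file."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        # Skip lines that do not match the assumed four-field layout.
        if len(parts) != 4 or not parts[2].isdigit():
            continue
        _method, uri, status, client = parts
        if requests_idq(uri):
            hits.append((client, uri, int(status)))
    return hits


if __name__ == "__main__":
    for client, uri, status in scan(SAMPLE_LOG):
        print(f"{client} requested {uri} -> HTTP {status}")
```

Access logs do not record response bodies, so a hit only identifies which requests to review; whether a share path was disclosed depends on where the requested .idq file is stored.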

--
Affected Systems:
Hosts running IIS 4.0
Hosts running IIS 5.0

--
Attack Scenarios:
An attacker can request a file with the .idq suffix in order to receive an error message that discloses the share path.

--
Ease of Attack:
Simple. 

--
False Positives:
None Known.

--
False Negatives:
None Known.

--
Corrective Action:
Do not place files with the .idq suffix on a network share.
 

--
Contributors:
Original rule written by Dr SuSE and C. Mayor 
Modified by Brian Caswell <bmc@sourcefire.com>
Sourcefire Research Team
Judy Novak <judy.novak@sourcefire.com>

--
Additional References:

Arachnids
http://www.whitehats.com/info/IDS552

CVE
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0071


--