File: 1288.txt

package info (click to toggle)
snort 2.7.0-20.4
  • links: PTS
  • area: main
  • in suites: lenny
  • size: 34,512 kB
  • ctags: 18,772
  • sloc: ansic: 115,404; sh: 10,893; makefile: 1,372; perl: 487; sql: 213
file content (69 lines) | stat: -rw-r--r-- 1,714 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
Rule:

--
Sid:
1288

--
Summary:
This event is generated when an attempt is made to exploit a known 
vulnerability in a web server running Microsoft FrontPage
Server Extensions.

--
Impact:
Information gathering and system integrity compromise. Possible unauthorized
administrative access to the server or application. Possible execution
of arbitrary code of the attackers choosing in some cases. Denial of
Service is possible.

--
Detailed Information:
This event is generated when an attempt is made to compromise a host
running Microsoft FrontPage Server Extensions. Many known
vulnerabilities exist for this platform and the attack scenarios are
legion. In particular this rule generates events when the directory
_vti_bin is accessed. This directory contains sensitive files that may
be utilized in an attack against the server.

--
Affected Systems:
	All systems running Microsoft FrontPage Server Extensions

--
Attack Scenarios:
Many attack vectors are possible from simple directory traversal to
exploitation of buffer overflow conditions.

--
Ease of Attack:
Simple. Many exploits exist.

--
False Positives:
A user who is using the "discuss" toolbar in Microsoft Internet Explorer
may inadvertently generate an event from this rule, due to the browser
making a check for Office Server Extensions. See this URI for more
details.

 http://www.webmasterworld.com/forum39/2158.htm

--
False Negatives:
None known.

--
Corrective Action:
Ensure the system is using an up to date version of the software and has
had all vendor supplied patches applied.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

--