File: 2405.txt

package info (click to toggle)
snort 2.7.0-20.4
  • links: PTS
  • area: main
  • in suites: lenny
  • size: 34,512 kB
  • ctags: 18,772
  • sloc: ansic: 115,404; sh: 10,893; makefile: 1,372; perl: 487; sql: 213
file content (72 lines) | stat: -rw-r--r-- 2,029 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
Rule:

--
Sid:
2405

--
Summary:
This event is generated when an attempt is made to access the file "phptest.php".
BadBlue Personal Edition 2.4 servers could disclose confidential
information on the software configuration towards an attacker.

--
Impact:
Information gathering.
This signature is usually indicative of a reconaissance probe.
Succesful exploitation would provide the originator of the attack with the
installation path of the software.

--
Detailed Information:
Web servers running BadBlue Personal Edition 2.4, a
personal file sharing server, are vulnerable to a path disclosure attack.
When a client requests the phptest.php file from such a server, the source
of the HTTP reply page contains the installation path of the software.
This path can be used as information for further attacks.

--
Affected Systems:
	BadBlue Personal Edition 2.4

--
Attack Scenarios:
During the reconaissance phase, an attacker could obtain the installation 
path of the BadBlue server.  This can become valuable information during 
the later execution of directory traversal or buffer overflow attacks.

--
Ease of Attack:
Simple.

--
False Positives:
While not a true false positive, many PHP installation howtos advise the 
creation of a small file "phptest.php" which contains a call for the 
phpinfo() function.  When this file is accessed legitimately by
someone testing a fresh install, this signature will also trigger.

NOTE: The amount of information provided (installation directory, version 
numbers, environment variables), could also constitute a vulnerability 
if this file is present on a production web server.

--
False Negatives:
None known.

--
Corrective Action:
Ensure the system is using an up to date version of the software and has
had all vendor supplied patches applied.

--
Contributors:
Snort documentation contributed by Maarten Van Horenbeeck <maarten@daemon.be>
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

--