File: 1526.txt

package info (click to toggle)
snort 2.9.7.0-5
  • links: PTS, VCS
  • area: main
  • in suites: buster, sid, stretch
  • size: 55,000 kB
  • ctags: 38,464
  • sloc: ansic: 266,667; sh: 12,508; makefile: 2,908; yacc: 497; perl: 496; lex: 261; sed: 14
file content (58 lines) | stat: -rw-r--r-- 2,249 bytes parent folder | download | duplicates (6)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
Rule:  

--
Sid:
1526

--
Summary:
This event is generated when an attempt is made to access the file sendmail.inc on a webserver running Basilix webmail.

--
Impact:
Medium - Password disclosure: Depending if the attacker can use this login credentials to authenticate directly to a mysql database. Many Sun Cobalt Linux servers use Basilix webmail

--
Detailed Information:
A webserver usually sends files in the webroot to an anonymous user without further processing. PHP scripts often include files (which contains configuration variables / functions etc.) that are not stored using a suffix that prevents the webserver sending them in clear text. ".inc" and ".class" suffix are not a handled by CGI properly and the file "sendmail.inc" is sent to the attacker. /inc/mysql.class can also be accessed and this would lead to a mysql user/password disclosure.

Basilix is a webmail PHP script. Features are nice but it has some vulnerabilities (old versions).

An attacker can access sendmail.inc file to obtain MySQL login and use it for further attacks.

--
Attack Scenarios:
An attacker gets mysql.class containing database login credentials. If the webserver is shared by multiple users, the attacker which is also user for instance, can connect to the database server using the login provided by mysql.class file and modify the database. Often the password doesn't differ from FTP login, HTTP user authentication, etc. because the authentication is centralised by the OS.

--
Ease of Attack:
Simple.

--
False Positives:
Sendmail.inc file doesn't exist or is handled by CGI which results probably in no output when an attacker tries to access the file.

--
False Negatives:
None known

--
Corrective Action:
Update Basilix script (www.basilix.org)

Check files which contain php code for a suffix that is handled by the webserver CGI, else the webserver sends this file plaintext to an attacker

Workaround: register .inc and .class in the same way .php or .php3  .php4 are registered.
Note: .class is used by java applets usually

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>
Additional Snort documentation contributed by unknown

-- 
Additional References:

--