Rule:

--
Sid:
2407

--
Summary:
This event is generated when an attempt is made to exploit a known 
vulnerability on a web server or a web application resident on a web
server.

--
Impact:
Information gathering  and system integrity compromise. This rule generates 
an event on a request for the util.pl file, part of the CalaCode @mail 
Webmail system.  Some versions of this software are vulnerable to a cross 
site scripting attack.

--
Detailed Information:
When accessing the webmail service of @mail, a
cross site scripting bug can be abused in the util.pl file.  When
addressing the "settings" bar, Javascript code can be inserted into the
"Displayed Name" field.

This rule will also trigger on some scripted HTTP vulnerability
scans.  Many vulnerability assessment tools include a check which will
verify whether the util.pl file is available on a web server.  There are
multiple other known vulnerabilities in version 3.64 of the @mail system,
and the existance of this file would reveal its presence.

--
Affected Systems:
	@mail version 3.64 and prior

--
Attack Scenarios:
A user can submit malicious Javascript to the "Displayed
Name" field.  As usual with most browsers, this script will be executed
within the security context of the web site.  The session ID of the
connection, which is available from within this security context, can be
abused by the attacker to obtain access to the session and the user's e-mail account.

--
Ease of Attack:
Simple.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Ensure the system is using an up to date version of the software and has
had all vendor supplied patches applied.

Check the host logfiles and application logs for signs of compromise.

--
Contributors:
Snort documentation contributed by Maarten Van Horenbeeck, GCIA <maarten@daemon.be>
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

--