Internet Security Systems

HTTP URL directory traversal/climbing

advICE : Intrusions : 2000603
Summary

It looks like an intruder is trying to read other files from your system (other than the ones you intended to share).

Details

A common bug in web servers is that an attacker can request a URL that looks something like /../../../foo/bar.txt. The files a site intends to publish live in one directory (the document root). Each "../" segment steps one level up and out of that directory, after which the rest of the path descends to any file the web server process has permission to read.

The attack works because the server maps the request path onto the filesystem without first canonicalising it and checking that the result still lies inside the document root, so the intended restriction to the website's own files is never actually enforced.
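The two mappings described above, as an added example (not code from this page or from any of the products it lists): the buggy version appends the decoded request path to the document root and opens whatever results, while the hardened version canonicalises the joined path and refuses anything that ends up outside the root. The document root /var/www/htdocs and the sample request paths are assumptions chosen for the demonstration.

```python
"""Vulnerable and hardened URL-to-filesystem mapping (added example)."""
import posixpath
from urllib.parse import unquote

# Constructed document root for the demonstration (an assumption, not from the page).
DOCROOT = "/var/www/htdocs"


def resolve_vulnerable(url_path):
    """The buggy mapping: document root + decoded request path, nothing checked.

    Returns the canonical path the operating system would actually open, so the
    effect of the "../" segments is visible: the result can lie outside DOCROOT.
    """
    decoded = unquote(url_path)
    return posixpath.normpath(DOCROOT + decoded)


def resolve_safe(url_path):
    """The hardened mapping: decode, canonicalise, then confine to DOCROOT.

    Returns the filesystem path to serve, or None when the request must be
    refused because the canonical path escapes the document root.
    """
    decoded = unquote(url_path)
    # Drop any query string; only the path names a file.
    decoded = decoded.split("?", 1)[0]
    # posixpath.join() would discard DOCROOT if the second part starts with "/",
    # so strip the leading slash first.
    candidate = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    # The decision is made on the canonical result, not on the presence of "..",
    # so a harmless "/images/../index.html" is still served.
    if candidate != DOCROOT and not candidate.startswith(DOCROOT + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ("/index.html", "/images/../index.html",
                "/../../../etc/passwd", "/..%2f..%2f..%2fetc/passwd"):
        print(f"{req:32} vulnerable -> {resolve_vulnerable(req)}")
        print(f"{'':32} safe       -> {resolve_safe(req)}")
```

Two caveats for a real server: the check must run on the path after exactly one round of percent-decoding (the encoded request above decodes to the same "../" sequence), and normpath only reasons about the string, so where symbolic links inside the document root are a concern the comparison should be made on the result of os.path.realpath instead.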

False Positives

This alert triggers whenever the path of a URL contains the configured substring (by default ../../../..). Bad relative links in the pages of a website can sometimes cause this alert; in that case it indicates a misconfiguration of the site rather than an intrusion.

Defense

First, check the URL parameter of the alert to see which file the intruder tried to reach. Then use the accessed and code parameters to see whether the request succeeded: a 200 return code means the server actually handed over the file, whereas an error code means it did not. If the file was sensitive and the attacker was successful, you will need to take appropriate action; for example, if the attacker successfully grabbed the password file, you will need to change all the passwords on that system.

You should also make sure that the web server in question is the latest version with the latest security patches applied. Most of these attacks are against embedded web servers (web servers included as part of other products, such as mail gateways, printer management tools and personal web servers) rather than general-purpose web servers like Apache and IIS.
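The triage in the False Positives and Defense sections above, as an added example (not ISS's detection code): it applies the http.dotdotpath substring test to a web-server access log and records, for each hit, the same URL, arg, code and accessed values this alert reports, so that attempts the server actually satisfied can be separated from attempts it refused. The log lines are constructed for the example; the optional percent-decoding before the substring test goes beyond the plain substring check the page describes and is noted as such in the code.

```python
"""Triage of directory-traversal alerts from a web-server access log (added example)."""
import re
from typing import NamedTuple
from urllib.parse import unquote

# Default substring from the http.dotdotpath setting on this page.
DOTDOTPATH = "../../../.."

# Constructed sample access log in Common Log Format (not from the page).
# Line 2: traversal that succeeded (200).  Line 3: percent-encoded attempt that
# failed (404).  Line 4: a bad relative link on the site's own pages, the
# false-positive case: it still trips the substring test.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2001:10:01:22 +0000] "GET /index.html HTTP/1.0" 200 1043
10.0.0.9 - - [12/Mar/2001:10:02:01 +0000] "GET /cgi-bin/../../../../etc/passwd HTTP/1.0" 200 812
10.0.0.9 - - [12/Mar/2001:10:02:05 +0000] "GET /scripts/..%2f..%2f..%2f..%2fwinnt/win.ini HTTP/1.0" 404 210
10.0.0.7 - - [12/Mar/2001:10:03:40 +0000] "GET /docs/../../../../images/logo.gif HTTP/1.0" 404 210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<code>\d{3}) \S+'
)


class Alert(NamedTuple):
    ip: str
    url: str        # the suspicious URL
    arg: str        # the argument to the GET command (query string), if any
    code: int       # the HTTP return code
    accessed: bool  # True when the server answered 2xx, i.e. the file was served


def match_traversal(log_text, needle=DOTDOTPATH, decode=True):
    """Return an Alert for every request whose path contains the needle.

    With decode=True the path is percent-decoded before the substring test.
    That is an addition over the raw substring check the signature describes;
    it catches encoded forms such as ..%2f that a raw check would miss.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        path, _, arg = url.partition("?")
        if decode:
            path = unquote(path)
        if needle not in path:
            continue
        code = int(m.group("code"))
        alerts.append(Alert(m.group("ip"), url, arg, code, 200 <= code < 300))
    return alerts


def successful_reads(alerts):
    """The alerts that need action: traversal attempts the server actually satisfied."""
    return [a for a in alerts if a.accessed]


if __name__ == "__main__":
    hits = match_traversal(SAMPLE_LOG)
    for a in hits:
        print(f"{a.ip:10} code={a.code} accessed={a.accessed} url={a.url}")
    print("needs action:", [a.url for a in successful_reads(hits)])
```

Only the second line comes out as accessed; the fourth is the misconfiguration case, a same-site image reached through a broken link, and the third shows why matching on the raw URL (decode=False) would miss an encoded attempt entirely. A refused attempt is still evidence of intent, so the source address of the third line deserves a look even though nothing was disclosed.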

more information

Directory Traversal

CERT: CA-97.24.Count_cgi   Buffer Overrun Vulnerability in Count.cgi cgi-bin Program
  A discussion of this bug in relation to a vulnerable CGI program that can be hacked.
Microsoft Advisory on FrontPage PWS
  Some versions of the FrontPage Personal Web Server (PWS) for Windows have this bug.
BugTraq: security hole in ICQ-Webserver
  An example home-user application that will allow a hacker to read all the files from a machine.
eEye: Multiple Web Interface Security Holes
  Advisory on numerous web services, including CMail, FTGate, and NTMail.
BugtraqID: 2386   ITAfrica WEBactive Directory Traversal Vulnerability
BugtraqID: 2384   Caucho Technology Resin Directory Transversal Vulnerability
BugtraqID: 1777   Hassan Consulting Shopping Cart Directory Traversal Vulnerability
BugtraqID: 1776   Bytes Interactive Web Shopper Directory Traversal Vulnerability
BugtraqID: 1773   PHPix Directory Traversal Vulnerability
BugtraqID: 1626   Worm httpd Directory Traversal Vulnerability
BugtraqID: 1537   NAI Net Tools PKI Server Directory Traversal Vulnerability
BugtraqID: 1508   SimpleServer WWW Directory Traversal Vulnerability
BugtraqID: 1471   Virtual Vision FTP Browser Vulnerability
BugtraqID: 1462   Deerfield WorldClient 2.1
BugtraqID: 1455   BB4 Technologies Big Brother Directory Traversal Vulnerability
BugtraqID: 1243   HP Web JetAdmin Directory Traversal Vulnerability
BugtraqID: 1231   MetaProducts Offline Explorer Directory Traversal Vulnerability
BugtraqID: 1164   UltraBoard Directory Traversal Vulnerability
BugtraqID: 1103   AVM KEN! 1.3.10 Directory Traversal Vulnerability
BugtraqID: 968   NT IIS idq.dll Directory Traversal Vulnerability
BugtraqID: 773   Etype Eserv Directory Traversal Vulnerability
BugtraqID: 772   FTGate Directory Traversal Vulnerability
BugtraqID: 746   Pacific Software URL Live! Directory Traversal Vulnerability
BugtraqID: 743   Falcon Web Server Directory Traversal Vulnerability
BugtraqID: 691   Cisco PIX Firewall Manager File Exposure
BugtraqID: 689   TeamShare TeamTrack Directory Traversal Vulnerability
BugtraqID: 620   Sybase Power Dynamo Directory Traversal Vulnerability
  This personal web server is vulnerable to this bug.
BugtraqID: 110   Metainfo MetaIP and Sendmail Vulnerabilities
BugtraqID: 1102   TalentSoft Web+ Directory Traversal Vulnerability
CVE-2000-0174   StarOffice StarScheduler web server allows remote attackers to read arbitrary files via a .. (dot dot) attack.
CVE-2000-0261   The AVM KEN! web server allows remote attackers to read arbitrary files via a .. (dot dot) attack.
CVE-1999-0474   ICQ Webserver allows remote directory climbing.
CVE-1999-0695   Sybase PowerDynamo personal web server directory climbing.
CVE-1999-0842   Symantec Mail-Gear 1.0 web interface server allows remote users to read arbitrary files via a .. (dot dot) attack.
CVE-1999-0881   Falcon web server allows remote attackers to read arbitrary files via a .. (dot dot) attack.
CVE-1999-0887   FTGate web interface server allows remote attackers to read files via a .. (dot dot) attack.
CVE-1999-0897   iChat ROOMS Webserver allows remote attackers to read arbitrary files via a .. (dot dot) attack.
CVE-1999-0915   URL Live! web server allows remote attackers to read arbitrary files via a .. (dot dot) attack.
CVE-1999-0933   TeamTrack web server allows remote attackers to read arbitrary files via a .. (dot dot) attack.

parametric information

URL        The suspicious URL.
accessed   Indicates whether the URL was successfully accessed.
code       The HTTP return code.
arg        The argument to the GET command (if any).

configuration for this item

http.dotdotpath   ../../../..   An intrusion detection is triggered if the path name contains this substring.

 