|
2000603 : HTTP "dot dot" sequences |
|
Medium RiskQuick Links
- Event Description
- Products that have this security check
- Affected platforms
- How to remove this vulnerability
- References
- Information about this document
Event description
An attacker can traverse directories on vulnerable Web servers by using "dot dot" (/../) sequences in URLs, allowing the attacker to read any file on the target HTTP server that is world-readable or readable by the ID of the HTTP process. For example, a URL of the form (http://www.domain.com/..\..) allows anyone to browse and download files outside of the Web server content root directory. URLs such as (http://www.domain.com/scripts..\..\) script-name could allow an attacker to execute the target script. An attacker can use a listing of this directory as additional information for planning a structured attack, or could download files elsewhere in the file system.
Products that have this security check
- BlackICE Agent for Server
- BlackICE PC Protection
- BlackICE Server Protection
- Proventia Desktop
- Proventia Network IDS
- Proventia Network IPS
- Proventia Network MFS
- Proventia Server IPS for Linux technology
- Proventia Server IPS for Microsoft Windows technology
- RealSecure Desktop
- RealSecure Desktop Protector
- RealSecure Desktop Protector 3.6
- RealSecure Guard
- RealSecure Network
- RealSecure Sentry
- RealSecure Server Sensor
| HTTP_DotDot | |
This signature detects HTTP GET requests that contain a tunable number of "../" sequences in the URL. The default number of such patterns is defined by the tuning parameter pam.http_dotdot.limit. The following common file extensions are ignored when triggering this event: .htm, .html, .asp, .aspx, .jpg, .gif, .mpg, .mp3, .pdf, .wmv, .wav, .cfm, .bmp, .jpeg, and .mpeg. | |
| False Positive: | This event does not necessarily indicate a successful attack. |
Affected platforms
- Apple Mac OSCisco IOSCompaq Tru64Data General DG/UXHP HP-UXIBM AIXIBM OS2Linux KernelMicrosoft Windows 2000Microsoft Windows 2003 ServerMicrosoft Windows 95Microsoft Windows 98Microsoft Windows 98SEMicrosoft Windows MeMicrosoft Windows NT 4.0Microsoft Windows XPNovell NetWareSCO SCO UnixSGI IRIXSun SolarisVarious vendors Any Web serverWindRiver BSDOS
How to remove this vulnerability
Check with the vendor and documentation of your Web server software for information on configuring your server to remove this vulnerability.
— OR —
Upgrade to the latest version of your Web server software. Contact your vendor for more information.
References
IBM Internet Security Systems X-Force Database
IIS crashes processing some GET commands
http://xforce.iss.net/xforce/xfdb/1638
Common Vulnerabilities and Exposures
Denial of service in Windows NT IIS server using ..\..
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0229
Information about this document
The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than Internet Security Systems. Use of this information constitutes acceptance for use in an "AS IS" condition, without warranties of any kind, and any use of this information is at the user's own risk. Internet Security Systems disclaims all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Internet Security Systems be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if Internet Security Systems has been advised of the possibility of such damages.
Copyright © 1997 – 2008 IBM Internet Security Systems. All rights reserved.
This page was created on Thu Dec 4 07:59:44 2008