Affected ISS products: RealSecure Server Sensor, RealSecure Network, BlackICE Agent for Server, BlackICE Server Protection, Proventia Server IPS for Microsoft Windows technology, BlackICE PC Protection, Proventia Desktop, Proventia Network IPS, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Server IPS for Linux technology
Description: This signature checks for a file name containing a dot-dot sequence in the Content-Disposition header field of an HTTP response.
Risk level: High
Signature versions: RealSecure Server Sensor: XPU 22.29, RealSecure Network: XPU 22.29, BlackICE Agent for Server: 3.6eof, BlackICE Server Protection: 3.6.cpa, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, BlackICE PC Protection: 3.6cpa, Proventia Desktop: 8.0.614.1, Proventia Network IPS: 2.0, Proventia-G 1.1 and earlier: XPU 22.29, Proventia Network MFS: XPU 1.27, Proventia Server IPS for Linux technology: 1.0
Platforms: IBM AIX, WindRiver BSDOS, HP HP-UX, SGI IRIX, Linux Kernel, Sun Solaris, IBM OS2, Microsoft Windows 95, Data General DG/UX, Microsoft Windows NT: 4.0, Microsoft Windows 98, SCO SCO Unix, Microsoft Windows 98SE, Microsoft Windows 2000, Microsoft Windows Me, Compaq Tru64, Microsoft Windows XP, Microsoft Windows 2003 Server, Apple Mac OS X
Category: Unauthorized Access Attempt
Details: The filename parameter of the Content-Disposition header field lets the sender suggest a name for the file. If an application accepts this name without validation, the sender can craft a name containing directory-traversal sequences so that the file is written to a known location on the victim's hard drive rather than to the directory the application intended.
Note: This check is for informational purposes only.
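The following is an added example, not ISS code, showing the check this signature performs on the receiving side together with the mitigation the details above imply: parse the suggested file name out of a Content-Disposition value, flag a dot-dot path segment (stricter than a literal ".." match, so "data..csv" does not fire), and reduce the name to a single path component before it is used. The header values in the test are constructed samples, not captured traffic.

```python
import posixpath
import re
from urllib.parse import unquote

# One Content-Disposition parameter: name="quoted string" or name=token.
_PARAM_RE = re.compile(r';\s*([\w*-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;]*))')


def parse_filename(header_value):
    """Return the file name suggested by a Content-Disposition value, or None.
    Handles filename= and RFC 5987 filename*= (charset'lang'pct-encoded);
    the extended form wins when both are present."""
    plain = extended = None
    _, sep, params = header_value.partition(";")
    for name, quoted, token in _PARAM_RE.findall(sep + params):
        # Only \" is unescaped: stripping every backslash would hide a
        # Windows-style ..\..\ path inside the quoted string.
        value = quoted.replace('\\"', '"') if quoted else token.strip()
        if name.lower() == "filename*":
            charset, _, rest = value.partition("'")
            _, _, encoded = rest.partition("'")
            try:
                extended = unquote(encoded, encoding=charset or "utf-8", errors="strict")
            except (LookupError, UnicodeDecodeError):
                pass  # undecodable extended form: fall back to filename=
        elif name.lower() == "filename":
            plain = value
    return extended if extended is not None else plain


def is_traversal(filename):
    """True when any path segment of the suggested name is '..'. Percent-encoded
    separators are decoded first so ..%2F.. is caught; 'data..csv' is not."""
    segments = re.split(r"[\\/]", unquote(filename))
    return ".." in segments


def safe_filename(filename, default="download"):
    """Reduce a suggested name to one path component so the file can only land
    in the directory the application chose."""
    name = posixpath.basename(unquote(filename).replace("\\", "/"))
    name = name.replace("\x00", "")
    return default if name in ("", ".", "..") else name


def inspect_header(header_value):
    """Apply the check to one response header value.
    Returns (suggested name, signature fired, name safe to use)."""
    suggested = parse_filename(header_value)
    if suggested is None:
        return None, False, None
    return suggested, is_traversal(suggested), safe_filename(suggested)
```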
Source: ISS X-Force
Name: HTTP Content-Disposition file name directory traversal
Reference: http://www.iss.net/security_center/static/16757.php