RealSecure Server Sensor, RealSecure Network, BlackICE Server Protection, Proventia Server IPS for Microsoft Windows technology, BlackICE Agent for Server, BlackICE PC Protection, Proventia Desktop, Proventia Network IPS, RealSecure Desktop Protector 3.6, Proventia Server IPS for Linux technology, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Network MFS:
This signature checks for a filename containing a dot-dot ("..") sequence in the Content-Disposition header field of an HTTP response.
High
RealSecure Server Sensor: XPU 22.29, RealSecure Network: XPU 22.29, BlackICE Server Protection: 3.6.cpa, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, BlackICE Agent for Server: 3.6eof, BlackICE PC Protection: 3.6cpa, Proventia Desktop: 8.0.614.1, Proventia Network IPS: 2.0, RealSecure Desktop Protector 3.6: baseline, Proventia Server IPS for Linux technology: 1.0, Proventia-G 1.1 and earlier: XPU 22.29, Proventia Network IDS: XPU 22.29, Proventia Network MFS: XPU 1.27, RealSecure Desktop: baseline
IBM AIX, WindRiver BSDOS, HP HP-UX, SGI IRIX, Linux Kernel, Sun Solaris, IBM OS2, Microsoft Windows 95, Data General DG/UX, Microsoft Windows NT: 4.0, Microsoft Windows 98, SCO SCO Unix, Microsoft Windows 98SE, Microsoft Windows 2000, Microsoft Windows Me, Compaq Tru64, Microsoft Windows XP, Microsoft Windows 2003 Server, Apple Mac OS X
Unauthorized Access Attempt
The filename parameter in the Content-Disposition header field allows the sender to suggest a file name. If an application accepts this file name without validation, the sender can craft a name containing directory traversal sequences so that the file is saved to a known location on the victim's hard drive rather than in the intended download directory.
This check is for informational purposes only.
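As an added illustration of the check described above (example code, not from the ISS signature or any of the listed products): a Python routine that extracts the suggested filename from a Content-Disposition value, flags it when it could escape the download directory, and derives a name that is safe to save under. It goes beyond the dot-dot case by also flagging path separators of either style, absolute paths and Windows drive prefixes; the sample header values are constructed.

```python
import re
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed sample Content-Disposition values (not from the original page).
SAMPLE_HEADERS = {
    "plain": 'attachment; filename="report.pdf"',
    "traversal": 'attachment; filename="../../../../Windows/start.bat"',
    "encoded": "attachment; filename*=UTF-8''..%2F..%2Fetc%2Fpasswd",
    "backslash": 'attachment; filename="..\\..\\boot.ini"',
}
_PARAM_RE = re.compile(r'(?i)\b(filename\*?)\s*=\s*("([^"]*)"|([^;]*))')

def extract_filename(header: str) -> Optional[str]:
    """Return the suggested name; the RFC 5987 filename* form is percent-decoded
    and, when both forms are present, wins as RFC 6266 requires."""
    plain = ext = None
    for m in _PARAM_RE.finditer(header):
        value = m.group(3) if m.group(3) is not None else m.group(4).strip()
        if m.group(1).lower() == "filename*":
            ext = unquote(value.split("'", 2)[-1])  # drop charset'lang' prefix
        else:
            plain = value
    return ext if ext is not None else plain

def is_traversal(name: Optional[str]) -> bool:
    """Flag names that could escape the download directory: a dot-dot segment,
    any path separator (both styles, since the saver may run on Windows),
    an absolute path or a Windows drive prefix."""
    if not name:
        return False
    unified = name.replace("\\", "/")
    segments = unified.split("/")
    return ".." in segments or len(segments) > 1 or bool(re.match(r"[A-Za-z]:", unified))

def safe_filename(name: Optional[str], fallback: str = "download") -> str:
    """Keep only the last path segment, replace unsafe characters and strip
    leading dots; fall back to a fixed name when nothing usable remains."""
    base = posixpath.basename((name or "").replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return base or fallback

def scan(headers: dict) -> dict:
    """Map each label to (suggested name, flagged, name safe to save under)."""
    names = {k: extract_filename(v) for k, v in headers.items()}
    return {k: (n, is_traversal(n), safe_filename(n)) for k, n in names.items()}

if __name__ == "__main__":
    for label, row in scan(SAMPLE_HEADERS).items():
        print(f"{label:10} suggested={row[0]!r} flagged={row[1]} safe={row[2]!r}")
```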
ISS X-Force
HTTP Content-Disposition file name directory traversal
http://www.iss.net/security_center/static/16757.php