HTTP GET request contains "dot dot dot" (HTTP_GET_Dotdotdot_Data)

About this signature or vulnerability

RealSecure Network, RealSecure Server Sensor, RealSecure Desktop Protector, BlackICE Agent for Server, BlackICE PC Protection, RealSecure Sentry, RealSecure Guard, Proventia Server IPS for Microsoft Windows technology, BlackICE Server Protection, Proventia Network MFS, Proventia Network IDS, Proventia-G 1.1 and earlier, RealSecure Desktop Protector 3.6, Proventia Server IPS for Linux technology, Proventia Desktop, Proventia Network IPS:

This signature detects HTTP GET requests that contain "/..." in the argument data.

This signature detects HTTP GET requests that contain "/..." in the data.


Default risk level

Medium risk vulnerability  Medium

Sensors that have this signature

RealSecure Network: 7.0, RealSecure Server Sensor: 7.0, RealSecure Desktop Protector: 3.6, BlackICE Agent for Server: 3.6, BlackICE PC Protection: 3.6.cbd, RealSecure Sentry: 3.6, RealSecure Guard: 3.6, Proventia Server IPS for Microsoft Windows technology: 1.0.914.0, BlackICE Server Protection: 3.6.cbd, Proventia Network MFS: 1.0, Proventia Network IDS: A Series, Proventia-G 1.1 and earlier: G Series, RealSecure Desktop Protector 3.6: baseline, Proventia Server IPS for Linux technology: 1.0, Proventia Desktop: 8.0.614.1, Proventia Network IPS: 2.0, RealSecure Desktop: baseline

Systems affected

Various vendors Any application, IETF HTTP/1.1

Type

Suspicious Activity

Vulnerability description

An attacker may attempt to traverse directories on vulnerable servers by using "dot dot" sequences in URLs (or, in this case, "dot dot dot" sequences), such as "/...". This could allow an attacker to view the contents of otherwise secure directories.

How to remove this vulnerability

No remedy available as of March 2002.

References

ISS X-Force
HTTP GET request contains "dot dot dot"
http://www.iss.net/security_center/static/8081.php