1188.txt

This is the snapshot of Snot Latest Rules

Rule:

--
Sid:
1188

--
Summary:
This event is generated when an attempt is made to exploit a vulnerability in some versions of Netscape Enterprise Server.

--
Impact:
Information leak which could provide an attacker with the data needed to launch further attacks or gain more detailed information about your web server.

--
Detailed Information:
A user can see a directory listing by appending a Web Publishing command to the end of a directory URL, for example: "http://www.target.com/?wp-start-ver".

This exploit will work on Netscape Enterprise Server regardless of directory indexing settings.

It will not work on iPlanet Web Server if directory indexing is set to "none" or "fancy" (the default). Web Publishing need not be enabled for this exploit to work.

--
Affected Systems:
  Netscape Enterprise Server 3.0, 3.51 and 3.6

--
Attack Scenarios:
The gathering of information such as directory listings is valuable when planning to attack a web server.

--
Ease of Attack:
Simple. No exploit software required however, an automated tool for scanning exists as does an exploit script.

--
False Positives:
A web server that uses URLs which contain web publishing commands.

--
False Negatives:
None Known.

--
Corrective Action:
Disable directory indexing. For earlier versions of Netscape Enterprise Server, this may not fix the problem. On iPlanet, you can also change the indexing type to "fancy".

To fix the potential DOS vulnerability, upgrade to at least iWS 4.1 SP8.

--
Contributors:
Snort documentation contributed by Kevin Peuhkurinen
Sourcefire Vulnerability Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

iPlanet Knowledge Base Article 4302:
http://knowledgebase.iplanet.com/ikb/kb/articles/4302.html

iPlanet Knowledge Base Article 7761:
http://knowledgebase.iplanet.com/ikb/kb/articles/7761.html

--