884.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:

--
Sid:
884

--
Summary:
This event is generated when an attempt is made to exploit a known 
vulnerability in the CGI web application Formmail running on a server.

--
Impact:
Several vulnerabilities include server access, information
disclosure, spam relaying and mail anonymizing.

--
Detailed Information:
This event is generated when an attempt is made to access the perl cgi
script Formmail. Early versions (1.6 and prior) had several vulnerabilities 
(Spam engine, ability to run commands under server id and set 
environment variables) and should be upgraded immediately. Newer 
versions can still be used by spammers for anonymizing email and
defeating email relay controls.

--
Affected Systems:
	All systems running Formmail

--
Attack Scenarios:
Information can be appended to the URL to use your
mail gateway avoiding SMTP relay controls. HTTP header information can
be manipulated to avoid access control methods in script. Allows SMTP
exploits that are normally available only to trusted (local) users such
as Sendmail % hack.

--
Ease of Attack:
Simple. Exploits exist.

--
False Positives:
Legitimate use of the script can cause alerts. Verify
packet payload and watch web/mailserver logfiles.

--
False Negatives:
If the name of the script has been changed this rule will not generate
an event.

--
Corrective Action:
Ensure the system is using an up to date version of the software and has
had all vendor supplied patches applied.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>
Snort documentation contributed by Kevin Binsfield (IDS@Safedge.com)

--
Additional References:

--