2060.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:

--
Sid:
2060

--
Summary:
This event is generated when an attempt is made to exploit a known 
vulnerability in DB4Web.

--
Impact:
Information disclosure

--
Detailed Information:
DB4Web is an application server used to access various sources of data 
via a web interface.

DB4Web does not handle the characters ":" and "\" correctly when they 
are URL encoded. An attacker can use this flaw to gain access to 
sensitive system information.

Also the application does not correctly handle the use of extra "/" in a
URI.

It is also possible for the attacker to open arbitrary TCP connections 
using DB4Web and may be able to use it for portscanning other hosts.

--
Affected Systems:

--
Attack Scenarios:
The attacker merely needs to make a normal HTTP request with the 
characters ":" or "\" encoded (%3A%5C) followed by the commands the 
attacker wishes to run.

The attacker can also make a request like 
http://www.foo.com/cgi-bin/db4web_c/dbdirname//etc/passwd to view the 
contents of the password file.

--
Ease of Attack:
Simple

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
Disable access to DB4Web from external sources.

Apply the appropriate vendor patches.

Run the webserver in a chroot environment to mitigate the risks of 
disclosure.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

DB4Web
http://www.db4web.de/DB4Web/home/DB4Web/hotfix_e.html

--