807.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:  

Sid:
807

--

Summary:
This event is generated when an attempt is made to download the wwwboard password file

--
Impact:
Information disclosure.
An attacker could crack the encrypted password and gain access to the wwwboard
administrator account

--
Detailed Information:
Releases of WWWBoard (Matt Wright's CGI webboard application) before
version 2.0 Alpha 2.1 place the encrypted password for the web 
application's administrator in a file called "passwd.txt" accessible
from the web root.

--
Affected Systems:
 
--
Attack Scenarios:
Attacker downloads the passwd.txt file and then launches a password
cracker to brute force the password (the password is encypted via
crypt(3), and password crackers for this format are ubiquitous).  If
the password is successfully cracked (due to weak passwords or
significant cracking resources), the attacker will have administrative
access to the wwwboard web application.

--
Ease of Attack:
Simple. Exploit software is not required.

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
Inspect packet to insure that it was an attempt to download the
password file and not just a webpage discussing WWWBoard.
Insure that local installations of WWWBoard are current and properly
configured to not save the password file into a publically-accessible
area.

--
Contributors:
Original rule writer unknown
Original document author unkown
Sourcefire Vulnerability Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:
CVE:  CVE-1999-0953
Bugtraq:  BID 649
Arachnids:  463

--