ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
site files on the server. The FrontPage extensions in Microsoft InterDev 1.0 and Microsoft FrontPage 98 Server
Extensions for IIS allow a remote attacker to read files on the server by using a nonstandard URL. Specifically, two
DLLs (dvwssr.dll and mtd2lv.dll) include an obfuscation string that manipulates the name of requested files. Knowing
this string and the obfuscation algorithm allows anyone with web authoring privileges on the target host to download
any .asp or .asa source on the system (including files outside the web root, through use of the '../' string). This
includes users with web authoring rights to only one of several virtual hosts on a system, allowing one company to
potentially gain access to the source of another company's website if hosted on the same physical machine. Remote
attackers can view the contents of the authors.pwd configuration file by sending a HyperText Transfer Protocol (HTTP)
request. The attacker can then crack the passwords stored in this file, and use the passwords to gain unauthorized access
to the affected server.
Signature ID: 78
Access to Microsoft Frontpage dvwssr.dll vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0260
Bugtraq: 1108,1109 Nessus: 10369
Signature Description: FrontPage extensions provide the user with the ability to remotely create and manipulate web
site files on the server. Microsoft InterDev 1.0 and Microsoft FrontPage 98 Server Extensions for IIS ship with a
dvwssr.dll file that is vulnerable to a buffer overflow, which allows anyone to execute arbitrary commands on the
server or causes a denial of service when an attack attempt is unsuccessful. This file is found in the
/_vti_bin/_vti_aut/ path.
Signature ID: 79
Shtml.exe reveals full path vulnerability
Threat Level: Warning
Industry ID: CVE-2000-0413 CVE-2002-0072 Bugtraq: 1174,4479 Nessus: 10405,10937
Signature Description: FrontPage extensions provide the user with the ability to remotely create and manipulate web
site files on the server. The FrontPage extensions package of IIS 4.0 and 5.0, and FrontPage Server Extensions 1.1
and prior, ship with a vulnerable shtml.exe or shtml.dll (depending on platform) that discloses the full
path to the remote web root when it is given a non-existent file as an argument. For example, performing a request for
http://target/_vti_bin/shtml.dll/non_existant_file.html will produce an error message stating "Cannot open
"C:\localpath\non_existant_file.html": no such file or folder". Such information can help an attacker in subsequent
attacks.
Signature ID: 80
Access to vulnerable aglimpse cgi
Threat Level: Severe
Industry ID: CVE-1999-0147 Bugtraq: 2026 Nessus: 10095
Signature Description: Vulnerabilities exist in the GlimpseHTTP and WebGlimpse packages. Both of these packages
provide a web interface which allows users to use Glimpse, an indexing and query system, to provide a search facility
for your web site. The cgi-bin programs in these packages perform insufficient argument checking. Due to this,
intruders may be able to execute arbitrary commands with the privileges of the httpd process. GlimpseHTTP 2.0 is
known to be vulnerable in this fashion. The authors of GlimpseHTTP and WebGlimpse also believe earlier versions of
both GlimpseHTTP (prior to 2.0) and WebGlimpse (prior to 1.5) may be vulnerable to similar attacks. There are reports
of attacks using the aglimpse cgi-bin program (part of GlimpseHTTP).
Signature ID: 82
Access to vulnerable guestbook.pl (.cgi) script
Threat Level: Warning
Industry ID: CVE-1999-0237 CVE-2002-0730 CVE-1999-1053 Bugtraq: 776,4566 Nessus: 10099,10098
Signature Description: A guestbook script allows visitors to sign and leave greetings on the website. Two different
guestbook CGIs, Matt Wright GuestBook 2.3 and Philip Chinery's Guestbook 1.1, are exploitable on the Apache server.