TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
196
(/../) sequences in the URL, a remote attacker can traverse directories on the Web server to view any file that is
accessible to the web_store.cgi script.
Signature ID: 1383
HTTP HEAD Request with Large Message-Body vulnerability
Threat Level: Warning
Industry ID: CVE-2008-1854
CVE-2008-1777 CVE-2006-5850 CVE-2003-0409
Signature Description: The HTTP HEAD method is identical to GET except that the server MUST NOT return a
message-body in the response. The meta information contained in the HTTP headers in response to a HEAD request is
identical to the information sent in response to a GET request (RFC 2616). This method can be used for obtaining meta
information about the entity implied by the request without transferring the entity-body itself. This method is often used
for testing hypertext links for validity, accessibility, and recent modification. Normally, the request with HEAD
contains no body and its present in the packet is anomalous. Many tools, like Whisker, use this method to send
anomalous data to server. BRS WebWeaver 1.04, Essentia Web Server 2.15, Novell eDirectory 8.8.2and SmarterMail
5.0.2999 are vulnerable to denial of servivce or stack-based buffer overflow.
Signature ID: 1384
MiniShare HTTP HEAD Request Denial of Service Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-2035 Bugtraq: 10417
Signature Description: MiniShare is a free web server software for Microsoft Windows. MiniShare is a quick and easy
way to share files dependless. The files we share are located on our computer and can be accessed by anyone using
their web browser. MiniShare, MiniShare 1.3.2 is vulnerable to denial of service. According to HTTP RFC (2616), any
HTTP request should follow a fixed format i.e. METHOD <space> path(URI) <space> HTTP?1.x. A remote attacker
could send a specially-crafted HTTP HEAD request with less than two new line characters to the MiniShare server,
after received this type of request from any client it is not handle properly, then crash the server. This rule detect one of
such attempts when it sees a request like HEAD/./. Such type of traffic is also sent by tools, like Whisker. The
administrator should check the server's logs for more information.
Signature ID: 1386
HTTP Request with TAB and Splicing
Threat Level: Warning
Signature Description: According to HTTP rfc, a HTTP v1.0 request looks like "Method <space> URI <space> HTTP/
Version CRLF CRLF" But many implementation of HTTP accept TAB as delimiter. Thus the following request is also
a valid one:Method <tab> URI <tab> HTTP/ Version CRLF CRLF" If an IDS/IPS does not accept a TAB, it may miss
the pattern, due to wrong parsing. Many IDS evasion tools, like whisker, try to take advantage of this fact and send
malformed URI. This rule hits when system detects a HTTP request with <tab> as separator and URI being spliced in
small chunks.
Signature ID: 1387
WS_FTP Weak Stored Password Encryption Vulnerability
Threat Level: Warning
Industry ID: CVE-1999-1078
Bugtraq: 547
Signature Description: Ipswitch WS_FTP Server is a highly secure, fully featured and easy-to-administer file transfer
server for Microsoft Windows systems. It is used by administrators globally to support millions of end users and enable
the transfer of billions of files. Users can connect to host, list folders and files, and (depending on permissions)
download and upload data. Administrators can control access to data and files with granular permissions by folder,
user, and group. Administrators can also create multiple hosts that function as completely distinct sites. Ipswitch
WS_FTP Pro 6.0, Ipswitch WS_FTP LE 5.0, Ipswitch WS_FTP LE 4.5 are vulnerable versions. WS_FTP, both Pro and