TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
59
on the system with the privileges of the user owning the server process. An attacker can use this information to make
more focused attacks.
Signature ID: 342
Wwwboard.pl CGI arbitrary post modification vulnerability
Threat Level: Warning
Industry ID: CVE-1999-0930 Bugtraq: 1795
Signature Description: The Common Gateway Interface (CGI) is a standard protocol for interfacing external
application software with an information server, commonly a web server. The WWWBoard package is a popular web
based discussion board by Matt Wright. Matt Wright WWWBoard 2.0 Alpha 2 allows a remote attacker to delete or
overwrite message board articles via a malformed argument. This is accomplished by submitting a POST request of
hidden type with attribute 'name' having value as 'followup' and attribute 'value' having value corresponding to a
previously existing message.
Signature ID: 343
Long HTTP Request Line Detction
Threat Level: Information
Industry ID: CVE-1999-0931 CVE-2001-0282 CVE-2000-0398 CVE-2000-0626 Bugtraq: 734,1244,1482 Nessus:
10958,10637,10012,10421
Signature Description: This rule is triggered when an URL of length more than the configured value is detected . Most
of the time, under normal conditions, URL of such a big length is not sent. The presence of such a lengthy URL is
suspicious (unless the server is accepting GET request with lot many parameters for a particular script). It is possible to
do a buffer overflow attack in the remote http server when it is given a very long http request line. An attacker may use
it to execute arbitrary code on the host. The administrator is advised to check the target web server logs to analyze the
session associated with this log.
Signature ID: 344
HTTP large request header Size detection
Threat Level: Information
Industry ID: CVE-2001-0282 CVE-2000-0398 CVE-2004-0594 CVE-2000-0626 Bugtraq: 10725,1244,1482 Nessus:
10637,10012,10421
Signature Description: The Hypertext Transfer Protocol (HTTP) is an application-level protocol, with its version 1.1
defined in RFC 2616. HTTP header fields, which include general-header, request-header, response-header, and entity-
header fields, follow the same generic format as that given in RFC 822. Each header field consists of a name followed
by a colon (":) and the field value. Though no limit is specified in any RFC as such, depending upon a server, it may be
assuming some limit for each field and any attempt to put more data than expected, may result in buffer overflow.
There may be server implementations which allocate limited buffer for overall header size. In such case, overflow may
occur in either of the two conditions - a)large data is supplied in a single field; or b) all (or most) fields are given
sufficiently large data so that overall header size goes up. This rule tries to capture any such attempt. An attacker may
use this vulnerability to execute arbitrary code on the host. This rule is triggered when request header size exceeds
configured value in the IIPS Manager. The administrator is advised to check the HTTP server logs for any misuse.
Signature ID: 345
HTTP Long Header Line Size detection
Threat Level: Critical
Industry ID: CVE-1999-0751
CVE-1999-0867 CVE-2004-0594 CVE-2005-1935 Bugtraq: 10725,579,631 Nessus:
10515,10154,10119
Signature Description: The Hypertext Transfer Protocol (HTTP) is an application-level protocol, with its version 1.1
defined in RFC 2616. HTTP header fields, which include general-header, request-header, response-header, and entity-
header fields, follow the same generic format as that given in RFC 822. Each header field consists of a name followed