ProCurve TMS zl Module IPS/IDS Signature Reference Guide Version RLX.10.2.2.94
Signature Description: Microsoft Internet Explorer is reported susceptible to a filename extension spoofing
vulnerability when utilizing the 'Save Image As' feature. Reportedly, this vulnerability is only possible when Internet
Explorer is configured with 'Hide extension for known file types' enabled. This is the default configuration. This
vulnerability may facilitate the spoofing of filename extensions, resulting in malicious content being inadvertently
downloaded to vulnerable Web users.
Signature ID: 30004
Apache Mod_Rewrite Off-By-One Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2006-3747 Bugtraq: 19204
Signature Description: The Apache HTTP server distribution includes a number of supplemental modules that provide
additional functionality to the web server. One of these modules, 'mod_rewrite', provides a rule-based rewriting engine
to rewrite requested URLs "on the fly" based on regular expressions. The mod_rewrite module in Apache versions
1.3.28 - 1.3.36, 2.0.46 - 2.0.58 and 2.2.0 - 2.2.2 contains an off-by-one buffer overflow vulnerability when escaping an
absolute URI scheme in the function escape_absolute_uri( ). The vulnerability occurs when separating out tokens
within an LDAP URL. The rewrite rules used by the module are stored in the configuration file, httpd.conf, or in a file
which is included in httpd.conf. If RewriteRule (RewriteEngine on) is enabled and configured to use certain rules, and if
the URL does not contain a Forbidden (F), Gone (G), or NoEscape (NE) flag, a remote attacker could exploit this
vulnerability to execute arbitrary code on the system or cause the server to crash. Since the vulnerability allows at most
four bytes to be written past the end of the allocated buffer, successful exploitation depends on the stack frame layout
of Apache running on the target host. Upgrade to the latest version of Apache (2.2.3 or later).
Signature ID: 30005
McAfee EPolicy Orchestrator and ProtectionPilot HTTP Server Remote Buffer Overflow
Threat Level: Severe
Industry ID: CVE-2006-5156 Bugtraq: 20288
Signature Description: The HTTP server component of McAfee ePolicy Orchestrator and ProtectionPilot is prone to a
remote stack-based buffer-overflow vulnerability that can lead to complete system compromise. This issue arises
because the application fails to perform boundary checks before copying user-supplied data into sensitive process
buffers. A successful attack may result in arbitrary code execution with SYSTEM privileges, leading to a full
compromise. McAfee ePolicy Orchestrator 3.5.0 patch 5 and prior versions as well as ProtectionPilot 1.1.1 patch 2 and
prior versions are vulnerable to this issue.
Signature ID: 30010
IMAPD Command Continuation Request Buffer Overflow Vulnerability
Threat Level: Severe
Industry ID: CVE-2005-1758 Bugtraq: 14718,21252
Signature Description: This event may indicate an attempt to exploit a buffer overflow vulnerability in a vulnerable
IMAP server when the LOGIN command is issued with a Command Continuation Request. The IMAP protocol specifies a
method called command continuation to allow string exchanges between server and client that contain end-of-line
characters as well as space characters without the limitations imposed by the normal parameter passing methods. Prior
to authentication, the only command that accepts parameters in the form of command continuation is the LOGIN
command. The LOGIN command accepts two parameters, username and password. Applications like Novell NetMail
and MailEnable IMAP servers are vulnerable to a buffer overflow due to improper boundary checks when handling
parameters when the command continuation method is used. Users are advised to upgrade to newer versions.
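
The command-continuation exchange described for signature 30010, as an added example (not the TMS zl signature's logic and not vendor code): it walks the client side of an IMAP byte stream, follows RFC 3501 literals (`{n}`, or `{n+}` with LITERAL+), and reports LOGIN literals whose declared size exceeds a limit. The 256-byte limit, the function name and the sample bytes are assumptions constructed for illustration.

```python
import re

# Assumed policy limit for one pre-authentication LOGIN argument; tune per site.
MAX_LOGIN_LITERAL = 256
# Literal marker ending a command line: {n}, or {n+} for LITERAL+ (RFC 2088).
# RFC 3501 numbers are 32-bit, so at most 10 digits.
LITERAL_AT_EOL = re.compile(rb"\{(\d{1,10})\+?\}$")


def scan_login_literals(stream, limit=MAX_LOGIN_LITERAL):
    """Return [(tag, literal_number, declared_size)] for every LOGIN literal
    in the client-to-server bytes whose declared size is above `limit`."""
    findings = []
    pos = 0
    while True:
        eol = stream.find(b"\r\n", pos)
        if eol < 0:
            return findings
        line, pos = stream[pos:eol], eol + 2
        parts = line.split(None, 2)
        is_login = len(parts) >= 2 and parts[1].upper() == b"LOGIN"
        tag = parts[0].decode("ascii", "replace") if parts else ""
        literal_no = 0
        m = LITERAL_AT_EOL.search(line)
        # A command may chain several literals; follow each one so that bytes
        # inside literal data are never parsed as a new command line.
        while m:
            literal_no += 1
            size = int(m.group(1))
            if is_login and size > limit:
                findings.append((tag, literal_no, size))
            # Skip the literal by its declared size, clamped to captured data.
            pos = min(pos + size, len(stream))
            eol = stream.find(b"\r\n", pos)
            if eol < 0:
                return findings
            line, pos = stream[pos:eol], eol + 2
            m = LITERAL_AT_EOL.search(line)


# Constructed sample: one normal literal LOGIN, one with an oversized username.
SAMPLE = (
    b"a001 CAPABILITY\r\n"
    b"a002 LOGIN {5}\r\nalice {6}\r\nsecret\r\n"
    b"a003 LOGIN {4096}\r\n" + b"A" * 4096 + b" {4}\r\npass\r\n"
)

if __name__ == "__main__":
    print(scan_login_literals(SAMPLE))
```

The scan checks the declared size rather than the bytes that follow, so a LOGIN that announces a large literal is reported even if the capture ends before the data arrives.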