TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Signature Description: The Oracle HTTP Server (OHS) is a web server that listens for HTTP requests from remote users and
interacts with a back-end Oracle database. By default this HTTP server is installed with Oracle Application Server.
Oracle9iAS Application Server versions 1.0.2 to 10.x could allow a remote attacker to access restricted URLs because of
a vulnerability in the way the Web Cache is used. Normally user connections are restricted by the mod_access module. This
restriction can be bypassed when the user connects to the Web Cache, which listens on TCP port 7778. A remote attacker
could exploit this vulnerability by using the Web Cache to access restricted URLs on the system. Oracle fixed this issue by
introducing the parameter "UseWebcacheIP" for the Oracle HTTP Server (OHS); set this option to ON in httpd.conf.
This signature detects when an attacker sends
/dmsoc4j/AggreSpy?format=metrictable&nountype=ohs_child&orderby=Name on TCP port 7778.
Signature ID: 30073
Oracle HTTP Server mod_access Security Restriction Bypass Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-1383 Bugtraq: 13418
Signature Description: The Oracle HTTP Server (OHS) is a web server that listens for HTTP requests from remote users and
interacts with a back-end Oracle database. By default this HTTP server is installed with Oracle Application Server.
Oracle9iAS Application Server versions 1.0.2 to 10.x could allow a remote attacker to access restricted URLs because of
a vulnerability in the way the Web Cache is used. Normally user connections are restricted by the mod_access module. This
restriction can be bypassed when the user connects to the Web Cache, which listens on TCP port 7778. A remote attacker
could exploit this vulnerability by using the Web Cache to access restricted URLs on the system. Oracle fixed this issue by
introducing the parameter "UseWebcacheIP" for the Oracle HTTP Server (OHS); set this option to ON in httpd.conf.
This signature detects when an attacker tries to send a request matching the server-status or dms0 pattern on TCP port 7778.
Signature ID: 30074
Oracle Application Server 9i Webcache Arbitrary File Corruption Vulnerability
Threat Level: Warning
Industry ID: CVE-2005-1382 Bugtraq: 13420
Signature Description: The Oracle Web Cache caches static and dynamic content generated by Oracle Application
web servers, reducing bandwidth usage and server load. The Oracle9i Application Server Web Cache has a file
modification vulnerability. The vulnerability exists in the webcacheadmin module, where the input file value is not
properly validated. The Oracle Web Cache server listens for administration messages sent via HTTP requests on port
4000/TCP by default. Oracle Web Cache administrators log cache pages to a file. The file location is specified by the
administrator via a parameter in an HTTP request URI. If the destination file does not exist on the Web Cache server, it
is created; otherwise, the cached content is appended to it. A remote attacker can specify an existing file such as
httpd.conf and corrupt it, because the cache page information is appended to the file.
Oracle has issued a fix for this vulnerability.
Signature ID: 30075
%u Full width / Half width Encoding found in HTTP GET Request
Threat Level: Warning
Signature Description: This rule triggers when an HTTP GET request is made that contains %u full-width / half-width
encoded data. %u encoding is a non-standard encoding method, but several applications support it. Attackers commonly
use this mechanism to bypass IDS/IPS.
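The following Python script is an added example illustrating the detection logic behind this signature; it is not code from the ProCurve TMS zl module or from HP. It decodes the non-standard %uXXXX form in the request target of an HTTP GET line, folds full-width ASCII variants (U+FF01 to U+FF5E) onto their half-width equivalents, and flags any request that used %u encoding, so an inspector sees the same path the application would see. The request lines in SAMPLE_REQUESTS are constructed for the example.

```python
import re
from typing import Dict, Tuple
from urllib.parse import unquote

# Non-standard "%uXXXX" escape: "%u" followed by exactly four hex digits.
PERCENT_U = re.compile(r'%u([0-9A-Fa-f]{4})')


def fold_fullwidth(ch: str) -> str:
    """Map a full-width ASCII variant (U+FF01..U+FF5E) to its half-width
    ASCII equivalent; any other character is returned unchanged."""
    cp = ord(ch)
    if 0xFF01 <= cp <= 0xFF5E:
        return chr(cp - 0xFEE0)
    return ch


def decode_percent_u(s: str) -> Tuple[str, int, int]:
    """Decode every %uXXXX sequence in s, folding full-width characters.

    Returns (decoded_string, number_of_percent_u_sequences,
             number_of_fullwidth_characters_folded)."""
    n_u = 0
    n_fw = 0

    def repl(m: "re.Match[str]") -> str:
        nonlocal n_u, n_fw
        n_u += 1
        ch = chr(int(m.group(1), 16))
        folded = fold_fullwidth(ch)
        if folded != ch:
            n_fw += 1
        return folded

    return PERCENT_U.sub(repl, s), n_u, n_fw


def inspect_get_request(request_line: str) -> Dict[str, object]:
    """Inspect one HTTP request line. Alerts when the GET target carried
    %u-encoded data, and reports the normalized target for the analyst."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != 'GET':
        return {'alert': False, 'reason': 'not a GET request line'}
    target = parts[1]
    decoded, n_u, n_fw = decode_percent_u(target)
    # Resolve ordinary %XX escapes as well, so the reported path is what
    # the back-end application would actually see.
    normalized = unquote(decoded)
    return {
        'alert': n_u > 0,
        'percent_u_sequences': n_u,
        'fullwidth_folded': n_fw,
        'normalized_target': normalized,
    }


# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    'GET /index.html HTTP/1.1',                  # plain request, no alert
    'GET /%uFF41%uFF44min/ HTTP/1.1',            # full-width "a" and "d" -> /admin/
    'GET /search?q=%u0041%u0042 HTTP/1.1',       # %u carrying plain ASCII
]

if __name__ == '__main__':
    for line in SAMPLE_REQUESTS:
        print(line, '->', inspect_get_request(line))
```

Folding full-width characters matters because a filter that compares the raw request against a string such as "/admin/" never sees a match while the application, after its own decoding, serves exactly that path; normalizing first and matching second closes that gap.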
Signature ID: 30076
Symantec Client Firewall DNS Response CNAME Buffer Overflow Vulnerability
Threat Level: Warning
Industry ID: CVE-2004-0444 Bugtraq: 10334
Signature Description: Norton Personal Firewall, Norton AntiSpam, Norton Internet Security, and Symantec Client
Firewall are security products developed by Symantec. SYMDNS.SYS is the component used by all these products