Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
GEN:SID | 1:1070 |
Message | WEB-MISC WebDAV search access |
Summary | This event is generated when an attempt is made to initiate a WebDAV SEARCH on a web server. |
Impact | Information gathering. Potential Denial of Service (DoS). |
Detailed Information | IIS 5.0 includes an implementation of WebDAV for purposes of web publishing. As shipped, it contains two vulnerabilities that can allow an attacker to get a complete directory listing from the web root and to DoS the web server. If the target is IIS 5.0, then an attacker may have gotten a complete directory listing from within the web root, which can be useful information for attackers (could be a prelude to a more serious attack). IIS 5.0's WebDAV implementation is also vulnerable to a Denial of Service vulnerability if the search string is too long. |
Affected Systems | IIS 5.0 Any web server running WebDAV, though no exploits are known for servers other than IIS 5.0. |
Attack Scenarios | Attacker gets a listing by sending something like: SEARCH / HTTP/1.1 Attacker DoSes the web server using pre-existing tools. |
Ease of Attack | Simple. |
Corrective Action | Check the host for signs of compromise. Upgrade to the latest non-affected version of the software. Apply the appropriate vendor supplied patches. Disallow WebDAV access to the server from resources external to the protected network. |
Additional References | CVE: CVE-2000-0951 Bugtraq: BID 1756 Bugtraq: BID 2483 |
Rule References | arachnids: 474 bugtraq: 1756 cve: 2000-0951 |
--
DID:196959
--
http://www.aanval.com/