Information disclosure attacks

This type of attack is aimed at acquiring system-specific information about a web site, including software distribution, version numbers, and patch levels. The acquired information might also include the location of backup files or temporary files.

About this attack

Most web sites will disclose some amount of information. The more information that an attacker learns about a web site, the easier the system will be to compromise.

Types of information disclosure attacks

The following types of attacks are considered information disclosure attacks:

Table 1. Information disclosure attacks

Attack type: Directory Indexing
Attack description: Exploits a function in a web server that lists all the files within a requested directory if the normal base file is not present.
Reference: See Directory indexing attacks for more information about this type of attack.

Attack type: Information Leakage
Attack description: Exploits a web site that reveals sensitive data, such as developer comments or error messages.

Attack type: Path Traversal
Attack description: Forces access to files, directories, and commands that are located outside the web document root directory.
Reference: See Path traversal attacks for more information about this type of attack.

Attack type: Predictable Resource Location
Attack description: Uncovers hidden web site content and functions.

Signatures triggered by this attack

The signatures triggered by Information Disclosure attacks include:

Table 2. Information Disclosure signatures

Signature name: HTTP_Apache_ServerInfo
Description: Searches for an HTTP request with the Apache server-info handler specified.
More information: IBM® X-Force®: Apache HTTP Server server-info request has been detected

Signature name: HTTP_Apache_ServerStatus
Description: Searches for an HTTP request with the Apache server-status handler specified.
More information: IBM X-Force: Apache HTTP Server server-status request has been detected

Signature name: HTTP_Apache_Trailing_Slash
Description: Detects attempts to view the source of PHP pages by exploiting a vulnerability that exists when the PHP site is hosted on a Windows Samba file share and the requested page name has a \ appended to the .php file extension in the URL.
More information: IBM X-Force: Apache HTTP Server Windows SMB shares information disclosure; CVE-2007-6514

Signature name: HTTP_Bash_Shell_History
Description: Detects HTTP URLs that contain */.bash_history or */.history. This signature replaces HTTP_ShellHistory.
More information: IBM X-Force: Cobalt RaQ Web server could reveal user's command history; CVE-1999-0408

Signature name: HTTP_ColdFusion_Debug
Description: Detects an HTTP URL that contains the string *.cfm and that also has a parameter/value pair of mode=debug in the query string.
More information: IBM X-Force: ColdFusion Debugging mode could allow the path to ".cfm" files to be revealed

Signature name: HTTP_FileTypeLnk
Description: Detects an attempt to access a .lnk file (/*/*.lnk). Under some circumstances, an attacker might use such a file to gain access to privileged information on the client system. This signature replaces HTTP_IE3_URL.
More information: IBM X-Force: Microsoft Internet Explorer 3.0 allows remote command execution

Signature name: HTTP_FileTypeUrl
Description: Detects an attempt to access a .url file (/*/*.url). Under some circumstances, an attacker might use such a file to gain access to privileged information on the client system. This signature replaces HTTP_IE3_URL.
More information: IBM X-Force: Microsoft Internet Explorer 3.0 allows remote command execution; CVE-1999-0280

Signature name: HTTP_FrontPage_Authors
Description: Detects a request for the author's password file.
More information: IBM X-Force: Microsoft FrontPage Extensions authors.pwd file could reveal encrypted passwords

Signature name: HTTP_FrontPage_PWD
Description: Detects a request for the Administrator's password file.
More information: IBM X-Force: Microsoft FrontPage Extensions administrators.pwd file could reveal encrypted passwords

Signature name: HTTP_IIS_Obtain_Code
Description: Detects HTTP GET requests that include the string +.htr, which might indicate an attempt by an attacker to view the source of files on the web server.
More information: IBM X-Force: Microsoft IIS allows remote attackers to obtain source code fragments using +.htr; CVE-2000-0630

Signature name: HTTP_IIS_Track
Description: Searches for an HTTP request that uses the TRACK method, which can cause the server to return sensitive information. IIS does not properly log this request.
More information: IBM X-Force: Microsoft Internet Information Server (IIS) fails to properly log HTTP TRACK requests

Signature name: HTTP_IIS_Trailing_Incomplete_Unicode
Description: Detects specially-crafted URLs that end with a trailing byte in the range %81 through %fe. Such URLs might indicate an attacker's attempt to cause the server to return the original file rather than executing it, which might reveal critical information about the server to the attacker. Server source code often contains hidden passwords, hidden file names, or easy-to-discover bugs, and the attacker can use this hidden information to break into the server.
More information: IBM X-Force: Microsoft IIS using double-byte code pages could allow remote attackers to retrieve source code; CVE-1999-0725

Signature name: HTTP_JSP_SourceRead
Description: Detects a URL ending with the file name extension .jsp or .jhtml where any of the letters in the extension are not lowercase.
More information: IBM X-Force: BEA WebLogic allows users to read source of JSP files; CVE-2000-0499

Signature name: HTTP_Microsoft_Error_Report
Description: Detects the reporting of a Windows application error, such as a crashed or stopped process.
More information: IBM X-Force: Microsoft Windows error report transmission detected

Signature name: HTTP_Netscape_List_Directories
Description: Detects the use of an HTTP INDEX request, which Netscape Enterprise web servers support. An attacker can use this request to gain access to sensitive information.
Known false positives: A false positive is possible for legitimate HTTP INDEX requests. Though there are legitimate reasons for HTTP INDEX requests, an attacker can use such a request to gain access to sensitive information about Netscape Enterprise web servers.
More information: IBM X-Force: Netscape Enterprise Server allows remote directory listing; CVE-2001-0250

Signature name: HTTP_Netware_DirList
Description: Detects an HTTP command consisting of the method get (lowercase) and a URL of /.
More information: IBM X-Force: Novell NetWare GET allows directory listing; CVE-2001-1232

Signature name: HTTP_Orion_JSP_SourceRead
Description: Detects a URL ending with the file name extension .jsp followed by a space.
More information: IBM X-Force: Orion Application Server JSP source code disclosure; CVE-2006-0816

Signature name: HTTP_Passwd_Txt
Description: Detects HTTP GET requests for the passwd.txt file.
More information: IBM X-Force: WWWBoard's administrator password file is remotely accessible; CVE-1999-0953

Signature name: HTTP_PHP_Addslashes_ViewFiles
Description: Detects a specially-crafted URL that might be used to view arbitrary files on the system.
More information: IBM X-Force: PHP addslashes view files; CVE-2004-1020

Signature name: HTTP_PHPNuke_Admin_Overwrite
Description: Detects an HTTP URL that contains the string */admin.php and also uses a query string that starts with upload.
More information: IBM X-Force: PHP-Nuke admin.php could allow remote attackers to upload and overwrite files; CVE-2001-1032

Signature name: HTTP_POST_Filename_passwd
Description: Detects an HTTP POST command that references a file name that includes the string */passwd or the string */shadow.
More information: IBM X-Force: passwd file accessed

Signature name: HTTP_POST_Filename_sam
Description: Detects an HTTP POST command that references a file name that includes the string */sam._.
More information: IBM X-Force: Access attempt made to Windows NT SAM (Security Accounts Manager) file or its backup

Signature name: HTTP_PsaPhp_RevealSource
Description: Detects HTTP URLs whose path begins with /~ and references a file name that contains the string *.php.
Known false positives: HTTP requests for URLs detected by this signature are only a risk if the Plesk Server Administrator (PSA) program for Unix and Linux web servers is installed.
More information: IBM X-Force: Plesk Server Administrator (PSA) reveals PHP source code; CVE-2001-1222

Signature name: HTTP_Server_ID
Description: Detects server ID requests and lists any information disclosed as a result of this command.
Note: This security event is categorized as an audit event. It does not necessarily indicate an attack or threat on your network.
More information: IBM X-Force: HTTP server identity audit

Signature name: HTTP_Tunnel_Not_TLS_or_SSL
Description: Detects an HTTP CONNECT request where the tunnelled data does not immediately begin with an SSL or TLS hello exchange. While this signature does not indicate an attack on your network, it does indicate traffic that might be considered suspicious in an environment where HTTP tunnelling is expected only from HTTP proxies to secure web sites.
Known false negatives: Unnaturally fragmented data streams might cause this condition to be missed.
More information: IBM X-Force: HTTP unencrypted CONNECT security bypass

Signature name: HTTP_Unix_Passwords
Description: Detects an HTTP GET request for a passwd or shadow password file.
More information: IBM X-Force: passwd file accessed

Signature name: HTTPS_Proxy_Info_Disclosure
Description: Detects Basic Authentication over a proxy server for HTTPS communications, which might lead to information disclosure.
More information: IBM X-Force: Microsoft Internet Explorer HTTPS proxy authentication information disclosure

Signature name: Tivoli_LCF_File_Read
Description: Detects an HTTP GET request that manipulates the Tivoli® LCF log file parameter, possibly to read files with elevated privileges.
More information: IBM X-Force: IBM Tivoli LCF httpd can be used to remotely access files as root; CVE-2000-1239
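As an added illustration that is not part of this reference, the following Python script approximates a subset of the Table 2 signatures as predicates over the HTTP request line and runs them against constructed sample requests. The predicates are assumptions drawn from the descriptions above, not the product's own matching rules, and the sample request lines are constructed, not captured traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

def _parse(request_line):
    """Split 'METHOD /path?query HTTP/1.x' into (method, raw path, query dict)."""
    method, target, *_ = request_line.split(" ")
    parts = urlsplit(target)  # leaves percent-encoding in the path untouched
    return method, parts.path, parse_qs(parts.query)

def _trailing_incomplete_unicode(path):
    """True when the path ends in a lone %81..%fe byte (lead byte with no trail byte)."""
    m = re.search(r"%([0-9a-fA-F]{2})$", path)
    return bool(m) and 0x81 <= int(m.group(1), 16) <= 0xFE

# Assumed approximations of some Table 2 signatures as predicates over
# (method, path, query); not the IPS product's own matching rules.
SIGNATURES = {
    "HTTP_Apache_ServerInfo": lambda m, p, q: p.endswith("/server-info"),
    "HTTP_Apache_ServerStatus": lambda m, p, q: p.endswith("/server-status"),
    "HTTP_Bash_Shell_History": lambda m, p, q: p.endswith(("/.bash_history", "/.history")),
    "HTTP_ColdFusion_Debug": lambda m, p, q: ".cfm" in p and q.get("mode") == ["debug"],
    "HTTP_IIS_Obtain_Code": lambda m, p, q: m == "GET" and "+.htr" in p,
    "HTTP_IIS_Trailing_Incomplete_Unicode": lambda m, p, q: _trailing_incomplete_unicode(p),
    # .jsp/.jhtml where the case-insensitive match succeeds but the lowercase suffix does not
    "HTTP_JSP_SourceRead": lambda m, p, q: bool(re.search(r"\.(jsp|jhtml)$", p, re.I))
        and not p.endswith((".jsp", ".jhtml")),
    "HTTP_Netware_DirList": lambda m, p, q: m == "get" and p == "/",
    "HTTP_Passwd_Txt": lambda m, p, q: m == "GET" and p.endswith("/passwd.txt"),
    "HTTP_Unix_Passwords": lambda m, p, q: m == "GET" and p.rsplit("/", 1)[-1] in ("passwd", "shadow"),
}

def match_signatures(request_line):
    """Return the names of every signature that fires on one request line."""
    method, path, query = _parse(request_line)
    return [name for name, pred in SIGNATURES.items() if pred(method, path, query)]

# Constructed sample request lines (not captured traffic).
SAMPLE_REQUESTS = [
    "GET /server-status HTTP/1.1",
    "GET /~alice/.bash_history HTTP/1.0",
    "GET /app/index.cfm?mode=debug HTTP/1.1",
    "GET /default.asp+.htr HTTP/1.0",
    "GET /scripts/page.asp%81 HTTP/1.0",
    "GET /shop/Cart.JSP HTTP/1.1",
    "get / HTTP/1.0",
    "GET /index.html HTTP/1.1",
]
if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{line:42} -> {match_signatures(line) or 'no match'}")
```

Each predicate only sees the request line, so the signatures that depend on response content or on HTTP INDEX/CONNECT/TRACK handling are deliberately left out.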