Rule:

--
Sid:
806

--
Summary:
This event is generated when an attempt is made to access a file outside the root directory of a webserver running YaBB.cgi.

--
Impact:
Information disclosure.

--
Detailed Information:
YaBB.cgi is widely used web-based BBS script. Due to input validation problems in YaBB, a remote attacker can traverse the directory structure and view any files and view any file that a webserver has access to.

This event indicates that a remote attacker has attempted to view a file outside the webservers root directory.

--
Affected Systems:
YaBB YaBB 9.1.2000

--
Attack Scenarios:
An attacker issues the following command on port 80 of the webserver:

GET http://target/cgi-bin/YaBB.pl?board=news&action=display&num=../../../../../../../../etc/passwd%00 HTTP/1.0

--
Ease of Attack:
Simple. No exploit software required.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Update to the latest non-affected version of the software.

--
Contributors:
Original Rule Writer Unknown
Snort documentation contributed by Nawapong Nakjang (tony@ksc.net, tonie@thai.com)
Sourcefire Vulnerability Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:


--
