Snort Lets Remote Users Bypass 'uricontent' Rules
SecurityTracker Alert ID: 1016191
SecurityTracker URL: http://securitytracker.com/id?1016191
CVE Reference: CVE-2006-2769
OSVDB Reference: 25837
Updated: Jun 6 2006
Original Entry Date: May 31 2006
Impact: Host/resource access via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 2.4.4 and prior versions
Description: A vulnerability was reported in Snort. A remote user can bypass 'uricontent' rules to evade detection.
A remote user can send a specially crafted URL that is appended with a carriage return (directly before the HTTP protocol declaration) to bypass detection of "uricontent" rules.
Thousands of rules in the standard Snort base rule sets are affected.
This vulnerability is being actively exploited.
Blake Hartstein of the Demarc Threat Research Team discovered this vulnerability.
The original advisory is available at: http://www.demarc.com/support/downloads/patch_20060531
Impact: A remote user can bypass 'uricontent' rules to evade detection.
Solution: The vendor has issued fixed versions (2.4.5 and 2.6.0).
Vendor URL: www.snort.org/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Message History:
None.
Source Message Contents
Date: Wed, 31 May 2006 16:21:22 -0400
Subject: Snort Bypass Vulnerability
http://www.demarc.com/support/downloads/patch_20060531
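
A defensive check for the request-line shape the description refers to, as an added example (not part of this entry, the Demarc advisory, or Snort's code): it flags any carriage return left inside an HTTP request line, which is broader than the single case described, and still recovers the URI so content matching can be applied to it. The function names and sample requests are constructed for illustration.

```python
import re

VERSION = re.compile(rb"HTTP/\d+\.\d+")
# Method, target, optional version. CR is accepted as a separator here so the
# target is still recovered from a malformed line (a choice of this sketch).
REQUEST = re.compile(
    rb"([A-Za-z]+)[ \t]+([^ \t\r]+)(?:[ \t\r]+(HTTP/\d+\.\d+))?[ \t\r]*")

def request_line(raw: bytes) -> bytes:
    """First line of a raw request, without its CRLF (or bare LF) terminator."""
    end = raw.find(b"\n")
    line = raw if end == -1 else raw[:end]
    return line[:-1] if line.endswith(b"\r") else line

def inspect_request_line(raw: bytes):
    """Return (offset, kind) for every CR left inside the request line."""
    line = request_line(raw)
    findings = []
    for offset, byte in enumerate(line):
        if byte != 0x0D:
            continue
        # What follows the CR decides whether this is the advisory's shape.
        rest = line[offset + 1:].lstrip(b" \t")
        kind = ("cr-before-http-version" if VERSION.fullmatch(rest)
                else "cr-in-request-line")
        findings.append((offset, kind))
    return findings

def uri_for_matching(raw: bytes):
    """Request target to hand to URI content matching, or None if unparseable."""
    m = REQUEST.fullmatch(request_line(raw))
    return m.group(2) if m else None

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "clean": b"GET /index.html HTTP/1.1\r\nHost: sensor.example\r\n\r\n",
    "cr-before-version": b"GET /cgi-bin/test.cgi\r HTTP/1.0\r\n\r\n",
    "cr-inside-target": b"GET /a\rb HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect_request_line(raw), uri_for_matching(raw))
```

A request that produces any finding is worth alerting on by itself, independent of whether a URI rule also matches.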