Symantec™ Security Gateways Reference Guide - Sawmill

352 IDS eventsIntrusion attemptsWARFtpd Literal ExploitBase Event:Details:Response:Affected:FTP_WARFTPD_MACROSWarFTPd ships with various macros to assist in setting up complex FTP sites.It is possible to remotely call these macros, some of which are used to compromise the server. Someof these macros provide server and operating system information. They can also be used to revealthe file contents in error messages, including the configuration files for WarFTP, which can alsoinclude plaintext administrator passwords.The extent of the vulnerability differs between versions of WarFTPd:Version 1.67b2, and prior:Authenticated users can gain access to the restricted files.Version 1.70:Remote attackers can gain access to any file on the system, as well as run any system commandwith administrative privileges, if an ODBC driver is installed. This is done without being logged onto the FTP server.Patches have been provided for both v1.70 and v1.67b2 or older, available at:http://war.jgaa.com/alert/and:ftp://ftp.no.jgaa.com/Jgaa WarFTPd 1.67b2 and priorJgaa WarFTPd 1.70bFalse Positives: None known.References: Security Focus BID: 919CVE-2000-0044Jgaa Support SiteSECURITY ALERT - WARFTP DAEMON ALL VERSIONSWarFTP HomepageWebcom Guestbook AccessBase Event:Details:Response:HTTP_URL_SIG12An attempt to access the webcom guestbook CGI file was detected. There is a known vulnerabilityin this freeware guestbook CGI. Exploits make requests to either rguest.exe or wguest.exe on theWeb server to gain access to files the Web server can access.Location and audit of client and server is recommended. If you intend to use these CGIs you shouldcontact the vendor for any applicable updates.Affected: WebCom datakommunikation Guestbook 0.1.False Positives: None known.References:CVE-1999-0467Bugtraq #2024HTTP Specifications