Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
| GEN:SID | 1:1527 |
| Message | WEB-MISC basilix mysql.class access |
| Summary | This event is generated when an attempt is made to exploit a known vulnerability in the Basilix webmail PHP script. An attacker can access the mysql.class file to obtain the MySQL login and use it for further attacks. |
| Impact | Serious. Password disclosure, which can lead to further system compromise. The attacker may be able to authenticate directly to a MySQL database. Many Sun Cobalt Linux servers use Basilix webmail. |
| Detailed Information | A web server usually sends files in the webroot to an anonymous user without further processing. PHP scripts often include files (which contain configuration variables, functions, etc.) that are stored with a suffix that does not prevent the web server from sending them in clear text. The ".class" suffix is not usually explicitly denied in a standard web server configuration, so the file "mysql.class" may be sent to the attacker. |
| Affected Systems | |
| Attack Scenarios | An attacker retrieves mysql.class, which contains database login credentials. The attacker can then connect to the database server using the login provided by the mysql.class file and modify the database. |
| Ease of Attack | Simple |
| Corrective Action | Update the Basilix script (www.basilix.org). Check files that contain PHP code for a suffix that might be rendered in plaintext by the web server. Workaround: register .class the same way that the extensions .php, .php3 or .php4 are registered in the web server configuration file. Note: .class is usually used by Java applets. |
| Additional References | |
| Rule References | bugtraq: 2198 cve: 2001-1044 nessus: 10601 |
--
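One way to carry out the "check files which contain PHP code" step from the Corrective Action row, as an added example that is not part of the original rule documentation. The names find_exposed_php, build_sample_webroot and HANDLED are hypothetical, the handled-extension set is an assumption to be matched to the real server configuration, and the sample tree is constructed rather than the real Basilix layout.

```python
import os
import re
import tempfile

# Assumption: extensions the web server hands to the PHP interpreter.
HANDLED = {".php", ".php3", ".php4"}
# PHP open tags: "<?php", "<?=" or short "<?" plus whitespace (skips "<?xml").
PHP_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)

def find_exposed_php(webroot, handled=HANDLED, max_bytes=65536):
    """Return sorted relative paths of files that contain PHP code but whose
    suffix is not handled by the interpreter, so a direct request would
    return their source (and any credentials) as plain text."""
    exposed = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in handled:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            if PHP_TAG.search(head):
                exposed.append(os.path.relpath(path, webroot))
    return sorted(exposed)

def build_sample_webroot(root):
    """Write a constructed sample tree (not the real Basilix layout)."""
    samples = {
        "index.php": b"<?php include('class/mysql.class'); ?>",
        "class/mysql.class": b"<?php $db_user = 'EXAMPLE'; $db_pass = 'EXAMPLE'; ?>",
        "inc/header.inc": b"<? echo 'header'; ?>",
        "static/feed.xml": b"<?xml version='1.0'?><rss/>",
        "Applet.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34",  # Java class magic
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_webroot(root)
        for rel in find_exposed_php(root):
            print("served as plain text:", rel)
```

Files the audit reports should be renamed to a handled suffix, moved out of the webroot, or have their suffix registered with the interpreter as the workaround describes.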