Internet Information Server 5.0 discloses script source (HTTP_Translate_F_SourceRead)

About this signature or vulnerability

Proventia Network IPS, RealSecure Desktop Protector 3.6, Proventia Server IPS for Linux technology, Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Desktop, Proventia Network IDS, Proventia-G 1.1 and earlier, BlackICE Agent for Server, BlackICE Server Protection, BlackICE PC Protection, RealSecure Network, RealSecure Server Sensor, Virtual Server Protection for Vmware:

This signature triggers when a URL ends with a slash and the GET request includes a "Translate: f" header.
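
The trigger condition above, expressed as a check over raw HTTP requests. This is an added example, not the vendor's signature code; the sample requests and the host name `www.example.test` are constructed, and percent-decoding the path before the trailing-slash test is an assumption beyond the signature text.

```python
from urllib.parse import unquote, urlsplit


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, target, [(header, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2:
        raise ValueError("malformed request line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            # Header names are case-insensitive; keep duplicates as separate entries.
            headers.append((name.strip().lower(), value.strip()))
    return parts[0], parts[1], headers


def matches_translate_f(raw: bytes) -> bool:
    """True when a GET request's URL path ends with a slash and carries "Translate: f"."""
    try:
        method, target, headers = parse_request(raw)
    except ValueError:
        return False
    if method.upper() != "GET":
        return False
    # Drop the query string, then decode %xx so an encoded slash is still seen (assumption).
    path = unquote(urlsplit(target).path)
    if not path.endswith("/"):
        return False
    return any(name == "translate" and value.lower() == "f" for name, value in headers)


# Constructed sample requests (not captured traffic).
HOST = b"Host: www.example.test\r\n"
SAMPLES = {
    "slash+header": b"GET /default.asp/ HTTP/1.1\r\n" + HOST + b"Translate: f\r\n\r\n",
    "mixed-case": b"GET /shop/cart.asp%2f?id=1 HTTP/1.1\r\n" + HOST + b"tRaNsLaTe:F\r\n\r\n",
    "no-header": b"GET /default.asp/ HTTP/1.1\r\n" + HOST + b"\r\n",
    "no-slash": b"GET /default.asp HTTP/1.1\r\n" + HOST + b"Translate: f\r\n\r\n",
    "translate-t": b"GET /default.asp/ HTTP/1.1\r\n" + HOST + b"Translate: t\r\n\r\n",
    "not-get": b"POST /default.asp/ HTTP/1.1\r\n" + HOST + b"Translate: f\r\n\r\n",
}


def flagged(samples=SAMPLES):
    """Return the labels of the samples that match the signature condition."""
    return sorted(label for label, raw in samples.items() if matches_translate_f(raw))


if __name__ == "__main__":
    print(flagged())
```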


Default risk level

High

Sensors that have this signature

Proventia Network IPS: 2.0, RealSecure Desktop Protector 3.6: baseline, RealSecure Desktop: baseline, Proventia Server IPS for Linux technology: 1.0, Proventia Network MFS: 1.0, IBM Security Server Protection for Windows: 1.0.914.0, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Desktop: 8.0.614.1, Proventia Network IDS: XPU 20.14, Proventia-G 1.1 and earlier: G Series, BlackICE Agent for Server: 3.6eof, BlackICE Server Protection: 3.6.cpa, BlackICE PC Protection: 3.6cpa, RealSecure Network: XPU 20.14, RealSecure Server Sensor: XPU 20.16, Virtual Server Protection for Vmware: 1.0

Systems affected

Microsoft Internet Information Server: 5.0

Type

Suspicious Activity

Vulnerability description

Microsoft Internet Information Server (IIS) 5.0, which ships with Windows 2000, could reveal the source code of server-side scripts, such as Active Server Pages (.ASP files). A remote attacker can send a file request that contains a specialized header (Translate: f) and one of several particular characters at the end of the URL, causing the Web server to return the source code of the file to the attacker instead of the script's output.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS00-058. See References.

— OR —

Apply the latest Windows 2000 Service Pack (SP1 or later), available from the Microsoft Windows 2000 Downloads Web site. See References.

References

Microsoft Security Bulletin MS00-058
Patch Available for 'Specialized Header' Vulnerability
http://www.microsoft.com/technet/security/bulletin/ms00-058.mspx

Microsoft Corporation Web site
Windows 2000 Downloads
http://www.microsoft.com/windows2000/downloads/

Microsoft Knowledge Base Article 256888
Internet Information Service may Return Source of Active Server Pages File
http://support.microsoft.com/default.aspx?scid=kb;[LN];256888

CIAC Information Bulletin K-068
Automated Web Interface Scans IIS for Multiple Vulnerabilities
http://www.ciac.org/ciac/bulletins/k-068.shtml

CIAC Information Bulletin K-065
Microsoft "Specialized Header" Vulnerability
http://www.ciac.org/ciac/bulletins/k-065.shtml

ISS X-Force
Internet Information Server 5.0 discloses script source
http://www.iss.net/security_center/static/5095.php

CVE
CVE-2000-0778
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0778