Rule:  
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC webdav propfind access"; content:"<a\:propfind"; nocase; content:"xmlns\:a=\"DAV\">"; nocase; flags: A+; reference:cve,CVE-2000-0869; classtype:web-application-activity; sid:1079; rev:3;)
--

Sid:
1079

--

Summary:
Someone attempted the PROPFIND WebDAV request method on a web server.

--
Impact:
An attacker can get a directory listing for all directories configured
to support WebDAV in an Apache web server.  This could by a prelude to
a more serious attack.

--
Detailed Information:
WebDAV is a web publishing protocol implemented by several web servers,
including Apache.  Certain configurations of Apache, such as those in
SuSE 6.0-7.0 and RedHat 6.2-7.0, have WebDAV enabled and misconfigured
in such a way to allow directory listings of the entire server file
structure.

--
Attack Scenarios:
Attacker gets a listing by sending something like:
PROPFIND / HTTP/1.1

--
Ease of Attack:
Requires that the attacker hand-craft an HTTP request.

--
False Positives:
Legitimate web publishers may find use for PROPFIND commands.

--
False Negatives:

--
Corrective Action:
Examine the packet to determine whether this was likely an attack or not.
Try to determine whether this was from a legitimate web publisher or not.
Try to determine whether the target web server was Apache with WebDAV
enabled and misconfigured.

--
Contributors:

--
Additional References:
CVE:  CVE-2000-0869
Bugtraq:  BID 1656
