Rule:  
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI wayboard attempt"; uricontent:"/way-board/way-board.cgi"; content:"db="; content:"../.."; nocase; flags:A+; reference:bugtraq,2370; reference:cve,CAN-2001-0214; classtype:web-application-attack; sid:1397; rev:1;)
--

Sid:
1397

--

Summary:
Someone may have attempted to exploit a vulnerable in the CGI program
way-board.cgi to read arbitrary files.

--
Impact:
An attacker could have viewed sensitive documents and system files.  This
could be a precursor to a future attack.

--
Detailed Information:
Way-board is a Korean webboard web application.  It contains a vulnerability
that can allow an attacker to view the contents of any file on the system
accessible to the web user.

--
Attack Scenarios:
Attacker sends a simple URL like the following:
http://www.victim.com/way-board/way-board.cgi?db=url_to_any_file%00

--
Ease of Attack:
Very simple handcrafted URL.

--
False Positives:

--
False Negatives:

--
Corrective Action:
Examine the packet to see if a web request against way-board.cgi was
being done.  Try to
determine what the requested file was, and determine
from the web server's configuration whether it was a threat or not
(i.e., whether the webserver had way-board.cgi on it).

--
Contributors:

--
Additional References:
Bugtraq:  BID 2370
CVE:  CAN-2001-0214
