Rule:  
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI wwwboard passwd access"; flags: A+; uricontent: "/wwwboard/passwd.txt"; nocase;reference:arachnids,463; classtype:attempted-recon; sid:807; rev:1;)
--

Sid:
807

--

Summary:
The client attempted to download the wwwboard password file

--
Impact:
An attacker could crack the encrypted password and gain access to the wwwboard
administrator account

--
Detailed Information:
Releases of WWWBoard (Matt Wright's CGI webboard application) before
version 2.0 Alpha 2.1 by default place the encrypted password for the
web application's administrator in a file called "passwd.txt" accessible
from the web root.

--
Attack Scenarios:
Attacker downloads the passwd.txt file and then launches a password
cracker to brute force the password (the password is encypted via
crypt(3), and password crackers for this format are ubiquitous).  If
the password is successfully cracked (due to weak passwords or
significant cracking resources), the attacker will have administrative
access to the wwwboard web application.

--
Ease of Attack:
Requires that the attacker be familiar with the operation of password
crackers, which are commonly available.

--
False Positives:

--
False Negatives:

--
Corrective Action:
Inspect packet to insure that it was an attempt to download the
password file and not just a webpage discussing WWWBoard.
Insure that local installations of WWWBoard are current and properly
configured to not save the password file into a publically-accessible
area.

--
Contributors:

--
Additional References:
CVE:  CVE-1999-0953
Bugtraq:  BID 649
Arachnids:  463
