Rule:  
--

Sid:
1079

--

Summary:
Someone attempted the PROPFIND WebDAV request method on a web server.

--
Impact:
An attacker can get a directory listing for all directories configured
to support WebDAV in an Apache web server.  This could by a prelude to
a more serious attack.

--
Detailed Information:
WebDAV is a web publishing protocol implemented by several web servers,
including Apache.  Certain configurations of Apache, such as those in
SuSE 6.0-7.0 and RedHat 6.2-7.0, have WebDAV enabled and misconfigured
in such a way to allow directory listings of the entire server file
structure.

--
Affected Systems:
 
--
Attack Scenarios:
Attacker gets a listing by sending something like:
PROPFIND / HTTP/1.1

--
Ease of Attack:
Requires that the attacker hand-craft an HTTP request.

--
False Positives:
None Known
Legitimate web publishers may find use for PROPFIND commands.

--
False Negatives:
None Known

--
Corrective Action:
Examine the packet to determine whether this was likely an attack or not.
Try to determine whether this was from a legitimate web publisher or not.
Try to determine whether the target web server was Apache with WebDAV
enabled and misconfigured.

--
Contributors:
Original rule writer unknown
Original document author unkown
Sourcefire Vulnerability Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:
CVE:  CVE-2000-0869
Bugtraq:  BID 1656
