Rule: -- Sid: 2000 -- Summary: This event is generated when a remote user attempts to access readmsg.php on a web server. This may indicate an attempt to exploit a directory traversal vulnerability in the WebMail application on Sun Microsystems' Cobalt Qube 3.0 server appliance. -- Impact: Information gathering. -- Detailed Information: This event may indicate an attempt to exploit a vulnerability in the WebMail application used by Sun Microsystems' Cobalt Qube 3.0 server appliance. An attacker can use directory traversal techniques when accessing readmsg.php to view hidden files and directories on the web server with the access privileges of the server. -- Affected Systems: Any Cobalt Qube 3.0 server appliance running Cobalt Qube Webmail 2.0.1. -- Attack Scenarios: An attacker can use directory traversal techniques when executing readmsg.php to view directories and files on the Cobalt server. -- Ease of Attack: Simple. Exploits exist. -- False Positives: If a legitimate remote user accesses readmsg.php, this rule may generate an event. -- False Negatives: None known. -- Corrective Action: Upgrade to the newest version of the software. Sun Microsystems has released a patch (Qube3-ml-Security-2.0.1-10626.pkg) that can be downloaded from ftp://ftp.cobalt.com/. -- Contributors: Sourcefire Research Team Brian Caswell <bmc@sourcefire.com> Sourcefire Technical Publications Team Jen Harvey <jennifer.harvey@sourcefire.com> -- Additional References: Bugtraq http://www.securityfocus.com/bid/2987 CVE http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CAN-2001-1408 Nessus http://cgi.nessus.org/plugins/dump.php3?id=11073 --