Rule:

--
Sid:
2128

--
Summary:
This event is generated when an attempt is made to access srsrv.cgi on a
web server. This may indicate an attempt to exploit a cross-site 
scripting vulnerability that affects Neoteris Instant Virtual Extranet, 
an appliance-based VPN solution.

--
Impact:
Arbitrary code execution, possible session hijack.

--
Detailed Information:
This event indicates that an attempt has been made to exploit a 
cross-site scripting vulnerability in Neoteris Instant Virtual Extranet.
An attacker can pass an argument to srsrv.cgi that bypasses 
authentication, and can allow the attacker to hijack a legitimate user's
VPN session. 

--
Affected Systems:
Neoteris Instant Virtual Extranet 3.01 and earlier.

--
Attack Scenarios:
An attacker can pass a specific argument to srsrv.cgi that bypasses 
authentication and can hijack a legitimate user's VPN session.

--
Ease of Attack:
Simple. 

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Apply the patch provided by Neoteris (https://support.neoteris.com).

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>
Sourcefire Technical Publications Team

--
Additional References:

Bugtraq
http://www.securityfocus.com/bid/7510

CVE
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0217

Nessus
http://cgi.nessus.org/plugins/dump.php3?id=11608

--
