Rule:--Sid:2405--Summary:This event is generated when an attempt is made to access the file "phptest.php".BadBlue Personal Edition 2.4 servers could disclose confidentialinformation on the software configuration towards an attacker.--Impact:Information gathering.This signature is usually indicative of a reconaissance probe.Succesful exploitation would provide the originator of the attack with theinstallation path of the software.--Detailed Information:Web servers running BadBlue Personal Edition 2.4, apersonal file sharing server, are vulnerable to a path disclosure attack.When a client requests the phptest.php file from such a server, the sourceof the HTTP reply page contains the installation path of the software.This path can be used as information for further attacks.--Affected Systems:	BadBlue Personal Edition 2.4--Attack Scenarios:During the reconaissance phase, an attacker could obtain the installation path of the BadBlue server.  This can become valuable information during the later execution of directory traversal or buffer overflow attacks.--Ease of Attack:Simple.--False Positives:While not a true false positive, many PHP installation howtos advise the creation of a small file "phptest.php" which contains a call for the phpinfo() function.  When this file is accessed legitimately bysomeone testing a fresh install, this signature will also trigger.NOTE: The amount of information provided (installation directory, version numbers, environment variables), could also constitute a vulnerability if this file is present on a production web server.--False Negatives:None known.--Corrective Action:Ensure the system is using an up to date version of the software and hashad all vendor supplied patches applied.--Contributors:Snort documentation contributed by Maarten Van Horenbeeck <maarten@daemon.be>Sourcefire Research TeamBrian Caswell <bmc@sourcefire.com>Nigel Houghton <nigel.houghton@sourcefire.com>--Additional References:--