Under certain versions of Internet Security Systems RealSecure Network Intrusion Detection Software (NIDS) it is possible to launch CGI attacks against webservers without the NIDS detecting the attacks as it should.

This is possible by way of intruders using the Whisker scanner, a tool designed to scan and exploit web based CGI vulnerabilities by using techniques which are designed to subvert signature based NID's.

The methods which Whisker utilizes are too detailed for this vulnerability entry to cover. As such we have included a URL in the 'Credit' section of this vulnerability which points to the Whisker home page.

The following explanation is provided by Stephane Aubert <Stephane.Aubert@hsc.fr> the author of this discovery from his original Bugtraq posting.

"Stealth scans can be done using Whisker v1.3.0a and via the HEAD method. It is also possible to use the GET method (-M 2), in that case you must use an evading mode (0, 6 or both) to avoid detection. "

Examples:
./whisker.pl -h xxx.yyy.zzz.ttt -I 1246
./whisker.pl -h xxx.yyy.zzz.ttt -I 0 -M 2
./whisker.pl -h xxx.yyy.zzz.ttt -I 6 -M 2
./whisker.pl -h xxx.yyy.zzz.ttt -I 60 -M 2

Please see the 'Credit' section of this entry for more detailed information.