NCSA/Apache httpd ScriptAlias Remote Script Source Disclosure Vulnerability

Vulnerability ID: 1105551    Vulnerability type: Unknown
Published: 1999-09-25    Updated: 2007-02-08
CVE ID: CVE-1999-0236    CNNVD-ID: CNNVD-199701-019
Platform: Multiple    CVSS score: 10.0
|Vulnerability source
https://www.exploit-db.com/exploits/20595
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199701-019
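|Vulnerability details
The ScriptAlias feature in NCSA httpd 1.5 and earlier and in Apache Web Server versions before 1.0 contains a vulnerability. If a ScriptAlias directory is defined under DocumentRoot, a remote attacker can view the source code of CGI programs on the web server. If indexing is enabled, using multiple slashes in the URL can also list the contents of the CGI-BIN directory. A remote attacker can use this vulnerability to read the scripts' code, and further auditing of those scripts may reveal more vulnerabilities.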
|Exploit
source: http://www.securityfocus.com/bid/2300/info

NCSA httpd prior to and including 1.5 and Apache Web Server prior to 1.0 contain a bug in the ScriptAlias function that allows remote users to view the source of CGI programs on the web server if a ScriptAlias directory is defined under DocumentRoot. If indexing is turned on, a full listing of the CGI-BIN directory can be obtained as well. This is accomplished by adding multiple forward slashes in the URL (see exploit). When this syntax is used, the web server fails to recognize that a ScriptAlias directory is actually redirected to a CGI directory, and returns the text of the script instead of executing it. This may allow an attacker to audit scripts for vulnerabilities, retrieve proprietary information, etc.

To retrieve the contents of http://targethost/cgi-bin/script.cgi an attacker would use the following URL, provided the directory cgi-bin is redirected using ScriptAlias:
http://targethost///cgi-bin/script.cgi
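
A defender-side check for the condition described above, added here as an example and not taken from the advisory or from either server project: it audits configuration text for ScriptAlias directories located under DocumentRoot and flags logged requests whose repeated slashes collapse to a ScriptAlias prefix. The function names, sample paths and log lines are constructed; only the `DocumentRoot` and `ScriptAlias` directive names come from the servers themselves.

```python
import posixpath
import re

# Constructed sample configuration: the second ScriptAlias target sits under
# DocumentRoot, which is the precondition the advisory names.
SAMPLE_CONF = """\
DocumentRoot /usr/local/etc/httpd/htdocs
ScriptAlias /cgi-bin/ /usr/local/etc/httpd/cgi-bin/
ScriptAlias /apps/ /usr/local/etc/httpd/htdocs/apps/
"""

# Constructed access-log lines in Common Log Format.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/1997:10:00:00 +0000] "GET /cgi-bin/script.cgi HTTP/1.0" 200 512
192.0.2.11 - - [01/Jan/1997:10:00:05 +0000] "GET ///apps/script.cgi HTTP/1.0" 200 2048
192.0.2.12 - - [01/Jan/1997:10:00:09 +0000] "GET /docs//index.html HTTP/1.0" 200 1024
"""

def parse_conf(text):
    """Return (document_root, {url_prefix: filesystem_dir}) from config text."""
    root, aliases = None, {}
    for line in text.splitlines():
        # Drop comments, split on whitespace, strip optional quoting.
        parts = [p.strip('"') for p in line.split("#", 1)[0].split()]
        if len(parts) == 2 and parts[0].lower() == "documentroot":
            root = posixpath.normpath(parts[1])
        elif len(parts) == 3 and parts[0].lower() == "scriptalias":
            aliases[parts[1]] = posixpath.normpath(parts[2])
    return root, aliases

def aliases_under_docroot(root, aliases):
    """URL prefixes whose script directory is also reachable via DocumentRoot."""
    return sorted(p for p, d in aliases.items()
                  if d == root or d.startswith(root + "/"))

def suspicious_requests(log_text, aliases):
    """Request paths containing repeated slashes that collapse to a ScriptAlias prefix."""
    hits = []
    for m in re.finditer(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"', log_text):
        raw = m.group(1).split("?", 1)[0]
        collapsed = re.sub(r"/{2,}", "/", raw)  # what a strict prefix match never sees
        if raw != collapsed and any(collapsed.startswith(p) for p in aliases):
            hits.append(raw)
    return hits
```

A ScriptAlias prefix reported by `aliases_under_docroot` is the one to move outside DocumentRoot; a hit from `suspicious_requests` with a response size close to the script's file size suggests the source was returned instead of executed.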
|References
Vulnerable software and versions (Configuration 1, OR):
* cpe:/a:apache:http_server
* cpe:/a:ncsa:servers
CVE Standard Vulnerability Entry: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0236