Rit Research Labs TinyWeb Server Unauthorized Script Disclosure Vulnerability

Vulnerability ID: 1107975    Type: Input validation
Published: 2004-06-01    Updated: 2005-12-21
CVE: CVE-2004-2636    CNNVD ID: CNNVD-200412-904
Platform: CGI    CVSS score: 5.0
|Sources
https://www.exploit-db.com/exploits/24164
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-904
|Details
Rit Research Labs TinyWeb Server is a small web server. TinyWeb does not correctly restrict access to some of its scripts, and a remote attacker can exploit this to obtain sensitive information. The server applies its access rules to the request URI as received, without validating or canonicalizing it, so a request whose path contains a dot segment (such as '/./cgi-bin/') is not recognized as a CGI request: instead of executing the script in the 'cgi-bin' directory, the server serves its source, which an attacker can download or view directly and which may contain sensitive information (credentials, paths, internal logic).
|Exploit
source: http://www.securityfocus.com/bid/10445/info

TinyWeb Server is affected by an unauthorized script disclosure vulnerability. This issue is due to an input validation error that allows malicious users to bypass standard web server rules.

This issue will allow an attacker to download or view scripts residing in the 'cgi-bin' directory.

This issue is reported to affect TinyWeb 1.92; it is likely that other versions are also vulnerable.

http://www.example.com/./cgi-bin/targetfile
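The request above works because the server's cgi-bin rule is applied to the path as received, so a dot segment ('/./') defeats a literal prefix test and the script falls through to the static file handler. The Python below is an added example, not TinyWeb's code or the advisory's own: it models that vulnerable check next to a hardened one that canonicalizes the path before applying the same rule, and reuses the canonical form as a detection check over access-log lines. The prefix-test model of the server, the percent-decoding and backslash handling, and the log lines are all assumptions; the advisory does not describe TinyWeb's internal logic, and the percent-encoded variant is a generalization of the published '/./' pattern rather than a reported one.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumption (not from the advisory): the server decides "CGI script to
# execute" versus "file to serve" with a literal prefix test on the raw
# request path. Anything that defeats that test falls through to the static
# file handler, which is the symptom the advisory describes.
CGI_PREFIX = "/cgi-bin/"


def naive_is_cgi(raw_path: str) -> bool:
    """Vulnerable model: literal prefix test on the unnormalized path."""
    return raw_path.startswith(CGI_PREFIX)


def normalize_request_path(raw_path: str) -> str:
    """Canonicalize a request path before applying access rules.

    Drops the query string, percent-decodes, treats backslash as a separator
    (assumption: a Windows host, where '\\' reaches the filesystem as one),
    collapses '.' and '..' segments, and squeezes leading slashes.
    """
    path = raw_path.split("?", 1)[0]
    path = unquote(path)
    path = path.replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    path = posixpath.normpath(path)   # '/./cgi-bin/x' -> '/cgi-bin/x'
    return "/" + path.lstrip("/")     # '//cgi-bin/x'  -> '/cgi-bin/x'


def hardened_is_cgi(raw_path: str) -> bool:
    """Fixed model: the same prefix test, but on the canonical path."""
    return normalize_request_path(raw_path).startswith(CGI_PREFIX)


def is_cgi_bypass(raw_path: str) -> bool:
    """True when raw and canonical forms disagree about cgi-bin, i.e. a
    request the vulnerable rule would hand to the static file handler."""
    return hardened_is_cgi(raw_path) and not naive_is_cgi(raw_path)


# Constructed Common Log Format lines for the detection check; line 2 is the
# advisory's '/./cgi-bin/' pattern, line 4 a percent-encoded variant of it.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jun/2004:10:00:00 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 200 512',
    '192.0.2.10 - - [01/Jun/2004:10:00:01 +0000] "GET /./cgi-bin/test.cgi HTTP/1.0" 200 1843',
    '192.0.2.10 - - [01/Jun/2004:10:00:02 +0000] "GET /index.html HTTP/1.0" 200 2048',
    '192.0.2.11 - - [01/Jun/2004:10:00:03 +0000] "GET /%2e/cgi-bin/test.cgi HTTP/1.0" 200 1843',
]

_REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/\d\.\d"')


def scan_access_log(lines):
    """Return (line_number, raw_path) for requests that reach cgi-bin only
    after canonicalization: candidate source-disclosure attempts."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = _REQUEST_RE.search(line)
        if m and is_cgi_bypass(m.group(1)):
            hits.append((lineno, m.group(1)))
    return hits


if __name__ == "__main__":
    for raw in ("/cgi-bin/test.cgi", "/./cgi-bin/test.cgi", "/%2e/cgi-bin/test.cgi"):
        print(f"{raw:28} naive={naive_is_cgi(raw)!s:5} hardened={hardened_is_cgi(raw)}")
    for lineno, raw in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: suspicious request {raw}")
```

The fix is the ordering, not the rule: canonicalize first, then decide. A response size for a cgi-bin request that is larger than the script's normal output (line 2 versus line 1 above) is a useful secondary signal that the source, not the output, was returned.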
|References

Source: XF
Name: tinyweb-get-download-scripts(16275)
Link: http://xforce.iss.net/xforce/xfdb/16275
Source: BID
Name: 10445
Link: http://www.securityfocus.com/bid/10445/info
Source: OSVDB
Name: 6517
Link: http://www.osvdb.org/6517
Source: SECTRACK
Name: 1010346
Link: http://securitytracker.com/alerts/2004/May/1010346.html
Source: SECUNIA
Name: 11731
Link: http://secunia.com/advisories/11731
Source: NSFOCUS
Name: 6520
Link: http://www.nsfocus.net/vulndb/6520