Exploit Apache 1.1 / NCSA HTTPd 1.5.2 / Netscape Server 1.12/1.1/2.0 - a nph-test-cgi

Exploiter

18 Dec 2022
EDB-ID: 19536
EDB verification: Passed
Author: JOSH RICHARDS
Vulnerability type: DOS
Platform: MULTIPLE
CVE: cve-1999-0045
Publication date: 1996-12-10
Code:
Apache <= 1.1, NCSA httpd <= 1.5.2, Netscape Commerce Server 1.12/Communications Server 1.1/Enterprise Server 2.0 a nph-test-cgi Vulnerability

source: https://www.securityfocus.com/bid/686/info

Description as given by Josh Richards:

A security hole exists in the nph-test-cgi script included in most UNIX based World Wide Web daemon distributions. The nph-* scripts exist to allow 'non-parsed headers' to be sent via the HTTP protocol (this is not the cause of this security problem, though). The problem is that nph-test-cgi, which prints out information on the current web environment (just like 'test-cgi' does) does not enclose its arguments to the 'echo' command inside of quotes....shell escapes are not possible (or at least I have not found them to be--yet) but shell *expansion* is.... This means that _any_ remote user can easily browse your filesystem via the WWW.

This is a bug with the nph-test-cgi script and _not_ the server itself. 

Enter the URL: <http://yourwebserver.com/cgi-bin/nph-test-cgi?*>

Replace <yourwebserver.com> with the hostname of a server running a web
daemon near you.
 
Source: www.exploit-db.com
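
The quoting flaw described in the advisory, reproduced locally next to its fix, as an added example that is not part of the original post or the nph-test-cgi source. The function names, the file names and `sample.cgi` are constructed for illustration, and the echo lines are modeled on the advisory's description rather than copied from the script.

```shell
#!/bin/sh
# Added example. The echo lines are modeled on the page's description of
# nph-test-cgi; file names and the sample script are constructed.

# The bug: $QUERY_STRING is unquoted, so after substitution the shell applies
# field splitting and pathname expansion. A value of '*' becomes file names.
report_unquoted() {
    echo QUERY_STRING = $QUERY_STRING
}

# The fix: inside double quotes the value stays one literal word.
report_quoted() {
    printf '%s\n' "QUERY_STRING = $QUERY_STRING"
}

# Audit heuristic: list echo lines where a $variable appears before any
# double quote. It will miss mixed quoting, so treat hits as a starting point.
find_unquoted_echo() {
    grep -nE '^[[:space:]]*echo[^"]*\$[A-Za-z_]' "$1"
}

# Run both variants in a scratch directory, then audit a constructed script.
demo() {
    scratch=$(mktemp -d) || return 1
    (
        cd "$scratch" || exit 1
        : > notes.txt
        : > passwd.bak
        QUERY_STRING='*'
        report_unquoted    # file names leak into the response
        report_quoted      # literal asterisk
        printf '%s\n' 'echo SERVER_NAME = $SERVER_NAME' \
                      'echo "QUERY_STRING = $QUERY_STRING"' > sample.cgi
        find_unquoted_echo sample.cgi
    )
    rm -rf "$scratch"
}

demo
```

Running `find_unquoted_echo` over the scripts in a server's cgi-bin directory gives a quick list of echo lines to review for the same quoting mistake.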
