CVE-2001-0731
CVSS5.0
发布时间 :2001-10-01 00:00:00
修订时间 :2008-09-05 16:24:47
NMCOE    

[原文]Apache 1.3.20 with Multiviews enabled allows remote attackers to view directory contents and bypass the index page via a URL containing the "M=D" query string.


[CNNVD]Apache Autoindexing模块可能导致泄漏目录列表(CNNVD-200110-003)

        CVE(CAN) ID: CVE-2001-0731
        
        
        
        Apache的AutoIndex(自动索引)模块会自动对目录进行索引。
        
        
        
        如果该目录下存在index.html文件,那么自动索引将显示index.html的内容。
        
        然而,这个模块存在一个可能的问题,如果提交某些特殊命令,可能会泄漏目录
        
        列表,不管index.html文件是否存在。
        
        
        
        问题出在/src/modules/standard/mod_autoindex.c :
        
        
        
        #define K_NAME 'N' /* Sort by file name (default) */
        
        #define K_LAST_MOD 'M' /* Last modification date */
        
        #define K_SIZE 'S' /* Size (absolute, not as displayed) */
        
        #define K_DESC 'D' /* Description */
        
        
        
        #define D_ASCENDING 'A'
        
        #define D_DESCENDING 'D'
        
        
        
        

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0731
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0731
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200110-003
(官方数据源) CNNVD

- 其它链接及资源

http://www.apacheweek.com/issues/01-10-05#security
(PATCH)  CONFIRM  http://www.apacheweek.com/issues/01-10-05#security
http://xforce.iss.net/xforce/xfdb/8275
(UNKNOWN)  XF  apache-multiviews-directory-listing(8275)
http://www.securityfocus.com/bid/3009
(UNKNOWN)  BID  3009
http://www.securityfocus.com/archive/1/20010709214744.A28765@brasscannon.net
(UNKNOWN)  BUGTRAQ  20010709 How Google indexed a file with no external link
http://www.redhat.com/support/errata/RHSA-2001-164.html
(UNKNOWN)  REDHAT  RHSA-2001:164
http://www.redhat.com/support/errata/RHSA-2001-126.html
(UNKNOWN)  REDHAT  RHSA-2001:126
http://frontal2.mandriva.com/security/advisories?name=MDKSA-2001:077
(UNKNOWN)  MANDRAKE  MDKSA-2001:077
ftp://patches.sgi.com/support/free/security/advisories/20020301-01-P
(UNKNOWN)  SGI  20020301-01-P

- 漏洞信息

Apache Autoindexing模块可能导致泄漏目录列表
中危 其他
2001-10-01 00:00:00 2005-10-12 00:00:00
远程  
        CVE(CAN) ID: CVE-2001-0731
        
        
        
        Apache的AutoIndex(自动索引)模块会自动对目录进行索引。
        
        
        
        如果该目录下存在index.html文件,那么自动索引将显示index.html的内容。
        
        然而,这个模块存在一个可能的问题,如果提交某些特殊命令,可能会泄漏目录
        
        列表,不管index.html文件是否存在。
        
        
        
        问题出在/src/modules/standard/mod_autoindex.c :
        
        
        
        #define K_NAME 'N' /* Sort by file name (default) */
        
        #define K_LAST_MOD 'M' /* Last modification date */
        
        #define K_SIZE 'S' /* Size (absolute, not as displayed) */
        
        #define K_DESC 'D' /* Description */
        
        
        
        #define D_ASCENDING 'A'
        
        #define D_DESCENDING 'D'
        
        
        
        

- 公告与补丁

        
        
        解决方法:
        
        
        
        建议您在httpd.conf中关闭"Index"选项。
        

- 漏洞信息 (21002)

Apache 1.3 Possible Directory Index Disclosure Vulnerability (EDBID:21002)
multiple remote
2001-07-10 Verified
0 Kevin
N/A [点击下载]
source: http://www.securityfocus.com/bid/3009/info

A possible vulnerability exists in Apache that could cause directory contents to be disclosed when directory indexing is enabled, despite the presence of an 'index.html' file.

The problem is likely the result of an error in "multiview" functionality provided as part of Apache's content negotiation support. Exploitation of this problem may lead to the dislosure of sensitive information to attackers. 

http://target-webserver/?M=A
http://target-webserver/?S=D 		

- 漏洞信息

582
Apache HTTP Server Multiviews Feature Arbitrary Directory Listing
Remote / Network Access Information Disclosure
Loss of Confidentiality
Exploit Public Vendor Verified

- 漏洞描述

- 时间线

2001-07-29 Unknow
2001-07-29 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站