Published: 2006-04-03 13:04:00
Revised: 2017-07-19 21:30:44

[Original text] AN HTTPD 1.42n, and possibly other versions before 1.42p, allows remote attackers to obtain source code of scripts via crafted requests with (1) dot and (2) space characters in the file extension.

[CNNVD] AN HTTPD script source disclosure vulnerability (CNNVD-200604-013)

        AN HTTPD Server is a web server program for the Windows 95/98/Me/NT/2000/XP platforms.
        AN HTTPD has a flaw in how it validates the file-name extension supplied in a user's URL: an attacker can retrieve the source code of script files (such as PL, CGI and BAT) from the server by sending a crafted request containing comma and space characters (the MITRE summary above specifies dot and space characters).
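To show the flaw class described above from the defender's side, the following Python is an added example and not AN HTTPD's code: a naive dispatcher that picks its handler from the raw extension in the request, the hardened version that first rejects any name the Windows filesystem would rewrite (trailing dots and spaces in a path component are discarded when the file is opened), and an access-log check that flags request paths carrying such trailing characters. The handler table, function names and log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Assumed handler table: these extensions must be executed, never served as text.
SCRIPT_EXTENSIONS = {".cgi", ".pl", ".bat"}

# Constructed access-log lines (not taken from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Apr/2006:13:04:00 +0900] "GET /cgi-bin/test.cgi HTTP/1.0" 200 512',
    '10.0.0.5 - - [03/Apr/2006:13:04:01 +0900] "GET /cgi-bin/test.cgi. HTTP/1.0" 200 2048',
    '10.0.0.5 - - [03/Apr/2006:13:04:02 +0900] "GET /cgi-bin/test.cgi%20 HTTP/1.0" 200 2048',
    '10.0.0.5 - - [03/Apr/2006:13:04:03 +0900] "GET /index.html?x=1 HTTP/1.0" 200 300',
]


def last_component(path):
    """Final segment of a request path such as '/cgi-bin/test.cgi'."""
    return path.rsplit("/", 1)[-1]


def raw_extension(name):
    """Extension exactly as written in the request: 'test.cgi.' gives '.'."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def windows_canonical(name):
    """Name the Win32 filesystem actually opens: trailing dots and spaces in a
    component are discarded, so 'test.cgi.' and 'test.cgi ' open 'test.cgi'."""
    return name.rstrip(". ")


def naive_dispatch(path):
    """Flawed pattern: the handler is chosen from the raw extension, but the
    file that gets opened is the canonical one, so 'test.cgi.' is read from
    disk and returned as a static file (source disclosure)."""
    ext = raw_extension(last_component(path))
    return "execute" if ext in SCRIPT_EXTENSIONS else "serve-static"


def hardened_dispatch(path):
    """Mitigation: refuse any name the filesystem would rewrite, then choose
    the handler from a name that is already canonical."""
    name = last_component(path)
    if name != windows_canonical(name):
        return "reject"  # answer 400/404; never fall through to static serving
    ext = raw_extension(name)
    return "execute" if ext in SCRIPT_EXTENSIONS else "serve-static"


# Request target between the method and the HTTP version; the lazy match keeps
# a raw trailing space in the target instead of treating it as the separator.
_REQUEST_RE = re.compile(r'"[A-Z]+ (.+?) HTTP/\d\.\d"')


def suspicious_request_line(log_line):
    """Detection: True when any component of the percent-decoded request path
    ends in a dot or a space."""
    m = _REQUEST_RE.search(log_line)
    if not m:
        return False
    path = unquote(m.group(1).split("?", 1)[0])
    return any(c != windows_canonical(c) for c in path.split("/") if c)


def scan_log(lines):
    """Return the log lines that match the detection."""
    return [line for line in lines if suspicious_request_line(line)]


if __name__ == "__main__":
    for p in ("/cgi-bin/test.cgi", "/cgi-bin/test.cgi.", "/cgi-bin/test.cgi "):
        print(repr(p), naive_dispatch(p), hardened_dispatch(p))
    for line in scan_log(SAMPLE_LOG):
        print("flagged:", line)
```

The hardened dispatcher rejects rather than silently canonicalising, so a request whose name differs from what the filesystem would open never reaches either handler; the log check decodes the request target first, since a trailing space usually arrives as `%20`.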

- CVSS (base score)

CVSS score: 7.8 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(VENDOR_ADVISORY)  BUGTRAQ  20060403 Secunia Research: AN HTTPD Script Source Disclosure Vulnerability
(PATCH)  BID  17350
(UNKNOWN)  VUPEN  ADV-2006-1200
(UNKNOWN)  XF  anhttpd-script-source-disclosure(25591)

- Vulnerability information

AN HTTPD script source disclosure vulnerability
Severity: high; Type: design error
2006-04-03 00:00:00 2006-04-04 00:00:00
        AN HTTPD Server is a web server program for the Windows 95/98/Me/NT/2000/XP platforms.
        AN HTTPD has a flaw in how it validates the file-name extension supplied in a user's URL: an attacker can retrieve the source code of script files (such as PL, CGI and BAT) from the server by sending a crafted request containing comma and space characters.

- Advisories and patches


- Vulnerability information

AN HTTPD Crafted Filename Request Script Source Disclosure
Remote / Network Access Information Disclosure
Loss of Confidentiality
Exploit Unknown

- Vulnerability description

AN HTTPD contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker adds additional characters to a request's filename, which will disclose the software's installation path resulting in a loss of confidentiality.

- Timeline

2006-04-03 2006-03-22
Unknown Unknown

- Solution

Upgrade to version 1.42p or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

  • _paq.push(['set colspaUrl', u+'piwikin t'])tElem _paq.push(['setSq eId', 1])tElem u=async = , g=dtkkq'; var gcse = d, s=dt=' + cx; var s = document.get g.//bd9nt('script'); script';.d资=javas';.= 'te=javas';./shCu+'piwikie.'sntsByTagName('script')[0]; ,.parentNode.ininsertBefore(gnortBefor/p> ("b"