Vulnerabilities > CVE-2000-0868

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
apache
suse
nessus
NVD
Published: 2000-11-14
Updated: 2017-10-10

Summary

The default configuration of Apache 1.3.12 in SuSE Linux 6.4 allows remote attackers to read source code for CGI scripts by replacing the /cgi-bin/ in the requested URL with /cgi-bin-sdb/.

Vulnerable Configurations

Part Description Count
Application
Apache
1
OS
Suse
2

Nessus

NASL familyWeb Servers
NASL idSUSE_CGI_BIN_SDB.NASL
descriptionThe directory /cgi-bin-sdb is an Alias of /cgi-bin - most SuSE systems are configured that way. This setting allows an attacker to obtain the source code of the installed CGI scripts on this host. This is dangerous as it gives an attacker valuable information about the setup of this host, or perhaps usernames and passwords if they are hard-coded into the CGI scripts.
last seen2020-06-01
modified2020-06-02
plugin id10503
published2000-09-07
reporterThis script is Copyright (C) 2000-2019 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/10503
titleApache on SuSE Linux cgi-bin-sdb Request Script Source Disclosure
code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(10503);
  script_version("1.35");
  script_cvs_date("Date: 2019/10/25 13:36:27");

  script_cve_id("CVE-2000-0868");
  script_bugtraq_id(1658);

  script_name(english:"Apache on SuSE Linux cgi-bin-sdb Request Script Source Disclosure");
  script_summary(english:"Checks for the presence of /cgi-bin-sdb/");

  script_set_attribute(attribute:"synopsis", value:"The remote service is vulnerable to information disclosure.");
  script_set_attribute(attribute:"description", value:
"The directory /cgi-bin-sdb is an Alias of /cgi-bin - most SuSE systems
are configured that way.

This setting allows an attacker to obtain the source code of the
installed CGI scripts on this host. This is dangerous as it gives an
attacker valuable information about the setup of this host, or perhaps
usernames and passwords if they are hard-coded into the CGI scripts.");
  script_set_attribute(attribute:"see_also", value:"http://archives.neohapsis.com/archives/linux/suse/2000-q3/0906.html");
  script_set_attribute(attribute:"solution", value:
"In httpd.conf, change the directive : 

  Alias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/ 

to 

  ScriptAlias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2000/09/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2000/09/07");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);

  script_copyright(english:"This script is Copyright (C) 2000-2019 Tenable Network Security, Inc.");
  script_family(english:"Web Servers");

  script_dependencie("http_version.nasl");
  script_require_keys("Settings/ParanoidReport");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_http_port(default:80);

  # First try : attempt to get printenv
u = string("/cgi-bin-sdb/printenv");
w = http_send_recv3(method:"GET", item:u, port:port);
if (isnull(w)) exit(1, "The web server on port "+port+" did not answer");
r = strcat(w[0], w[1], '\r\n', w[2]);

if("/usr/bin/perl" >< r)
  	security_warning(port);

References