Vulnerabilities > CVE-2004-2628 - Directory Traversal vulnerability in Acme Labs Thttpd 2.0.7Beta0.4

CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
acme-labs
nessus
exploit available

Summary

Multiple directory traversal vulnerabilities in thttpd 2.07 beta 0.4, when running on Windows, allow remote attackers to read arbitrary files via a URL that contains (1) a hex-encoded backslash dot-dot sequence ("%5C..") or (2) a drive letter (such as "C:").

Vulnerable Configurations

Part Description Count
Application
Acme_Labs
1

Exploit-Db

description: Acme thttpd 2.0.7 Directory Traversal Vulnerability. CVE-2004-2628. Remote exploit for windows platform
id: EDB-ID:24350
last seen: 2016-02-02
modified: 2004-08-04
published: 2004-08-04
reporter: CoolICE
source: https://www.exploit-db.com/download/24350/
title: acme thttpd 2.0.7 - Directory Traversal Vulnerability

Nessus

NASL family: Web Servers
NASL id: THTTPD_DIRECTORY_TRAVERSAL.NASL
description: The remote web server fails to limit requests to items within the document directory. An attacker may exploit this flaw to read arbitrary files on the remote system with the privileges of the http process.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 14229
published: 2004-08-09
reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/14229
title: thttpd 2.0.7 Directory Traversal (Windows)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration. This branch runs only when `description` is set:
# it records the plugin's metadata and exits before any check traffic
# is generated.
if (description)
{
  # Identity and cross-references.
  script_id(14229);
  script_version("1.23");

  script_cve_id("CVE-2004-2628");
  script_bugtraq_id(10862);

  script_name(english:"thttpd 2.0.7 Directory Traversal (Windows)");

  # Text shown to the analyst in the scan report.
  script_set_attribute(attribute:"synopsis", value:"The remote web server is vulnerable to a path traversal attack.");
  script_set_attribute(attribute:"description", value:
"The remote web server fails to limit requests to items within the
document directory.  An attacker may exploit this flaw to read
arbitrary files on the remote system with the privileges of the http
process.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2004/Aug/144");

  # NOTE(review): the solution text says no fix is known, while the
  # temporal vector below carries RL:OF (official fix). The two look
  # inconsistent; confirm which one reflects the current state before
  # relying on either for remediation planning.
  script_set_attribute(attribute:"solution", value:"Unknown at this time.");

  # Scoring: network-reachable, low complexity, no authentication,
  # partial confidentiality impact only (file read, no write).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  # Dates.
  script_set_attribute(attribute:"plugin_publication_date", value: "2004/08/09");
  script_set_attribute(attribute:"vuln_publication_date", value: "2004/08/04");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

  # Remote check; "exploited_by_nessus" matches the check code in this
  # file, which requests the file itself rather than judging from a
  # version banner.
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  # The summary names the single file the check tries to read.
  script_summary(english:"thttpd traversal - try to read c:\boot.ini");

  script_category(ACT_GATHER_INFO);

  script_copyright(english:"This script is Copyright (C) 2004-2020 Tenable Network Security, Inc.");
  script_family(english:"Web Servers");

  # Scheduling: run after HTTP service detection, against port 80 or
  # any port registered as Services/www.
  script_dependencie("http_version.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}

#
# The script code starts here
#

include("http_func.inc");

# Detection logic: request c:\boot.ini from the web server and report
# the port when the reply contains the text "[boot loader]".
#
# Coverage caveats for whoever reads the result:
#  - Only the drive-letter form of the request is exercised; the
#    "%5C.." form listed for the same CVE is not tested here.
#  - A target with no readable c:\boot.ini is not reported, so a clean
#    result does not prove the server confines requests to its
#    document directory.
port = get_http_port(default:80, embedded:TRUE);

# Nothing to test when the port is not open.
if (!get_port_state(port)) exit(0);

soc = http_open_socket(port);
if (!soc) exit(0);

# One GET request whose item is the drive-letter path.
req = http_get(item:"c:\boot.ini", port:port);
send(socket:soc, data:req);
res = http_recv(socket:soc);

# When the header/body separator is present, keep the reply from that
# separator onward so the headers are left out of the match and report.
if ('\r\n\r\n' >< res)
  res = strstr(res, '\r\n\r\n');

# Report only on a positive content match. The returned text is
# embedded in the report, so the scan output holds whatever the server
# sent back for this request.
if (egrep(pattern:"\[boot loader\]", string:res))
{
  report = string(
    "\n",
    "Requesting the file c:\\boot.ini returns :\n",
    "\n",
    res, "\n"
  );
  security_warning(port:port, extra:report);
}

http_close_socket(soc);