CVE-2006-4110 - Information Disclosure vulnerability in Apache Http Server 2.0.58/2.2.2/2.2.3
Attack vector | NETWORK |
Attack complexity | MEDIUM |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | NONE |
Availability impact | NONE |
Summary
Apache 2.2.2, when running on Windows, allows remote attackers to read source code of CGI programs via a request that contains uppercase (or alternate case) characters that bypass the case-sensitive ScriptAlias directive, but allow access to the file on case-insensitive file systems.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 3 |
Exploit-Db
description | Apache 2.2.2 CGI Script Source Code Information Disclosure Vulnerability. CVE-2006-4110. Remote exploits for multiple platform |
id | EDB-ID:28365 |
last seen | 2016-02-03 |
modified | 2006-08-09 |
published | 2006-08-09 |
reporter | Susam Pal |
source | https://www.exploit-db.com/download/28365/ |
title | Apache 2.2.2 CGI Script Source Code Information Disclosure Vulnerability |
Nessus
NASL family | CGI abuses |
NASL id | APACHE_SCRIPTALIAS_IN_HTDOCS_DIR_TRAVERSAL.NASL |
description | The version of Apache for Windows running on the remote host can be tricked into disclosing the source of its CGI scripts because of a configuration issue. Specifically, if the CGI directory is located within the document root, then requests that alter the case of the directory name will bypass the mod_cgi cgi-script handler and be treated as requests for ordinary files. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 22203 |
published | 2006-08-11 |
reporter | This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/22203 |
title | Apache on Windows mod_alias URL Validation Canonicalization CGI Source Disclosure |
code

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(22203);
  script_version("1.24");

  script_cve_id("CVE-2006-4110");
  script_bugtraq_id(19447);

  script_name(english:"Apache on Windows mod_alias URL Validation Canonicalization CGI Source Disclosure");
  script_summary(english:"Tries to read source of print-env.pl with Apache for Windows");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by an information disclosure issue." );
  script_set_attribute(attribute:"description", value:
"The version of Apache for Windows running on the remote host can be tricked into disclosing the source of its CGI scripts because of a configuration issue. Specifically, if the CGI directory is located within the document root, then requests that alter the case of the directory name will bypass the mod_cgi cgi-script handler and be treated as requests for ordinary files." );
  script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/442882/30/0/threaded" );
  script_set_attribute(attribute:"solution", value:
"Reconfigure Apache so that the scripts directory is located outside of the document root." );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_publication_date", value: "2006/08/11");
  script_set_attribute(attribute:"vuln_publication_date", value: "2006/08/09");
  script_cvs_date("Date: 2018/11/15 20:50:16");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:apache:http_server");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencie("apache_http_version.nasl");
  script_exclude_keys("installed_sw/Apache", "Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("audit.inc");
include("webapp_func.inc");

get_install_count(app_name:"Apache", exit_if_zero:TRUE);
port = get_http_port(default:80);
install = get_single_install(app_name:"Apache", port:port);

# Loop through CGI directories.
foreach dir (cgi_dirs())
{
  # Try to exploit the flaw to read a CGI script.
  #
  # nb: printenv.pl is included by default.
  file = "printenv.pl";
  r = http_send_recv3(method:"GET", item:string(toupper(dir), "/", file), port:port);
  if (isnull(r)) exit(0);
  res = r[2];

  # There's a problem if it looks like the source.
  if (
    "foreach $var (sort(keys(%ENV))) {" >< res &&
    pgrep(pattern:"^#!.+/perl\.exe", string:res)
  )
  {
    report = string(
      "Here are the contents of the '", dir, "/", file, "' CGI script that\n",
      "Nessus was able to read from the remote host :\n",
      "\n",
      res
    );
    security_warning(port:port, extra:report);
    exit(0);
  }
}
audit(AUDIT_LISTEN_NOT_VULN, "Apache", port, install["version"]);
```
NASL family | CGI abuses |
NASL id | APACHE_SCRIPTALIAS_IN_HTDOCS_DIR_TRAVERSAL2.NASL |
description | The version of Apache running on the remote Windows host can be tricked into disclosing the source of its CGI scripts because of a configuration issue. Specifically, if the CGI directory is located within the document root, then requests that alter the case of the directory name will bypass the mod_cgi cgi-script handler and be treated as requests for ordinary files. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 17694 |
published | 2011-11-18 |
reporter | This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/17694 |
title | Apache on Windows mod_alias URL Validation Canonicalization CGI Source Information Disclosure |
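The Nessus descriptions above tie the disclosure to a CGI directory located inside the document root, and the plugin's stated solution is to move the scripts directory outside it. The following added example (not part of the original page or of Tenable's plugin) audits a configuration for that condition, comparing paths the way a case-insensitive Windows file system would. The sample configuration and the function names are constructed for illustration, and the check assumes absolute paths in a single file, with no Include or VirtualHost handling.

```python
import ntpath
import re

# Constructed sample httpd.conf for Apache on Windows (not from the original page).
SAMPLE_CONF = r'''
ServerRoot "C:/Apache2"
DocumentRoot "C:/Apache2/htdocs"
# Risky: script directory lives inside the document root
ScriptAlias /cgi-bin/ "C:/Apache2/HTDOCS/cgi-bin/"
# Safe: script directory is outside the document root
ScriptAlias /tools/ "C:/Apache2/cgi-tools/"
Alias /docs/ "C:/Apache2/manual/"
'''

# Only the two directives that matter here; ScriptAliasMatch is not handled.
DIRECTIVE = re.compile(r'^\s*(DocumentRoot|ScriptAlias)\s+(.*)$', re.IGNORECASE)


def _norm(path):
    """Normalize a path the way a case-insensitive Windows file system sees it."""
    return ntpath.normcase(ntpath.normpath(path.strip().strip('"')))


def _inside(child, parent):
    """True if child equals parent or lies below it (both already normalized)."""
    return child == parent or child.startswith(parent.rstrip('\\') + '\\')


def find_exposed_script_aliases(conf_text):
    """Return (url_prefix, directory) for ScriptAlias targets under a DocumentRoot."""
    roots, aliases = [], []
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue  # comments and unrelated directives
        name, rest = m.group(1).lower(), m.group(2)
        if name == 'documentroot':
            roots.append(_norm(rest))
        else:
            parts = rest.split(None, 1)  # URL prefix, then the directory
            if len(parts) == 2:
                aliases.append((parts[0], parts[1].strip().strip('"')))
    return [(url, target) for url, target in aliases
            if any(_inside(_norm(target), root) for root in roots)]


if __name__ == '__main__':
    for url, target in find_exposed_script_aliases(SAMPLE_CONF):
        print(f'ScriptAlias {url} -> {target} is inside DocumentRoot')
```

The first ScriptAlias in the sample is flagged even though its path is written with a different case than DocumentRoot, because both are normalized before comparison.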
References
- http://secunia.com/advisories/21490
- http://securityreason.com/securityalert/1370
- http://www.osvdb.org/27913
- http://www.securityfocus.com/archive/1/442882/100/0/threaded
- http://www.securityfocus.com/archive/1/443487/100/200/threaded
- http://www.securityfocus.com/bid/19447
- http://www.vupen.com/english/advisories/2006/3265
- https://exchange.xforce.ibmcloud.com/vulnerabilities/28357