CVE-2007-3407 - Information Disclosure vulnerability in Sergey Lyubka Simple Httpd 1.38

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE
Tags: network, low complexity, sergey-lyubka, nessus, exploit available

Summary

Sergey Lyubka Simple HTTPD (shttpd) 1.38 allows remote attackers to obtain sensitive information (script source code) via a URL with a trailing encoded space (%20).

Vulnerable Configurations

Part | Description | Count
Application | Sergey_Lyubka | 1

Exploit-Db

description: SHTTPD 1.38 Filename Parse Error Information Disclosure Vulnerability. CVE-2007-3407. Remote exploits for multiple platform
id: EDB-ID:30229
last seen: 2016-02-03
modified: 2007-06-25
published: 2007-06-25
reporter: Shay Priel
source: https://www.exploit-db.com/download/30229/
title: SHTTPD 1.38 Filename Parse Error Information Disclosure Vulnerability

Nessus

NASL family: Web Servers
NASL id: ASP_SOURCE_SPACE.NASL
description: It appears possible to get the source code of the remote ASP scripts by appending a
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11071
published: 2002-08-14
reporter: This script is Copyright (C) 2002-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/11071
title: Multiple Web Server Encoded Space (%20) Request ASP Source Disclosure

Seebug

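bulletinFamily: exploit
description: BUGTRAQ ID: 24618 CVE(CAN) ID: CVE-2007-3407 SHTTPD is a lightweight, easy-to-use web server. SHTTPD has a vulnerability in how it handles HTTP requests, which a remote attacker may exploit to obtain script source code. SHTTPD does not handle HTTP requests correctly: if a user appends the "%20" character to the submitted URI, the source code of certain scripts may be disclosed. Sergey Lyubka SHTTPD 1.38 The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: http://shttpd.sourceforge.net/
id: SSV:1940
last seen: 2017-11-19
modified: 2007-06-29
published: 2007-06-29
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-1940
title: SHTTPD Filename Parse Error Information Disclosure Vulnerability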