ID CVE-2000-0213 Type cve Reporter cve@mitre.org Modified 2008-09-10T19:03:00
Description
The Sambar server includes batch files ECHO.BAT and HELLO.BAT in the CGI directory, which allow remote attackers to execute commands via shell metacharacters.
{"osvdb": [{"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-2000-0213"], "edition": 1, "description": "## Vulnerability Description\nSambar Server contains a flaw that may allow a malicious user to execute arbitrary code. The issue is triggered when additional commands are appended to a request for the \"hello.bat\" file. It is possible that the flaw may allow arbitrary code execution resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 4.3 beta 8 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s):\n\nRemove all .bat files from the /cgi-bin/ directory.\n## Short Description\nSambar Server contains a flaw that may allow a malicious user to execute arbitrary code. The issue is triggered when additional commands are appended to a request for the \"hello.bat\" file. It is possible that the flaw may allow arbitrary code execution resulting in a loss of integrity.\n## Manual Testing Notes\nhttp://[victim]/cgi-bin/hello.bat?&dir+c:\n\n## References:\nVendor URL: http://www.sambar.com/syshelp/security.htm\n[Related OSVDB ID: 5802](https://vulners.com/osvdb/OSVDB:5802)\n[Nessus Plugin ID:10246](https://vulners.com/search?query=pluginID:10246)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2000-02/0288.html\nISS X-Force ID: 3999\n[CVE-2000-0213](https://vulners.com/cve/CVE-2000-0213)\nBugtraq ID: 1002\n", "modified": "2000-02-23T00:00:00", "published": "2000-02-23T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:194", "id": "OSVDB:194", "type": "osvdb", "title": "Sambar Server hello.bat Code Execution", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-04-28T13:20:00", "bulletinFamily": "software", "cvelist": ["CVE-2000-0213"], "edition": 1, "description": "## Vulnerability Description\nSambar Server contains a flaw that may allow a malicious user to execute arbitrary code. The issue is triggered when additional commands are appended to a request for the \"echo.bat\" file. It is possible that the flaw may allow arbitrary code execution resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 4.3 beta 8 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s):\n\nRemove all .bat files from the /cgi-bin/ directory.\n## Short Description\nSambar Server contains a flaw that may allow a malicious user to execute arbitrary code. The issue is triggered when additional commands are appended to a request for the \"echo.bat\" file. It is possible that the flaw may allow arbitrary code execution resulting in a loss of integrity.\n## Manual Testing Notes\nhttp://[victim]/cgi-bin/echo.bat?&dir+c:\\\n## References:\nVendor URL: http://www.sambar.com/syshelp/security.htm\n[Related OSVDB ID: 194](https://vulners.com/osvdb/OSVDB:194)\n[Nessus Plugin ID:10246](https://vulners.com/search?query=pluginID:10246)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2000-02/0288.html\nISS X-Force ID: 3999\n[CVE-2000-0213](https://vulners.com/cve/CVE-2000-0213)\nBugtraq ID: 1002\n", "modified": "2000-02-23T00:00:00", "published": "2000-02-23T00:00:00", "id": "OSVDB:5802", "href": "https://vulners.com/osvdb/OSVDB:5802", "title": "Sambar Server echo.bat Code Execution", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-02-02T12:38:53", "description": "Sambar Server 4.2 beta 7 Batch CGI Vulnerability. CVE-2000-0213. Remote exploit for windows platform", "published": "2000-02-24T00:00:00", "type": "exploitdb", "title": "Sambar Server 4.2 beta 7 Batch CGI Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2000-0213"], "modified": "2000-02-24T00:00:00", "id": "EDB-ID:19761", "href": "https://www.exploit-db.com/exploits/19761/", "sourceData": "source: http://www.securityfocus.com/bid/1002/info\r\n\r\nThe Sambar Web/FTP/Proxy Server for Windows NT and 2000 supports DOS-style batch programs as CGI scripts. A remote attacker can use any batch file used by the server in the 'cgi-bin' directory to run any valid command-line program with administrator privileges. This allows the attacker to read, modify, create, or delete any file or directory on the system, including user accounts, etc. Even if the user hasn't enabled or created any batch files, the software ships with two by default: 'hello.bat' and 'echo.bat'.\r\n\r\nhttp://target/cgi-bin/hello.bat?&dir+c:or\r\nhttp://target/cgi-bin/echo.bat?&dir+c:\\", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/19761/"}], "nessus": [{"lastseen": "2021-01-20T14:08:29", "description": "At least one of these CGI scripts is installed :\n\n hello.bat echo.bat\n\nThey allow any attacker to execute commands with the privileges of the\nweb server process.", "edition": 23, "published": "2000-02-23T00:00:00", "title": "Sambar Server Multiple Script Arbitrary Code Execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2000-0213"], "modified": "2000-02-23T00:00:00", "cpe": [], "id": "SAMBAR_CGI.NASL", "href": "https://www.tenable.com/plugins/nessus/10246", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(10246);\n script_version(\"1.31\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2000-0213\");\n script_bugtraq_id(1002);\n\n script_name(english:\"Sambar Server Multiple Script Arbitrary Code Execution\");\n script_summary(english:\"Checks for the presence of /cgi-bin/{hello,echo}.bat\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"Arbitrary commands may be run on the remote host.\");\n script_set_attribute(attribute:\"description\", value:\n\"At least one of these CGI scripts is installed :\n\n hello.bat echo.bat\n\nThey allow any attacker to execute commands with the privileges of the\nweb server process.\");\n script_set_attribute(attribute:\"solution\", value:\"Delete all the *.bat files from your cgi-bin/ directory\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2000/02/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2000/02/23\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2000-2021 Tenable Network Security, Inc.\");\n script_family(english:\"CGI abuses\");\n\n script_dependencie(\"find_service1.nasl\", \"no404.nasl\", \"http_version.nasl\");\n script_require_keys(\"Settings/ParanoidReport\", \"www/sambar\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nport = get_http_port(default: 80);\n\nif (is_cgi_installed3(item:\"hello.bat\", port:port) ||\n is_cgi_installed3(item:\"echo.bat\", port:port))\n security_hole(port);\n\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
