ID CVE-2000-1016 Type cve Reporter cve@mitre.org Modified 2017-10-10T01:29:00
Description
The default configuration of Apache (httpd.conf) on SuSE 6.4 includes an alias for the /usr/doc directory, which allows remote attackers to read package documentation and obtain system configuration information via an HTTP request for the /doc/packages URL.
{"exploitdb": [{"lastseen": "2016-02-02T13:47:36", "bulletinFamily": "exploit", "description": "S.u.S.E. Linux 6.3/6.4 Installed Package Disclosure Vulnerability. CVE-2000-1016. Remote exploit for linux platform", "modified": "2000-09-21T00:00:00", "published": "2000-09-21T00:00:00", "id": "EDB-ID:20236", "href": "https://www.exploit-db.com/exploits/20236/", "type": "exploitdb", "title": "S.u.S.E. Linux 6.3/6.4 Installed Package Disclosure Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/1707/info\r\n\r\nBy submitting a specific url to the web server (\"http://hosts.any/doc/packages/\") , any user from any host may obtain a list of packages installed on a S.u.S.E 6.3 or 6.4 system. This problem is due to a configuration in the Apache httpd.conf supplied with S.u.S.E that permits anyone to request documents from this webroot subdirectory. The end result is that attackers will know what packages the victim has installed, which can assist in executing more complicated attacks.\r\n\r\nRequest \"http://target/doc/packages/\" with a web browser. ", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/20236/"}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nVendor URL: http://httpd.apache.org/\n[CVE-2000-1016](https://vulners.com/cve/CVE-2000-1016)\nBugtraq ID: 1707\n", "modified": "2000-09-21T00:00:00", "published": "2000-09-21T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:417", "id": "OSVDB:417", "type": "osvdb", "title": "Apache HTTP Server on SuSE Linux /doc/packages Remote Information Disclosure", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "nessus": [{"lastseen": "2018-06-14T07:19:07", "bulletinFamily": "scanner", "description": "The /doc/packages directory is browsable. This directory contains the versions of the packages installed on this host. A remote attacker can use this information to mount further attacks.\nThis plugin has been deprecated. Webmirror3 (plugin ID 10662) will identify a browsable directory.", "modified": "2018-06-13T00:00:00", "published": "2000-09-25T00:00:00", "id": "DOC_PACKAGE_BROWSEABLE.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=10518", "title": "/doc/packages Directory Browsable (deprecated)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2016/04/01. Webmirror3.nbin will identify browsable\n# directories.\n\n# Script audit and contributions from Carmichael Security\n# Erik Anderson <eanders@carmichaelsecurity.com> (nb: this domain no longer exists)\n# Added BugtraqID and CVE\n#\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(10518);\n script_version (\"1.31\");\n script_cvs_date(\"Date: 2018/06/13 18:56:26\");\n\n script_cve_id(\"CVE-2000-1016\");\n script_bugtraq_id(1707);\n\n script_name(english:\"/doc/packages Directory Browsable (deprecated)\");\n script_summary(english:\"Checks if /doc/packages browsable.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"This plugin has been deprecated.\");\n script_set_attribute(attribute:\"description\", value:\n\"The /doc/packages directory is browsable. This directory contains the\nversions of the packages installed on this host. A remote attacker can\nuse this information to mount further attacks.\nThis plugin has been deprecated. Webmirror3 (plugin ID 10662) will\nidentify a browsable directory.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://seclists.org/bugtraq/2000/Sep/435\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Use access restrictions for the /doc directory. If you use Apache\nyou might use this in your access.conf:\n\n <Directory /usr/doc>\n AllowOverride None\n order deny,allow\n deny from all\n allow from localhost\n </Directory>\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2000/09/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2000/09/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.\");\n\n script_dependencie(\"find_service1.nasl\",\"doc_browsable.nasl\", \"http_version.nasl\");\n script_require_keys(\"www/doc_browseable\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\n# Deprecated.\nexit(0, \"This plugin has been deprecated. Webmirror3 (plugin ID 10662) will identify a browsable directory.\");\n\n#\n# The script code starts here\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\n\ndir = \"/doc/packages/\";\nr = http_send_recv3(method:\"GET\", item: dir, port:port);\nif (isnull(r)) exit(0);\n\ncode = r[0];\nbuf = strcat(r[1], '\\r\\n', r[2]);\nbuf = tolower(buf);\nmust_see = \"index of /doc\";\n\n if((ereg(string:code, pattern:\"^HTTP/[0-9]\\.[0-9] 200 \"))&&(must_see >< buf))\n {\n \tsecurity_warning(port);\n\tset_kb_item( name: 'www/'+port+'/content/directory_index', value: dir);\n }\n\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}]}
