source: http://www.securityfocus.com/bid/1510/info
If a request containing the null character (%00) is made to the Roxen Web Server, the server will return directory contents, and the source of unparsed scripts and html pages.
For example, a request to
http://www.server.com/%00
Will return the contents of the server's document root directory.
Versions of Roxen WebServer 2.0 prior to 2.0.69 are affected.
{"published": "2000-07-21T00:00:00", "id": "EDB-ID:20104", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "history": [], "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "vulnersScore": 5.0}, "hash": "fab727b636e614bac3bbf074eb896ea6b68e13cb0713b16ec9fed880beeb2a71", "description": "Roxen WebServer 2.0 .X %00 Request File/Directory Disclosure Vulnerability. CVE-2000-0671. Remote exploits for multiple platform", "type": "exploitdb", "href": "https://www.exploit-db.com/exploits/20104/", "lastseen": "2016-02-02T13:29:24", "edition": 1, "title": "Roxen WebServer 2.0.x - %00 Request File/Directory Disclosure Vulnerability", "osvdbidlist": ["378"], "modified": "2000-07-21T00:00:00", "bulletinFamily": "exploit", "viewCount": 2, "cvelist": ["CVE-2000-0671"], "sourceHref": "https://www.exploit-db.com/download/20104/", "references": [], "reporter": "zorgon", "sourceData": "source: http://www.securityfocus.com/bid/1510/info\r\n\r\nIf a request containing the null character (%00) is made to the Roxen Web Server, the server will return directory contents, and the source of unparsed scripts and html pages.\r\n\r\nFor example, a request to\r\nhttp://www.server.com/%00\r\n\r\nWill return the contents of the server's document root directory.\r\n\r\nVersions of Roxen WebServer 2.0 prior to 2.0.69 are affected. \r\n\r\n", "objectVersion": "1.0"}
{"cve": [{"lastseen": "2017-10-10T10:34:37", "references": ["https://exchange.xforce.ibmcloud.com/vulnerabilities/4965", "http://archives.neohapsis.com/archives/bugtraq/2000-07/0321.html", "http://archives.neohapsis.com/archives/bugtraq/2000-07/0307.html", "http://www.securityfocus.com/bid/1510"], "description": "Roxen web server earlier than 2.0.69 allows allows remote attackers to bypass access restrictions, list directory contents, and read source code by inserting a null character (%00) to the URL.", "edition": 2, "reporter": "NVD", "published": "2000-07-21T00:00:00", "title": "CVE-2000-0671", "type": "cve", "enchantments": {"score": {"modified": "2017-10-10T10:34:37", "vector": "NONE", "value": 5.0}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2000-0671"], "scanner": [], "modified": "2017-10-09T21:29:15", "cpe": ["cpe:/a:roxen:webserver:2.0.x"], "id": "CVE-2000-0671", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0671", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "references": [], "edition": 1, "description": "# No description provided by the source\n\n## References:\nSnort Signature ID: 1109\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2000-07/0321.html\nISS X-Force ID: 4965\n[CVE-2000-0671](https://vulners.com/cve/CVE-2000-0671)\nBugtraq ID: 1510\n", "reporter": "OSVDB", "published": "2000-07-22T00:00:00", "type": "osvdb", "title": "Roxen Web Server /%00/ Encoded Request Forced Directory Listing", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2000-0671"], "modified": "2000-07-22T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:378", "id": "OSVDB:378", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "nessus": [{"lastseen": "2018-09-01T23:52:23", "references": ["http://archives.neohapsis.com/archives/bugtraq/2000-07/0307.html"], "pluginID": "10479", "description": "The version of Roxen Web Server running on the remote host is affected by an information disclosure vulnerability. An unauthenticated, remote attacker can exploit this, by using a crafted URL request with '/%00/' appended to the URI, to display a listing of a remote directory, which may contain sensitive files.", "edition": 7, "reporter": "Tenable", "published": "2000-07-22T00:00:00", "title": "Roxen Web Server /%00/ Encoded Request Forced Directory Listing", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Web Servers", "bulletinFamily": "scanner", "cvelist": ["CVE-2000-0671"], "modified": "2018-07-27T00:00:00", "cpe": ["cpe:/a:roxen:webserver"], "id": "ROXEN_PERCENT.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=10479", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(10479);\n script_version (\"1.27\");\n script_cvs_date(\"Date: 2018/07/27 18:38:15\");\n\n script_cve_id(\"CVE-2000-0671\");\n script_bugtraq_id(1510);\n script_xref(name:\"EDB-ID\", value:\"20104\");\n\n script_name(english:\"Roxen Web Server /%00/ Encoded Request Forced Directory Listing\");\n script_summary(english:\"Attempts to find a directory listing.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by an information disclosure \nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Roxen Web Server running on the remote host is affected\nby an information disclosure vulnerability. An unauthenticated, remote\nattacker can exploit this, by using a crafted URL request with '/%00/'\nappended to the URI, to display a listing of a remote directory, which\nmay contain sensitive files.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://archives.neohapsis.com/archives/bugtraq/2000-07/0307.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the latest version of Roxen.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2000/07/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2000/07/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:roxen:webserver\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.\");\n\n script_dependencie(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/roxen\");\n\n exit(0);\n}\n\n#\n# The script code starts here\n#\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n# Make sure this is Roxen.\nget_kb_item_or_exit('www/roxen');\n\nport = get_http_port(default:80);\n\nr = http_send_recv3(port:port, method:\"GET\", item:\"/%00/\", exit_on_fail:TRUE);\nseek = \"Directory listing of\";\ndata = r[2];\nif (seek >< data)\n{\n output = strstr(data, \"Directory listing\");\n if (empty_or_null(output)) output = data;\n\n security_report_v4(\n port : port,\n generic : TRUE,\n severity : SECURITY_WARNING,\n request : make_list(build_url(qs:\"/%00/\", port:port)),\n output : output\n );\n exit(0);\n}\nelse audit(AUDIT_LISTEN_NOT_VULN, \"Roxen\", port);\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}]}
