Zeus Technologies Zeus Web Server CGI Source Disclosure

2000-02-08T00:00:00
ID OSVDB:254
Type osvdb
Reporter Vanja Hrustic (vanja@relaygroup.com)
Modified 2000-02-08T00:00:00

Description

Vulnerability Description

Zeus Web Server contains a flaw that may lead to unauthorized information disclosure. The issue is triggered by appending specific characters to the end of a URL that points to a CGI script; the server then discloses the source code of the CGI script, resulting in a loss of confidentiality.

Technical Description

The following suffix characters have been reported to show the vulnerability: %G0 %W0 %EW %FG %UW %VG %00
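
A log check for the suffixes listed above, as an added example that is not part of the original OSVDB entry: it scans access-log lines for request paths ending in one of the reported suffixes and notes whether content was served. The Common Log Format layout, the sample lines, the script names and the case-insensitive match are assumptions.

```python
import re

# Suffixes listed in the advisory's Technical Description.
REPORTED_SUFFIXES = ("%G0", "%W0", "%EW", "%FG", "%UW", "%VG", "%00")

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?:\d+|-)'
)

def suspicious_suffix(target):
    """Return the reported suffix that the raw path ends with, else None."""
    # Compare the raw path without URL-decoding it; a suffix that only appears
    # in the query string is not what the advisory describes.
    path = target.split("?", 1)[0].upper()  # case-insensitive: an assumption
    return next((s for s in REPORTED_SUFFIXES if path.endswith(s)), None)

def scan(lines):
    """Return one finding per log line whose path ends in a reported suffix."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = CLF.match(line)
        suffix = suspicious_suffix(m["target"]) if m else None
        if suffix:
            findings.append({
                "line": lineno, "host": m["host"], "target": m["target"],
                "suffix": suffix,
                # 200 means content was returned: review that script for secrets.
                "served": m["status"] == "200",
            })
    return findings

# Constructed sample log (documentation addresses, hypothetical script names).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Feb/2000:10:00:01 +0000] "GET /cgi-bin/search.cgi?q=zeus HTTP/1.0" 200 512',
    '192.0.2.44 - - [08/Feb/2000:10:00:07 +0000] "GET /cgi-bin/search.cgi%00 HTTP/1.0" 200 4381',
    '192.0.2.44 - - [08/Feb/2000:10:00:09 +0000] "GET /cgi-bin/order.pl%ew HTTP/1.0" 404 210',
    '192.0.2.10 - - [08/Feb/2000:10:00:12 +0000] "GET /docs/a%20b.html HTTP/1.0" 200 900',
    '192.0.2.10 - - [08/Feb/2000:10:00:15 +0000] "GET /cgi-bin/s.cgi?x=%00 HTTP/1.0" 200 1',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any script that appears in a finding with `served` set should be treated as disclosed, and credentials or keys embedded in it rotated.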

Solution Description

Upgrade to version 3.3.5a or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Mail List Post: http://archive.cert.uni-stuttgart.de/archive/bugtraq/2000/02/msg00135.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2000-02/0072.html
ISS X-Force ID: 3982
ISS X-Force ID: 7950
CVE-2000-0149
Bugtraq ID: 977