Exploit Database - Logo

Apache 0.8.x/1.0.x / NCSA HTTPd 1.x - 'test-cgi' Directory Listing

EDB-ID: 20435 Author: @stake Published: 1996-04-01
CVE: CVE-1999-0070 Type: Remote Platform: CGI
Aliases: N/A Advisory/Source: Link Tags: N/A
E-DB Verified: Verified Exploit: Download Exploit Code Download / View Raw Vulnerable App: N/A
« Previous Exploit Next Exploit » 
source: http://www.securityfocus.com/bid/2003/info

NCSA HTTPd and comes with a CGI sample shell script, test-cgi, located by default in /cgi-bin. This script does not properly enclose an "ECHO" command in quotes, and as a result "shell expansion" of the * character can occur under some configurations. This allows a remote attacker to obtain file listings, by passing *, /*, /usr/* etc., as variables. The ECHO command expands the * to give a directory listing of the specified directory. This could be used to gain information to facilitate future attacks. This is identical to a problem with another sample script, nph-test-cgi. See references. 

http://target/cgi-bin/test-cgi?/*
http://target/cgi-bin/test-cgi?*
« Previous Exploit Next Exploit »

Related Exploits

Trying to match CVEs (1): CVE-1999-0070
Trying to match OSVDBs (1): 55371
Other Possible E-DB Search Terms: Apache 0.8.x/1.0.x / NCSA HTTPd 1.x,  Apache 0.8.x,  Apache
Date D V Title Author
2008-03-31 Verified Apache 2.0 mod_jk2 2.0.2 (Windows x86) - Remote Buffer OverflowHeretic2
2005-06-20 Verified Apache 2.0.49 - Arbitrary Long HTTP Headers Denial of ServiceQnix
2004-01-21 Verified Apache 2.0.4x mod_perl - File Descriptor Leakage (3)Steve Grubb
2010-10-26 Verified Apache 2.2 (Windows) - Local Denial of Servicefb1h2s
2015-12-18 Verified Apache 2.4.17 - Denial of ServicerUnViRuS
2016-02-01 Waiting verification Apache 2.4.7 + PHP 7.0.2 - 'openssl_seal()' Uninitialized Memory Code Executionakat1
2010-04-28 Verified Apache ActiveMQ 5.3 - 'admin/queueBrowse' Cross-Site Scriptingarun kethip...
2010-06-23 Verified Apache Axis2 1.x - '/axis2/axis2-admin' Session FixationTiago Ferre...
2016-06-14 Verified Apache Continuum - Arbitrary Command Execution (Metasploit)Metasploit
2016-06-06 Verified Apache Continuum 1.4.2 - Multiple VulnerabilitiesDavid Shanahan
2010-08-11 Waiting verification Apache JackRabbit 2.0.0 - webapp XPath InjectionADEO Security
2006-05-29 Verified Apache James 2.2 - SMTP Denial of Servicey3dips
2014-12-10 Verified Apache James Server 2.3.2 - Remote Command ExecutionJakub Palac...
2016-09-14 Waiting verification Apache Mina 2.0.13 - Remote Command ExecutionGregory Dra...
2008-07-18 Verified Apache mod_jk 1.2.19 (Windows x86) - Remote Buffer OverflowUnohope
2007-06-22 Verified Apache mod_jk 1.2.19/1.2.20 - Remote Buffer Overfloweliteboy
2012-08-23 Verified Apache Struts 2 - Skill Name Remote Code Executionkxlzx
2008-11-28 Verified Apache Tomcat (Windows) - 'runtime.getRuntime().exec()' Local Privilege EscalationAbysssec
2012-03-19 Verified Apache Tomcat - Account Scanner / 'PUT' Request Command Executionkingcope
2009-11-09 Verified Apache Tomcat - Cookie Quote Handling Remote Information DisclosureJohn Kew
2009-11-09 Verified Apache Tomcat - Form Authentication 'Username' EnumerationD. Matscheko
2009-09-02 Verified Apache Tomcat 3.2 - 404 Error Page Cross-Site ScriptingMustLive
2002-10-01 Verified Apache Tomcat 3.2 - Directory DisclosureHP Security
2009-12-01 Verified Apache Tomcat 3.2.1 - 404 Error Page Cross-Site ScriptingMustLive
2006-07-23 Verified Apache Tomcat < 5.5.17 - Remote Directory ListingScanAlert S...
Menu