vendor:
httpd and Apache Web Server
by:
SecurityFocus
7,5
CVSS
HIGH
ScriptAlias Function Vulnerability
20
CWE
Product Name: httpd and Apache Web Server
Affected Version From: NSCA httpd 1.5 and Apache Web Server 1.0
Affected Version To: NSCA httpd 1.5 and Apache Web Server 1.0
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2001
NSCA httpd and Apache Web Server ScriptAlias Function Vulnerability
NSCA httpd prior to and including 1.5 and Apache Web Server prior to 1.0 contain a bug in the ScriptAlias function that allows remote users to view the source of CGI programs on the web server, if a ScriptAlias directory is defined under DocumentRoot. A full listing of the CGI-BIN directory can be obtained if indexing is turned on, as well. This is accomplished by adding multiple forward slashes in the URL. The web server fails to recognize that a ScriptAlias directory is actually redirected to a CGI directory when this syntax is used, and returns the text of the script instead of properly executing it. This may allow an attacker to audit scripts for vulnerabilities, retrieve proprietary information, etc.
Mitigation:
Disable ScriptAlias or use a different web server.
