Red Hat Apache Configuration Directory Listing Vulnerability

vendor:

Linux

by:

SecurityFocus

7.5

CVSS

HIGH

Directory Listing

539

CWE

Product Name: Linux

Affected Version From: Apache 2.0.40

Affected Version To: Apache 2.0.40

Patch Exists: YES

Related CWE: N/A

CPE: a:redhat:linux:9.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux

2003

Red Hat Apache Configuration Directory Listing Vulnerability

The Red Hat Apache configuration may allow an attacker to view directory listings when an attacker issues an HTTP GET request to a vulnerable server containing '//' characters, evading the rule desgined to prevent Apache from displaying directory listings with a request for '/'. The server is reported to disclose directory listings even when autoindex for the root directory has been disabled and a default welcome page is supposed to be displayed.

Mitigation:

Disable directory listing in Apache configuration.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/8898/info

The Red Hat Apache configuration may allow an attacker to view directory listings. The problem is reported to present itself when an attacker issues an HTTP GET request to a vulnerable server containing '//' characters, evading the rule desgined to prevent Apache from displaying directory listings with a request for '/'. The server is reported to disclose directory listings even when autoindex for the root directory has been disabled and a default welcome page is supposed to be displayed.

Successful exploits will disclose sensitive information that may be useful in further attacks against the system.

This problem has been reported to exist in Apache 2.0.40 shipped with Red Hat Linux 9.0. Other versions may be affected as well. 

http://ip_address:port//