header-logo
Suggest Exploit
explore-vulnerabilities

Explore Vulnerabilities

Version
Year

Explore all Exploits:

Microsoft IIS/PWS Escaped Characters Decoding Command Execution Vulnerability

When IIS receives a CGI filename request, it automatically performs two actions before completing the request: IIS decodes the filename to determine the filetype and the legitimacy of the file. IIS then carries out a security check. When the security check is completed, IIS decodes CGI parameters. A flaw in IIS involves a third undocumented action: Typically, IIS decodes only the CGI parameter at this point, yet the previously decoded CGI filename is mistakenly decoded twice. If a malformed filename is submitted and circumvents the initial security check, the undocumented procedure will decode the malformed request, possibly allowing the execution of arbitrary commands.

IISEX by HuXfLuX

When IIS receives a CGI filename request, it automatically performs two actions before completing the request: 1. IIS decodes the filename to determine the filetype and the legitimacy of the file. IIS then carries out a security check. 2. When the security check is completed, IIS decodes CGI parameters. A flaw in IIS involves a third undocumented action: Typically, IIS decodes only the CGI parameter at this point, yet the previously decoded CGI filename is mistakenly decoded twice. If a malformed filename is submitted and circumvents the initial security check, the undocumented procedure will decode the malformed request, possibly allowing the execution of arbitrary commands.

Microsoft IIS CGI Filename Decode Error

When IIS receives a CGI filename request, it automatically performs two actions before completing the request: 1. IIS decodes the filename to determine the filetype and the legitimacy of the file. IIS then carries out a security check. 2. When the security check is completed, IIS decodes CGI parameters. A flaw in IIS involves a third undocumented action: Typically, IIS decodes only the CGI parameter at this point, yet the previously decoded CGI filename is mistakenly decoded twice. If a malformed filename is submitted and circumvents the initial security check, the undocumented procedure will decode the malformed request, possibly allowing the execution of arbitrary commands.

ElectroComm Telnet Server Denial of Service Vulnerability

An attacker can execute a denial of service attack on ElectroComm by submitting two groups of approximately 160,000 characters to the target's telnet port. This increases CPU utilization to 100%, then crashes the service, which requires a restart.

A1Stats Path Disclosure Vulnerability

A1Stats is a CGI product by Drummon Miles used to report on a website's visitor traffic. Versions of this product fail to properly validate user-supplied input submitted as querystrings to the A1Stats script. An attacker can compose a long path including '/../' sequences, and submit it as a file request to the product's built-in webserver. 'dot dot' sequences will not be filtered from the path, permitting the attacker to specify files outside the directory tree normally available to users. This can permit disclosure of confidential data and sensitive system files which, if properly exploited, could lead to further compromises of the host's security. Additionally, by appending a properly formatted echo command argumented by a filename writable by the webserver, this flaw allows the attacker to overwrite this file with A1Stats' output.

Directory Traversal in Jana Server

It is possible for a remote user to traverse the directories of a host running Jana Server. Submitting a specially crafted URL using hex encoded 'double dot' sequences will reveal arbitrary directories. In addition to revealing directories, this vulnerability could enable a user to obtain the contents of files readable by the webserver user.

Spynet Chat Server Denial of Service Vulnerability

A problem in the package could allow remote users to crash the chat server. Upon receiving 100 connection requests from a host within a short period of time, and then receiving a message from same host via the chat client, the chat server exits abnormally. A manual restart is required to resume service.

Directory Traversal Vulnerability in MP3Mystic Server

A vulnerability exists in Jason Rahaim's MP3Mystic Server which allows a remote user to traverse the directories of a target host. This may lead to the disclosure of file and directory contents. Arbitrary directories can be accessed through the inclusion of double dot '../' sequences when submitting a URL.

Recent Exploits: