Sid 1-1156

Message

SERVER-WEBAPP apache directory disclosure attempt

Summary

The default installation of Apache before 1.3.19 allows remote attackers to list directories instead of the multiview index.html file via an HTTP request for a path that contains many / (slash) characters, which causes the path to be mishandled by (1) modnegotiation, (2) moddir, or (3) mod_autoindex.

Impact

CVSS base score 5.0 CVSS impact score 2.9 CVSS exploitability score 10.0 confidentialityImpact PARTIAL integrityImpact NONE availabilityImpact NONE

CVE-2001-0925:

CVSS base score 5.0

CVSS impact score 2.9

CVSS exploitability score 10.0

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

Detailed information

CVE-2001-0925: The default installation of Apache before 1.3.19 allows remote attackers to list directories instead of the multiview index.html file via an HTTP request for a path that contains many / (slash) characters, which causes the path to be mishandled by (1) modnegotiation, (2) moddir, or (3) mod_autoindex.

Affected systems

• apache http_server 1.3.19

Ease of attack

CVE-2001-0925:

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

False positives

None known

False negatives

None known

Corrective action

Upgrade to the latest non-affected version of the software.

Apply the appropriate vendor supplied patches.

Contributors

• Talos research team.
• This document was generated from data supplied by the national vulnerability database, a product of the national institute of standards and technology.
• For more information see nvd.

Additional References