HTTP SERVER (httpsv1.6.2) source code disclosure

2007.06.27

Credit: imprili

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2007-3327

CWE: CWE-Other

CVSS Base Score: 5/10

Impact Subscore: 2.9/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: None

Availability impact: None

HTTP SERVER (httpsv1.6.2) source code disclosure
http://httpsv.sourceforge.net/

The vulnerability is caused due to a parser error of the filename extension supplied by the user in the URL.
This can be exploited to retrieve the source code of script files.

POC: http://127.0.0.1/test.htm%20

Bug Found By: Prili - imprili[at]gmail.com

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

HTTP SERVER (httpsv1.6.2) source code disclosure

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.