ID CVE-2002-0061
Summary Apache for Win32 before 1.3.24, and 2.0.x before 2.0.34-beta, allows remote attackers to execute arbitrary commands via shell metacharacters (a | pipe character) provided as arguments to batch (.bat) or .cmd scripts, which are sent unfiltered to the shell interpreter, typically cmd.exe.
References
Vulnerable Configurations
  • Apache Software Foundation Apache HTTP Server 1.3.23
    cpe:2.3:a:apache:http_server:1.3.23
  • Apache Software Foundation Apache HTTP Server 2.0.28 Beta
    cpe:2.3:a:apache:http_server:2.0.28:beta
CVSS
Base: 7.5 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
exploit-db via4
description Apache Win32 1.3.x/2.0.x Batch File Remote Command Execution Vulnerability. CVE-2002-0061. Remote exploit for windows platform
id EDB-ID:21350
last seen 2016-02-02
modified 2002-03-21
published 2002-03-21
reporter SPAX
source https://www.exploit-db.com/download/21350/
title Apache Win32 1.3.x/2.0.x Batch File Remote Command Execution Vulnerability
nessus via4
NASL family Web Servers
NASL id APACHE_BAT_EXEC.NASL
description Apache for Win32 prior to 1.3.24 and 2.0.x prior to 2.0.34-beta is shipped with a default script, '/cgi-bin/test-cgi.bat', that allows an attacker to remotely execute arbitrary commands on the host subject to the permissions of the affected application. An attacker can send a pipe character '|' with commands appended as parameters, which are then executed by Apache.
last seen 2019-02-21
modified 2018-11-15
plugin id 10938
published 2002-04-18
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=10938
title Apache on Windows < 1.3.24 / 2.0.x < 2.0.34 DOS Batch File Arbitrary Command Execution
packetstorm via4
data source https://packetstormsecurity.com/files/download/25903/Apache.Win32.txt
id PACKETSTORM:25903
last seen 2016-12-05
published 2002-03-22
reporter Ory Segal
source https://packetstormsecurity.com/files/25903/Apache.Win32.txt.html
title Apache.Win32.txt
refmap via4
bid 4335
bugtraq
  • 20020321 Vulnerability in Apache for Win32 batch file processing - Remote command execution
  • 20020325 Apache 1.3.24 Released! (fwd)
confirm http://www.apacheweek.com/issues/02-03-29#apache1324
xf apache-dos-batch-command-execution(8589)
statements via4
contributor Mark J Cox
lastmodified 2008-07-02
organization Apache
statement Fixed in Apache HTTP Server 1.3.24: http://httpd.apache.org/security/vulnerabilities_13.html
Last major update 17-10-2016 - 22:15
Published 21-03-2002 - 00:00