ID CVE-2003-0017
Summary Apache 2.0 before 2.0.44 on Windows platforms allows remote attackers to obtain certain files via an HTTP request that ends in certain illegal characters such as ">", which causes a different filename to be processed and served.
References
Vulnerable Configurations
  • Apache Software Foundation Apache HTTP Server 2.0.36
    cpe:2.3:a:apache:http_server:2.0.36
  • Apache Software Foundation Apache HTTP Server 2.0.37
    cpe:2.3:a:apache:http_server:2.0.37
  • Apache Software Foundation Apache HTTP Server 2.0.38
    cpe:2.3:a:apache:http_server:2.0.38
  • Apache Software Foundation Apache HTTP Server 2.0.39
    cpe:2.3:a:apache:http_server:2.0.39
  • Apache Software Foundation Apache HTTP Server 2.0.40
    cpe:2.3:a:apache:http_server:2.0.40
  • Apache Software Foundation Apache HTTP Server 2.0.41
    cpe:2.3:a:apache:http_server:2.0.41
  • Apache Software Foundation Apache HTTP Server 2.0.42
    cpe:2.3:a:apache:http_server:2.0.42
  • Apache Software Foundation Apache HTTP Server 2.0.43
    cpe:2.3:a:apache:http_server:2.0.43
CVSS
Base: 5.0 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access
Vector Complexity Authentication
NETWORK LOW NONE
Impact
Confidentiality Integrity Availability
PARTIAL NONE NONE
nessus via4
NASL family Web Servers
NASL id APACHE_WIN32_READ_FILES.NASL
description The remote host appears to be running a version of Apache for Windows that is older than 2.0.44. Such versions are reportedly affected by a flaw that allows an attacker to read files that they should not have access to by appending special characters to them.
last seen 2019-01-16
modified 2018-11-15
plugin id 11210
published 2003-01-22
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=11210
title Apache < 2.0.44 Illegal Character Default Script Mapping Bypass
refmap via4
confirm http://marc.info/?l=apache-httpd-announce&m=104313442901017&w=2
statements via4
contributor Mark J Cox
lastmodified 2008-07-02
organization Apache
statement Fixed in Apache HTTP Server 2.0.44: http://httpd.apache.org/security/vulnerabilities_20.html
Last major update 17-10-2016 - 22:28
Published 07-02-2003 - 00:00