| VID | 22024 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description | The Apache HTTP Server (win32) allows remote users to obtain a directory listing and retrieve files or scripts from the HTTP directory or subdirectory. By issuing a GET request with a certain number of slashes (/), a remote attacker can get a directory listing and gain access to files in that directory and its subdirectories. The number of slashes used in this attack differs from server to server. Different numbers of "/"s are required based on the length of the path to the DocumentRoot. References: http://www.securityfocus.com/bid/1284, http://www.iss.net/security_center/static/4575.php. Vulnerable platforms: Apache HTTP Server 1.3.x win32; IBM HTTP Server 1.3.3 win32; IBM HTTP Server 1.3.6.2 win32. |
| Recommendation | Disabling the "Indexes" option works as a temporary workaround. -- OR -- Upgrade to at least Apache version 1.3.14 or the latest version at www.apache.org. |
| Related URL | CVE-2000-0505 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |
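
One way to look for this request pattern in Apache access logs, as an added example that is not part of the original advisory: it groups GET requests containing long runs of slashes by client and notes whether any was answered with 200. The `min_run` threshold, the sample log lines, and the percent-decoding of `%2F` are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Apache Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')

def longest_slash_run(path):
    """Longest run of consecutive '/' in the path, after percent-decoding."""
    decoded = unquote(path.split("?", 1)[0])
    return max((len(r) for r in re.findall(r"/+", decoded)), default=0)

def find_slash_probes(lines, min_run=8):
    """Group GET requests with >= min_run consecutive slashes by client.

    min_run is an assumed tuning threshold, not a value from the advisory.
    """
    clients = defaultdict(lambda: {"runs": set(), "served": False})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(2) != "GET":
            continue
        run = longest_slash_run(m.group(3))
        if run >= min_run:
            entry = clients[m.group(1)]
            entry["runs"].add(run)
            # A 200 on such a path means the server returned content for it.
            entry["served"] = entry["served"] or m.group(4) == "200"
    return {ip: {"runs": sorted(e["runs"]), "served": e["served"]}
            for ip, e in clients.items()}

# Constructed sample log lines (documentation addresses, arbitrary slash counts).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326',
    '192.0.2.10 - - [10/Oct/2000:13:55:40 -0700] "GET /docs//page.html HTTP/1.0" 200 512',
    '198.51.100.7 - - [10/Oct/2000:13:56:01 -0700] "GET %s HTTP/1.0" 404 210' % ("/" * 20),
    '198.51.100.7 - - [10/Oct/2000:13:56:02 -0700] "GET %s HTTP/1.0" 200 1874' % ("/" * 21),
    '203.0.113.5 - - [10/Oct/2000:13:57:10 -0700] "GET /%s HTTP/1.0" 404 210' % ("%2F" * 11),
]

if __name__ == "__main__":
    for ip, info in find_slash_probes(SAMPLE_LOG).items():
        print(ip, info)
```

A client that shows several distinct run lengths is consistent with the description's point that the required number of slashes differs from server to server.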