| VID | 22026 |
| Severity | 20 |
| Port | 80 |
| Protocol | TCP |
| Class | WWW |
| Detailed Description | The W3C httpd 3.0 web server (also known as CERN httpd) reveals the full path name of virtual web directories in error messages. An attacker can request a non-existent file in a URL, and the server will return the full path name to the directory referenced, such as the cgi-bin directory. References: http://www.iss.net/security_center/static/4384.php, http://www.securityfocus.com/vdb/bottom.html?vid=936 |
| Recommendation | Use Apache (www.apache.org) since CERN httpd is no longer maintained. As a workaround, create customized error messages, as described on the W3C web site (http://www.w3.org/Daemon/User/Error.html). |
| Related URL | CVE-2000-0079 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |