Apache < 2.0.44 Illegal Character Default Script Mapping Bypass

This script is Copyright (C) 2003-2014 Tenable Network Security, Inc.


Synopsis :

The remote web server is affected by a request file disclosure
vulnerability.

Description :

The remote host appears to be running a version of Apache for Windows
that is older than 2.0.44. Such versions are reportedly affected by a
flaw that allows an attacker to read files that they should not have
access to by appending special characters to them.

See also :

http://marc.info/?l=apache-httpd-announce&m=104313442901017&w=2

Solution :

Upgrade to Apache 2.0.44 or newer.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 4.3
(CVSS2#E:H/RL:OF/RC:C)
Public Exploit Available : true

Family: Web Servers

Nessus Plugin ID: 11210 (apache_win32_read_files.nasl)

Bugtraq ID: 6660

CVE ID: CVE-2003-0017