Apache for Windows Multiple Forward Slash Directory Listing

Medium Nessus Plugin ID 10440


It is possible to obtain the list of the contents of the remote directory.


Certain versions of Apache for Win32 have a bug wherein remote users can list directory entries. Specifically, by appending multiple /'s to the HTTP GET command, the remote Apache server will list all files and subdirectories within the web root (as defined in httpd.conf).


Upgrade to the most recent version of Apache at www.apache.org

Plugin Details

Severity: Medium

ID: 10440

File Name: apache_slash.nasl

Version: $Revision: 1.51 $

Type: remote

Family: Web Servers

Published: 2000/06/13

Modified: 2018/01/23

Dependencies: 48204

Risk Information

Risk Factor: Medium


Base Score: 5

Temporal Score: 4.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:F/RL:W/RC:ND


Base Score: 5.3

Temporal Score: 5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:F/RL:W/RC:X

Vulnerability Information

CPE: cpe:/a:apache:http_server

Required KB Items: installed_sw/Apache, Settings/ThoroughTests

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 2000/05/30

Reference Information

CVE: CVE-2000-0505, CVE-2001-0729

BID: 1284

OSVDB: 342, 9701