Apache for Windows Multiple Forward Slash Directory Listing

medium Nessus Plugin ID 10440

Synopsis

It is possible to obtain the list of the contents of the remote directory.

Description

Certain versions of Apache for Win32 have a bug wherein remote users can list directory entries. Specifically, by appending multiple /'s to the HTTP GET command, the remote Apache server will list all files and subdirectories within the web root (as defined in httpd.conf).

Solution

Upgrade to the most recent version of Apache at www.apache.org

Plugin Details

Severity: Medium

ID: 10440

File Name: apache_slash.nasl

Version: 1.55

Type: remote

Family: Web Servers

Published: 6/13/2000

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.5

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:http_server

Required KB Items: installed_sw/Apache, Settings/ThoroughTests

Exploit Ease: No exploit is required

Vulnerability Publication Date: 5/30/2000

Reference Information

CVE: CVE-2000-0505, CVE-2001-0729

BID: 1284