CVE-2001-0925: Path Traversal
First published: Mon Mar 12 2001(Updated: )
The default installation of Apache before 1.3.19 allows remote attackers to list directories instead of the multiview index.html file via an HTTP request for a path that contains many / (slash) characters, which causes the path to be mishandled by (1) mod_negotiation, (2) mod_dir, or (3) mod_autoindex.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Http Server | =1.3.11 | |
| Apache Http Server | =1.3.12 | |
| Apache Http Server | =1.3.14 | |
| Apache Http Server | =1.3.17 | |
| Debian Linux | =2.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.apacheweek.com/features/security-13
- http://www.debian.org/security/2001/dsa-067
- http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-077.php3
- http://www.linuxsecurity.com/advisories/other_advisory-1452.html
- http://www.securityfocus.com/archive/1/168497
- http://www.securityfocus.com/archive/1/178066
- http://www.securityfocus.com/archive/1/193081
- http://www.securityfocus.com/bid/2503
- http://www.securityfocus.com/cgi-bin/archive.pl?id=1&start=2002-01-27&end=2002-02-02&mid=199857&threads=1
- https://exchange.xforce.ibmcloud.com/vulnerabilities/6921
- https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r5419c9ba0951ef73a655362403d12bb8d10fab38274deb3f005816f5@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf2f0f3611f937cf6cfb3b4fe4a67f69885855126110e1e3f2fb2728e@%3Ccvs.httpd.apache.org%3E
Frequently Asked Questions
What is the severity of CVE-2001-0925?
CVE-2001-0925 has a medium severity rating as it allows directory listing, which can expose sensitive information.
How do I fix CVE-2001-0925?
To fix CVE-2001-0925, upgrade the Apache HTTP Server to version 1.3.19 or later.
What versions of Apache are affected by CVE-2001-0925?
CVE-2001-0925 affects Apache HTTP Server versions 1.3.11 through 1.3.17.
Can CVE-2001-0925 be exploited remotely?
Yes, CVE-2001-0925 can be exploited remotely by attackers to list directories.
What modules are involved in CVE-2001-0925?
CVE-2001-0925 involves the mod_negotiation, mod_dir, and mod_autoindex modules of Apache.
- agent/type
- agent/references
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/remedy
- agent/severity
- agent/event
- agent/description
- agent/source
- agent/author
- collector/nvd-api
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-historical
- collector/nvd-index
- vendor/apache
- canonical/apache http server
- version/apache http server/1.3.11
- version/apache http server/1.3.12
- version/apache http server/1.3.14
- version/apache http server/1.3.17
- vendor/debian
- canonical/debian linux
- version/debian linux/2.2