CVE-2007-6405 – Simple HTTPd 1.38 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2007-6405
Sergey Lyubka Simple HTTPD (shttpd) 1.38 and earlier on Windows allows remote attackers to download arbitrary CGI programs or scripts via a URI with an appended (1) '+' character, (2) '.' character, (3) %2e sequence (hex-encoded dot), or (4) hex-encoded character greater than 0x7f. NOTE: the %20 vector is already covered by CVE-2007-3407. Sergey Lyubka Simple HTTPD (shttpd) 1.38 y versiones anteriores en Windows permite a atacantes remotos descargar programas CGI ó scripts de su elección mediante un URI con un caracter añadido (1) '+', (2) '.', (3) secuencia de %2e (punto codificado en hexadecimal), ó (4) caracteres codificados en hexadecimal mayores que 0x7f. NOTA: el vector %20 se describe en CVE-2007-3407. • https://www.exploit-db.com/exploits/4700 http://aluigi.altervista.org/adv/shttpd-adv.txt http://osvdb.org/44119 http://securityreason.com/securityalert/3457 http://sourceforge.net/mailarchive/forum.php?thread_name=20071203130540.6e482c20.aluigi%40autistici.org&forum_name=shttpd-general http://www.securityfocus.com/archive/1/484761/100/0/threaded http://www.securityfocus.com/bid/26768 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2007-3541
https://notcve.org/view.php?id=CVE-2007-3541
Cross-site scripting (XSS) vulnerability in Kurinton sHTTPd 20070408 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en Kurinton sHTTPd 20070408 y anteriores permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través de vectores no especificados. • http://jvn.jp/jp/JVN%2374063879/index.html http://osvdb.org/36348 http://secunia.com/advisories/25835 http://www.kurinton.net/~snca/shttpdass.shtml http://www.securityfocus.com/bid/24683 http://www.vupen.com/english/advisories/2007/2352 https://exchange.xforce.ibmcloud.com/vulnerabilities/35111 •