CVE-2000-0671
published 2000-07-21CVE-2000-0671: Roxen web server earlier than 2.0.69 allows allows remote attackers to bypass access restrictions, list directory contents, and read source code by inserting a…
PriorityP426medium5CVSS 2.0
AVNACLAuNCPINAN
EXPLOIT
EPSS
7.86%
94.0th percentile
Roxen web server earlier than 2.0.69 allows allows remote attackers to bypass access restrictions, list directory contents, and read source code by inserting a null character (%00) to the URL.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| roxen | webserver | — | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No writeups or analysis indexed.
CWE
Improper Handling of URL Encoding (Hex Encoding)
mitre_cwe·CVSS 7.5
[HIGH] CWE-177 Improper Handling of URL Encoding (Hex Encoding)
CWE-177: Improper Handling of URL Encoding (Hex Encoding)
The product does not properly handle when all or part of an input has been URL encoded.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Integrity. Impact: Unexpected State.
Potential Mitigations:
[Architecture and Design] Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.
[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including le
CWE
Improper Neutralization of Null Byte or NUL Character
mitre_cwe
CWE-158 Improper Neutralization of Null Byte or NUL Character
CWE-158: Improper Neutralization of Null Byte or NUL Character
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.
As data is parsed, an injected NUL character or null byte may cause the product to believe the input is terminated earlier than it actually is, or otherwise cause the input to be misinterpreted. This could then be used to inject potentially dangerous input that occurs after the null byte or otherwise bypass validation routines and other protection mechanisms.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Integrity. Impact: Unexpected State.
Potential Mitigations:
Developers should anticipate that null characters or
http://archives.neohapsis.com/archives/bugtraq/2000-07/0307.htmlhttp://archives.neohapsis.com/archives/bugtraq/2000-07/0321.htmlhttp://www.securityfocus.com/bid/1510https://exchange.xforce.ibmcloud.com/vulnerabilities/4965http://archives.neohapsis.com/archives/bugtraq/2000-07/0307.htmlhttp://archives.neohapsis.com/archives/bugtraq/2000-07/0321.htmlhttp://www.securityfocus.com/bid/1510https://exchange.xforce.ibmcloud.com/vulnerabilities/4965
2000-07-21
Published