CVE-1999-0045

Step 1: Identify the Vulnerable Script: The attacker identifies the presence of the nph-test-cgi script on the target web server, typically by scanning for common file locations or through directory listing vulnerabilities.

Step 2: Craft the Payload: The attacker constructs a URL that includes the path to the nph-test-cgi script and a crafted parameter specifying the file to be read. This parameter utilizes path traversal techniques (e.g., ../) to navigate outside the intended directory.

Step 3: Submit the Request: The attacker sends the crafted URL to the web server.

Step 4: Script Execution: The web server executes the nph-test-cgi script, passing the attacker-supplied file path as an argument.

Step 5: File Read and Disclosure: The nph-test-cgi script, lacking proper input validation, reads the contents of the specified file and returns it in the HTTP response, allowing the attacker to view the file's contents.

The vulnerability stems from a lack of input validation within the nph-test-cgi script. This script, often included with older web server installations, is designed for testing CGI functionality. It fails to properly sanitize user-supplied input, allowing an attacker to specify arbitrary file paths. The script then attempts to read and display the contents of these files, effectively bypassing security restrictions and enabling unauthorized access to sensitive information. The root cause is a simple path traversal vulnerability, where the script does not check or restrict the file paths provided by the user.