Vulnerabilities > CVE-2000-1024 - Unspecified vulnerability in Unify Ewave Servletexec 3.0C

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
unify
critical
nessus

Summary

eWave ServletExec 3.0C and earlier does not restrict access to the UploadServlet Java/JSP servlet, which allows remote attackers to upload files and execute arbitrary commands.

Vulnerable Configurations

Part Description Count
Application
Unify
1

Nessus

NASL family: CGI abuses
NASL id: EWAVE_SERVLET_UPLOAD.NASL
description: ServletExec has a servlet called 'UploadServlet' in its server side classes. [...]
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 10570
published: 2000-12-19
reporter: This script is Copyright (C) 2000-2018 Matt Moore
source: https://www.tenable.com/plugins/nessus/10570
title: Unify eWave ServletExec 3.0C UploadServlet Unprivileged File Upload
code
#
# This script was written by Matt Moore <[email protected]>
#
# See the Nessus Scripts License for details
#

# Changes by Tenable:
# - Revised plugin title (4/9/2009)


include("compat.inc");

# Plugin registration block: runs only when `description` is set. It declares
# the plugin's identity, advisory references, report text, scoring and
# scheduling requirements, then exits before any of the detection code below.
if (description)
{
 # Plugin identity and revision metadata.
 script_id(10570);
 script_version("1.24");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

 # Advisory cross-references (CVE and Bugtraq ID) attached to any finding.
 script_cve_id("CVE-2000-1024");
 script_bugtraq_id(1876);

 script_name(english:"Unify eWave ServletExec 3.0C UploadServlet Unprivileged File Upload");
 script_summary(english:"Unify eWave ServletExec 3.0C file upload");

 # Report text. The description states the impact chain: unrestricted upload
 # to any directory, followed by execution of the uploaded code.
 script_set_attribute(attribute:"synopsis", value:"Arbitrary files may be overwritten on the remote host.");
 script_set_attribute(attribute:"description", value:
"ServletExec has a servlet called 'UploadServlet' in its server side
classes. UploadServlet, when invokable, allows an attacker to upload
any file to any directory on the server. The uploaded file may have
code that can later be executed on the server, leading to remote
command execution.");
 # NOTE(review): the solution text does not say what "it" is. From the
 # description above it is presumably the UploadServlet class; a reader of the
 # report would benefit from that being spelled out.
 script_set_attribute(attribute:"solution", value:"Remove it.");
 # NOTE(review): this CVSS2 base vector rates C/I/A as Partial, while the CVE
 # listing that carries this plugin shows all three impacts as COMPLETE with a
 # score of 10.0. Confirm which rating should drive prioritisation.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");

 script_set_attribute(attribute:"vuln_publication_date", value:"2000/10/31");
 script_set_attribute(attribute:"plugin_publication_date", value:"2000/12/19");

 # Flagged as a potential vulnerability: the detection code below only checks
 # that the servlet URL responds and never performs an upload, so a finding
 # is an inference that should be confirmed on the host.
 script_set_attribute(attribute:"potential_vulnerability", value:"true");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2000-2020 Matt Moore");
 script_family(english:"CGI abuses");

 # Scheduling requirements: depends on http_version.nasl, requires the
 # Settings/ParanoidReport key, and targets a detected web service or port 80.
 script_dependencie("http_version.nasl");
 script_require_keys("Settings/ParanoidReport");
 script_require_ports("Services/www", 80);

 # Stop here during registration; the detection code is not reached.
 exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");

# Existence-only check for the ServletExec UploadServlet. No file is uploaded:
# a finding means the servlet URL answered, not that exploitation was proven,
# so results should be confirmed on the host before remediation is closed out.

# The check is inference-based, so the plugin bails out via audit() unless
# report_paranoia is at least 2.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# embedded:TRUE presumably lets the check run against embedded web servers
# too; confirm against http_func.inc.
port = get_http_port(default:80, embedded:TRUE);

# Control request: ask for a randomly named servlet that cannot exist. If the
# server reports it as present, it answers positively for any servlet path and
# the real probe would be a false positive, so stop without reporting.
bogus_servlet = "/servlet/nessus." + string(rand(),rand(), rand());
if (is_cgi_installed_ka(item:bogus_servlet, port:port)) exit(0);

# Real probe: report the port only when the UploadServlet class is reachable
# through the /servlet/ invoker path.
upload_servlet = "/servlet/com.unify.servletexec.UploadServlet";
if (is_cgi_installed_ka(item:upload_servlet, port:port))
{
 security_hole(port);
}