Vulnerabilities > CVE-2001-0922 - Unspecified vulnerability in SUN Netdynamics

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

ndcgi.exe in Netdynamics 4.x through 5.x, and possibly earlier versions, allows remote attackers to steal session IDs and hijack user sessions by reading the SPIDERSESSION and uniqueValue variables from the login field, then using those variables after the next user logs in.

Vulnerable Configurations

Part Description Count
Application
Sun
5

Nessus

NASL familyCGI abuses
NASL idNDCGI.NASL
descriptionThe file ndcgi.exe exists on this web server. Some versions of this file are vulnerable to remote exploit. Because Nessus relies solely on the existence of the ndcgi.exe file, this may be a false positive.
last seen2020-06-01
modified2020-06-02
plugin id11730
published2003-06-11
reporterThis script is Copyright (C) 2003-2018 John Lampe
sourcehttps://www.tenable.com/plugins/nessus/11730
titleNetdynamics ndcgi.exe Previous User Session Replay
code
#
# This script was written by John [email protected]
#
# See the Nessus Scripts License for details
#

# Changes by Tenable:
# - Revised plugin title (4/20/009)

include("compat.inc");

# Registration branch: when the scanner loads the plugin with `description`
# set, only the metadata below is recorded and the script exits before any
# network activity.  Call order matters here (script_end_attributes() must
# follow the last script_set_attribute()), so keep additions in place.
if (description)
{
 script_id(11730);
 script_version("1.24");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

 script_cve_id("CVE-2001-0922");
 script_bugtraq_id(3583);

 script_name(english:"Netdynamics ndcgi.exe Previous User Session Replay");
 script_summary(english:"Checks for the ndcgi.exe file");

 script_set_attribute(attribute:"synopsis", value:"User sessions may be hijacked on the remote host.");
 # The check is presence-only (no version or behaviour probe), which is
 # why the description itself warns about false positives and why the
 # plugin is tagged potential_vulnerability below.
 script_set_attribute(attribute:"description", value:
"The file ndcgi.exe exists on this web server. Some versions of this
file are vulnerable to remote exploit.

As Nessus solely relied on the existence of the ndcgi.exe file, this
might be a false positive");
 script_set_attribute(attribute:"solution", value:"Remove it from /cgi-bin.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:ND");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=100681274915525&w=2");

 script_set_attribute(attribute:"vuln_publication_date", value:"2001/11/26");
 script_set_attribute(attribute:"plugin_publication_date", value:"2003/06/11");

 script_set_attribute(attribute:"potential_vulnerability", value:"true");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2003-2020 John Lampe");
 script_family(english:"CGI abuses");

 # Needs the web server fingerprint first; skipped entirely when CGI
 # scanning is disabled, and only runs at all when the paranoid report
 # setting is enabled (re-checked in the body of the script).
 script_dependencie("http_version.nasl");
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_require_keys("Settings/ParanoidReport");
 script_require_ports("Services/www", 80);

 exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");

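# Detection body.  The test is presence-only, so it is gated behind the
# paranoid report level to limit false positives.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_http_port(default:80, embedded:TRUE);

# Same outcome as the previous bare exit(0), but recorded through audit()
# for consistency with the AUDIT_PARANOID path above.
if (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);

# www/no404/<port> is set when the server answers every request with a
# success page; a plain existence check is then meaningless.
no404 = get_kb_item("www/no404/" + port);

found = 0;
foreach dir (cgi_dirs())
{
  if (!is_cgi_installed_ka(item:string(dir, "/ndcgi.exe"), port:port)) continue;

  # On a no-404 server, confirm with a random file name that cannot exist;
  # if that "exists" too, the hit is noise and the plugin reports nothing.
  if (no404 && is_cgi_installed_ka(item:string(dir, "/nessus" + rand() + ".exe"), port:port)) exit(0);

  # The matching directory was previously stored but never reported, so
  # the unused variable has been dropped.
  found = 1;
  break;
}

if (found) security_hole(port);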