Vulnerabilities > CVE-2002-0266 - Path Disclosure vulnerability in Thunderstone Software Texis 3.0

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
thunderstone-software
nessus
exploit available

Summary

Thunderstone Texis CGI script allows remote attackers to obtain the full path of the web root via a request for a nonexistent file, which generates an error message that includes the full pathname.

Vulnerable Configurations

Part Description Count
Application
Thunderstone_Software
1

Exploit-Db

description: Thunderstone TEXIS 3.0 Path Disclosure Vulnerability. CVE-2002-0266. Remote exploits for multiple platform
id: EDB-ID:21276
last seen: 2016-02-02
modified: 2002-02-06
published: 2002-02-06
reporter: phinegeek
source: https://www.exploit-db.com/download/21276/
title: Thunderstone TEXIS 3.0 Path Disclosure Vulnerability

Nessus

  • NASL family: Web Servers
    NASL id: 404_PATH_DISCLOSURE.NASL
    description: The remote web server reveals the physical path of the webroot when a nonexistent page is requested. While printing errors to the output is useful for debugging applications, this feature should be disabled on production servers.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11714
    published: 2003-06-11
    reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/11714
    title: Nonexistent Page (404) Physical Path Disclosure
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # Vulnerable servers:
    # Pi3Web/2.0.0
    #
    # References
    # Date:  10 Mar 2002 04:23:45 -0000
    # From: "Tekno pHReak" <[email protected]>
    # To: [email protected]
    # Subject: Pi3Web/2.0.0 File-Disclosure/Path Disclosure vuln
    #
    # Date: Wed, 14 Aug 2002 23:40:55 +0400
    # From:"D4rkGr3y" <[email protected]>
    # To:[email protected], [email protected]
    # Subject: new bugs in MyWebServer
    #
    
    include("compat.inc");
    
    # Registration pass: when the scanner loads the plugin with `description`
    # set, this block only declares metadata (ids, references, scoring,
    # scheduling hints) and exits before any of the request code below runs.
    if(description)
    {
      script_id(11714);
      script_version("1.24");
      script_cvs_date("Date: 2018/06/27 18:42:26");
    
     # Note: this is a generic test, so it will also detect some path
     # disclosure issues that other plugins may already check for
     # (like #11226: Oracle9i jsp error). I have reviewed the reported
     # "path disclosure" errors from bugtraq and the following list
     # includes the bugs which will be triggered by this NASL script. Some
     # other "path disclosure" bugs in web servers might not be triggered
     # since they might depend on some specific condition (execution
     # of a cgi, options..)
     # jfs - December 2003
    
      # One generic check is mapped to several CVE / Bugtraq ids: a positive
      # result shows the behaviour (a 404 response that leaks a file-system
      # path) but does not by itself say which of the listed products or
      # CVEs is present on the host.
      script_cve_id("CVE-2001-1372", "CVE-2002-0266", "CVE-2002-2008", "CVE-2003-0456");
      script_bugtraq_id(3341, 4035, 4261, 5054, 8075);
      script_xref(name:"CERT", value:"278971");
      script_xref(name:"EDB-ID", value:"21276");
    
    
      script_name(english:"Nonexistent Page (404) Physical Path Disclosure");
      script_summary(english:"Tests for a generic path disclosure vulnerability.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server is affected by an information disclosure
    vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The remote web server reveals the physical path of the webroot when a
    nonexistent page is requested.
    
    While printing errors to the output is useful for debugging
    applications, this feature should be disabled on production servers.");
      # Each archive.org comment below appears to be the advisory behind the
      # shortened nessus.org link on the line that follows it.
      # https://web.archive.org/web/20150509055227/http://archives.neohapsis.com/archives/bugtraq/2002-02/0003.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a3e58d0b");
      # https://web.archive.org/web/20120713111456/http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0002.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9c4d1560");
      # https://web.archive.org/web/20120714023155/http://archives.neohapsis.com/archives/bugtraq/2002-06/0225.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?67b9e782");
      # NOTE(review): the remediation below is product-agnostic; in practice
      # it amounts to serving a static or generic 404 page that never echoes
      # the resolved file-system path back to the client.
      script_set_attribute(attribute:"solution", value:
    "Upgrade the web server to the latest version. Alternatively,
    reconfigure the web server to disable debug reporting.");
      # CVSS v2: network reachable, low complexity, no authentication,
      # partial confidentiality impact only (information disclosure).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      # CWE-200: exposure of sensitive information.
      script_cwe_id(200);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/02/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2003/06/11");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_end_attributes();
    
      # Scheduled with the information-gathering plugins.
      script_category(ACT_GATHER_INFO);
     
      script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
      script_family(english: "Web Servers");
    
      # Declared dependency: iis_detailed_error.nasl. The request code reads
      # the KB key www/<port>/iis_detailed_errors and skips the host when it
      # is set; presumably that key is written by this dependency.
      script_dependencie("iis_detailed_error.nasl");
      script_require_ports("Services/www", 80);
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    # Suffixes appended to the random probe name. The list covers no
    # extension, a bare dot, and common static and dynamic page types,
    # presumably because each handler (ASP, JSP, PHP, ColdFusion, ...) can
    # produce its own error page.
    probe_suffixes = make_list(
      "",
      ".",
      ".asp",
      ".aspx",
      ".html",
      ".htm",
      ".shtm",
      ".shtml",
      ".jsp",
      ".jspx",
      ".php",
      ".php3",
      ".php4",
      ".php5",
      ".php6",
      ".cfm"
    );
    
    port = get_http_port(default:80);
    kb_prefix = "www/" + port;
    
    # Hosts already flagged as IIS with detailed error messages are skipped,
    # so the same behaviour is not reported a second time by this plugin.
    if (get_kb_item(kb_prefix + "/iis_detailed_errors"))
      exit(0, "The web server listening on port "+port+" appears to be an instance of IIS that returns detailed error messages.");
    
    foreach suffix (probe_suffixes)
    {
      # A random name makes it very unlikely that the requested page exists,
      # so the server is expected to answer through its 404 handler.
      probe_name = "niet" + rand() + suffix;
      probe_path = '/' + probe_name;
    
      # The helper comes from the included libraries and is not shown on this
      # page; presumably it checks whether the error response echoes a
      # file-system path for probe_name and does the reporting itself.
      disclosed = test_generic_path_disclosure(
        item         : probe_path,
        method       : "GET",
        port         : port,
        filename     : probe_name,
        fetch404     : TRUE,
        exit_on_fail : TRUE
      );
      if (!disclosed) continue;
    
      # First hit is enough: record the finding in the KB for other plugins
      # and stop probing.
      set_kb_item(name:kb_prefix + "/generic_path_disclosure", value:TRUE);
      exit(0);
    }
    exit(0, "The web server listening on port " + port + " is not affected.");
    
  • NASL family: CGI abuses
    NASL id: TEXIS_PATH_DISCLOSURE.NASL
    description: The Thunderstone Software TEXIS application running on the remote host is affected by an information disclosure vulnerability that allows an unauthenticated, remote attacker to obtain the full path of the web root directory by making a specially crafted request for a nonexistent file.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11401
    published: 2003-03-15
    reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/11401
    title: Thunderstone Software TEXIS Nonexistent File Request Path Disclosure
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: declares the plugin metadata and exits; none of the
    # request code below runs while `description` is set.
    if(description)
    {
      script_id(11401);
      script_version ("1.22");
      script_cvs_date("Date: 2018/11/15 20:50:19");
    
      # Product-specific check: a single CVE / Bugtraq id, unlike the generic
      # 404 path-disclosure plugin that lists CVE-2002-0266 among several.
      script_cve_id("CVE-2002-0266");
      script_bugtraq_id(4035);
      script_xref(name:"EDB-ID", value:"21276");
    
      script_name(english:"Thunderstone Software TEXIS Nonexistent File Request Path Disclosure");
      script_summary(english:"Checks for TEXIS path disclosure.");
    
      script_set_attribute(attribute:"synopsis", value:
    "A CGI application running on the remote host is affected by an
    information disclosure vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The Thunderstone Software TEXIS application running on the remote
    host is affected by an information disclosure vulnerability that
    allows an unauthenticated, remote attacker to obtain the full path of
    the web root directory by making a specially crafted request for a
    nonexistent file.");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2002/Feb/66");
      script_set_attribute(attribute:"solution", value:
    "Upgrade Thunderstone Software TEXIS to the latest version.");
      # CVSS v2 and v3 vectors both describe an unauthenticated, network
      # reachable issue whose only impact is limited confidentiality loss.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      # NOTE(review): "exploit_available" is "false" here, while this block
      # also cross-references EDB-ID 21276 and sets a proof-of-concept
      # temporal metric (E:POC / E:P). Triage tooling that filters on
      # exploit_available may rank this finding lower than the generic
      # plugin for the same CVE - confirm which value is intended.
      script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2002/02/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/15");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:thunderstone_software:texis");
      script_end_attributes();
    
      script_category(ACT_ATTACK);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
    
      script_dependencie("http_version.nasl");
      script_require_ports("Services/www", 80);
      # Not scheduled when the Settings/disable_cgi_scanning KB key is set.
      script_exclude_keys("Settings/disable_cgi_scanning");
    
     exit(0);
    }
    
    #
    # The script code starts here
    #
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
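    port = get_http_port(default:80);
    
    vuln = FALSE;
    # Evidence captured at the moment of detection, so that the report always
    # shows the request and response that actually matched.
    vuln_url  = NULL;
    vuln_body = NULL;
    
    # Names under which the Texis CGI is looked for in each CGI directory.
    files = make_list("texis.exe", "texis.cgi", "texis");
    # Random script path handed to the CGI; the string subtraction strips
    # ".nasl" from the plugin file name so only its base name is embedded.
    file404 = "/" + rand_str() + "-" + SCRIPT_NAME - ".nasl";
    # Texis error text that echoes the path of the source file it failed to
    # open - this is the disclosure being detected.
    file_regex = "Can't open source file (.*): No such file";
    
    foreach dir (cgi_dirs())
    {
      foreach file (files)
      {
        url = "/" + file + file404;
        res = http_send_recv3(
          method : "GET",
          item   : dir + url,
          port   : port,
          exit_on_fail : TRUE
        );
        # Both conditions are required: the response must identify itself as
        # Texis and contain the "can't open source file" error.
        if(
          ("Texis Web Script" >< res[2]) &&
          egrep(pattern:file_regex, string:res[2], icase:TRUE)
        )
        {
          vuln = TRUE;
          vuln_url  = dir + url;
          vuln_body = res[2];
          break;
        }
      }
      # `break` above only leaves the inner loop. Without this second break
      # the remaining CGI directories were still requested, overwriting
      # dir/url/res, so the report could quote a request and response that
      # did not match (or the plugin could exit on a later failed request
      # without reporting at all).
      if (vuln) break;
    }
    if (vuln)
    {
      # Trim the report to the Texis error page; fall back to the whole body.
      output = strstr(vuln_body, "Texis Web Script");
      if (empty_or_null(output)) output = vuln_body;
    
      # The output quoted in the finding contains the disclosed server path.
      security_report_v4(
        port     : port,
        severity : SECURITY_WARNING,
        generic  : TRUE,
        request  : make_list(build_url(qs:vuln_url, port:port)),
        output   : chomp(output)
      );
      exit(0);
    }
    else
      audit(AUDIT_WEB_SERVER_NOT_AFFECTED, port);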
    
  • NASL family: CGI abuses
    NASL id: TEXIS_INFO_DISCLOSURE.NASL
    description: The remote installation of Texis can be abused to disclose potentially sensitive information about the remote host, such as its internal IP address and the path to various components (eg, cmd.exe).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 11400
    published: 2003-03-15
    reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/11400
    title: Thunderstone Software Texis Crafted Request Information Disclosure
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    
    # Date: Fri, 14 Mar 2003 14:39:36 -0800
    # To: [email protected]
    # Subject: @(#)Mordred Labs advisory - Texis sensitive information leak
    # From: [email protected]
    #
    # This is NOT CVE-2002-0266/BID4035 !
    
    
    # Registration pass: declares the plugin metadata and exits; none of the
    # request code below runs while `description` is set.
    if(description)
    {
     script_id(11400);
     script_version ("1.22");
    
     # No script_cve_id() is registered for this plugin; Bugtraq ID 7105 is
     # the only vulnerability identifier it carries, so CVE-keyed reporting
     # will not pick this finding up.
     script_bugtraq_id(7105);
     
     script_name(english:"Thunderstone Software Texis Crafted Request Information Disclosure");
     script_summary(english:"Checks for texis.exe");
     
     script_set_attribute(attribute:"synopsis",value:
    "The remote web server contains a CGI script that is susceptible to an
    information disclosure attack." );
     script_set_attribute(attribute:"description", value:
    "The remote installation of Texis can be abused to disclose potentially
    sensitive information about the remote host, such as its internal IP
    address and the path to various components (eg, cmd.exe)." );
     script_set_attribute(
      attribute:"see_also", 
      value:"https://seclists.org/bugtraq/2003/Mar/206"
     );
     script_set_attribute(
      attribute:"see_also", 
      value:"https://seclists.org/bugtraq/2003/Mar/247"
     );
     script_set_attribute(
      attribute:"solution", 
      value:"Contact Thunderstone tech support for a patch."
     );
     # CVSS v2: unauthenticated, network reachable, partial confidentiality
     # impact only.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
     script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_set_attribute(attribute:"vuln_publication_date", value:"2003/03/14");
     script_set_attribute(attribute:"patch_publication_date", value:"2003/03/18");
     script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/15");
     script_cvs_date("Date: 2018/11/15 20:50:19");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     # The check issues the disclosing request itself (see the request code
     # after this block) rather than inferring the issue from a version string.
     script_set_attribute(attribute:"exploited_by_nessus", value:"true");
      script_end_attributes();
    
     script_category(ACT_ATTACK);
     script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
     script_family(english:"CGI abuses");
     script_dependencie("find_service1.nasl", "http_version.nasl");
     script_require_ports("Services/www", 80);
     # Not scheduled when the Settings/disable_cgi_scanning KB key is set.
     script_exclude_keys("Settings/disable_cgi_scanning");
     
     exit(0);
    }
    
    #
    # The script code starts here
    #
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    port = get_http_port(default:80);
    
    # Only texis.exe is requested in each CGI directory; the other Texis
    # script names used by the path-disclosure plugin (texis.cgi, texis) are
    # not covered by this check.
    foreach cgi_dir (cgi_dirs())
    {
      url = string(cgi_dir, "/texis.exe/?-dump");
      reply = http_send_recv3(method:"GET", item:url, port:port);
      if (isnull(reply))
        exit(1, "The web server failed to respond.");
    
      # Join the three parts of the reply (presumably status line, headers
      # and body) so the marker is searched for in all of them.
      full_reply = strcat(reply[0], reply[1], '\r\n', reply[2]);
    
      # NOTE(review): the only evidence required is the substring
      # "COMPUTERNAME"; nothing confirms the reply came from Texis, so a page
      # that happens to contain that word would also be reported. Validate
      # findings against the URL in the report before acting on them.
      if ("COMPUTERNAME" >!< full_reply) continue;
    
      if (report_verbosity > 0)
      {
        report = string(
          "\n",
          "Nessus was able to exploit the issue using the following URL :\n",
          "\n",
          "  ", build_url(port:port, qs:url), "\n"
        );
        security_warning(port:port, extra:report);
      }
      else
        security_warning(port);
    
      # One confirmed directory is enough; stop after the first finding.
      exit(0);
    }