Vulnerabilities > CVE-2006-0819 - Input Validation vulnerability in Gnome Dwarf Http Server 1.3.2
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
NONE Availability impact
NONE Summary
Dwarf HTTP Server 1.3.2 allows remote attackers to obtain the source code of JSP files via (1) dot, (2) space, (3) slash, or (4) NULL characters in the filename extension of an HTTP request.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Nessus
| NASL family | CGI abuses |
| NASL id | DWARF_HTTP_133.NASL |
| description | The remote host is running Dwarf HTTP Server, a full-featured, Java-based web server. According to its banner, the version of Dwarf HTTP Server on the remote host reportedly fails to properly validate filename extensions in URLs. A remote attacker may be able to leverage this issue to disclose the source of scripts hosted by the affected application using specially crafted requests with dot, space, slash, and NULL characters. In addition, the web server also reportedly fails to sanitize requests before returning error pages, which can be exploited to conduct cross-site scripting attacks. |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 21092 |
| published | 2006-03-17 |
| reporter | This script is Copyright (C) 2006-2018 Tenable Network Security, Inc. |
| source | https://www.tenable.com/plugins/nessus/21092 |
| title | Dwarf HTTP Server < 1.3.3 Multiple Remote Vulnerabilities (XSS, Disc) |
| code | |
References
- http://secunia.com/advisories/18962
- http://secunia.com/secunia_research/2006-13/advisory
- http://securityreason.com/securityalert/576
- http://securitytracker.com/id?1015779
- http://www.osvdb.org/23836
- http://www.securityfocus.com/archive/1/427478/100/0/threaded
- http://www.securityfocus.com/bid/17123
- http://www.vupen.com/english/advisories/2006/0937
- https://exchange.xforce.ibmcloud.com/vulnerabilities/25178