Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
exploitdbStefan BagdohnEDB-ID:21800
HistorySep 17, 2002 - 12:00 a.m.

DB4Web 3.4/3.6 - File Disclosure

2002-09-1700:00:00
Stefan Bagdohn
www.exploit-db.com
18

AI Score

7.4

Confidence

Low

JSON
source: https://www.securityfocus.com/bid/5723/info

DB4Web is an application server that allows read and write access to relational databases and other information sources, via the web. The application is available for Windows, Linux, and various Unix platforms.

A directory traversal bug exists in DB4Web.

By passing a maliciously crafted query to the application, an attacker can potentially gain access to arbitrary system files. This is due to the application insufficiently validating the user supplied input.

On MS Windows systems the URL to retrieve the boot.ini file would
look like:
http://db4web.server.system/scripts/db4web_c.exe/dbdirname/c%3A%5Cboot.ini

On Linux/Unix servers the following URL will show /etc/hosts:
http://db4web.server.system/cgi-bin/db4web_c/dbdirname//etc/hosts

Related

cvelist 1
openvas 2
cve 1
nvd 1
nessus 1
cvelist
cvelist
CVE-2002-1483
2003-03-18 05:00:00
openvas
openvas
DB4Web directory traversal
2005-11-03 00:00:00
DB4Web directory traversal
2005-11-03 00:00:00
cve
cve
CVE-2002-1483
2003-04-22 04:00:00
nvd
nvd
CVE-2002-1483
2003-04-22 04:00:00
nessus
nessus
DB4Web Server db4web_c Filename Request Traversal Arbitrary File Access
2002-12-02 00:00:00

AI Score

7.4

Confidence

Low

JSON
Related for EDB-ID:21800
cvelist1openvas2cve1nvd1nessus1