Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
openvasThis script is Copyright (C) 2002 Michel ArboiOPENVAS:11048
HistoryNov 03, 2005 - 12:00 a.m.

Resin DOS device path disclosure

2005-11-0300:00:00
This script is Copyright (C) 2002 Michel Arboi
plugins.openvas.org
13

0.002 Low

EPSS

Percentile

60.4%

JSON

Resin will reveal the physical path of the webroot
when asked for a special DOS device, e.g. lpt9.xtp

An attacker may use this flaw to gain further knowledge
about the remote filesystem layout.

# OpenVAS Vulnerability Test
# $Id: resin_path_disclosure.nasl 6702 2017-07-12 13:49:41Z cfischer $
# Description: Resin DOS device path disclosure
#
# Authors:
# Michel Arboi <[email protected]>
# Script audit and contributions from Carmichael Security <http://www.carmichaelsecurity.com>
# Erik Anderson <[email protected]>
# Added BugtraqID
#
# Copyright:
# Copyright (C) 2002 Michel Arboi
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#

tag_summary = "Resin will reveal the physical path of the webroot 
when asked for a special DOS device, e.g. lpt9.xtp

An attacker may use this flaw to gain further knowledge
about the remote filesystem layout.";

tag_solution = "Upgrade to a later software version.";

# Source:
# From:"Peter_GrΓΌndl" <[email protected]>
# To:"bugtraq" <[email protected]>
# Subject: KPMG-2002033: Resin DOS device path disclosure
# Date: Wed, 17 Jul 2002 11:33:59 +0200

if(description)
{
 script_id(11048);
 script_version("$Revision: 6702 $");
 script_tag(name:"last_modification", value:"$Date: 2017-07-12 15:49:41 +0200 (Wed, 12 Jul 2017) $");
 script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
 script_cve_id("CVE-2002-2090");
 script_bugtraq_id(5252);
 script_tag(name:"cvss_base", value:"5.0");
 script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:N/A:N");

 script_name("Resin DOS device path disclosure");
 
 
 script_category(ACT_MIXED_ATTACK);
  script_tag(name:"qod_type", value:"remote_banner");
 
 script_copyright("This script is Copyright (C) 2002 Michel Arboi");
 script_family("Web application abuses");
 script_dependencies("gb_get_http_banner.nasl", "no404.nasl");
 script_mandatory_keys("Resin/banner");
 script_require_ports("Services/www", 80);
 script_tag(name : "solution" , value : tag_solution);
 script_tag(name : "summary" , value : tag_summary);
 exit(0);
}

include("http_func.inc");

port = get_http_port(default:8282);

# Requesting a DOS device may hang some servers
# According to Peter GrΓΌndl's advisory:
# Vulnerable:
# Resin 2.1.1 on Windows 2000 Server
# Resin 2.1.2 on Windows 2000 Server
# <[email protected]> added Resin 2.1.0
# Not Vulnerable:
# Resin 2.1.s020711 on Windows 2000 Server
# 
# The banner for snapshot 020604 looks like this:
# Server: Resin/2.1.s020604

banner = get_http_banner(port: port);
vulnver=0;

if ( "Resin/" >!< banner ) exit(0);

# I suppose that any 2.1 snapshot is all right.
if (egrep(pattern: "^Server: *Resin/2\.((0\..*)|(1\.[0-2]))",
	string: banner, icase: 1) ) vulnver=1;

if (safe_checks())
{
 if (vulnver)
 {
  msg = string(
	"OpenVAS solely relied on the version number of your\n",
	"*** server, so this may be a false alert.\n");
  security_message(port: port, data: msg);
 }
 exit(0);
}

soc = open_sock_tcp(port);
if(!soc) exit(0);
req = http_get(item:"/aux.xtp", port:port);
send(socket:soc, data:req);
h = http_recv_headers2(socket:soc);
r = http_recv_body(socket:soc, headers:h);
close(soc);


badreq=0; vuln=0;
if(egrep(pattern: "^500 ", string: h)) badreq=1;

if (egrep(pattern: "[CDE]:\\(.*\\)*aux.xtp", string:r)) vuln=1;

if (vuln) { 
	path = egrep(pattern: "[CDE]:\\(.*\\)*aux.xtp", string:r);
	path = ereg_replace(pattern:".*([CDE]:\\.*aux\.xtp).*", string:path, replace:"\1");

msg = "The remote web server reveals the physical path of the 
webroot when asked for a special DOS device, e.g. lpt9.xtp

For instance, requesting :

GET /aux.xtp

Returns the following path(s) : 

" + path + "

An attacker may use this flaw to gain further knowledge
about the remote filesystem layout.

Solution: Upgrade to a later software version.";


		security_message(port:port, data:msg); exit(0);

}
if (vulnver) {
 msg = string(
	"The version number of your server looks vulnerable\n",
	"*** but the attack did not succeed, so this may be a false alert.\n");
 security_message(port: port, data: msg);
   
}

Related

cvelist 1
nvd 1
openvas 1
cve 1
nessus 1
cvelist
cvelist
CVE-2002-2090
2022-10-03 16:23:49
nvd
nvd
CVE-2002-2090
2002-12-31 05:00:00
openvas
openvas
Caucho Resin <= 2.1.2 Information Disclosure Vulnerability
2005-11-03 00:00:00
cve
cve
CVE-2002-2090
2022-10-03 16:23:49
nessus
nessus
Resin MS-DOS Device Request Path Disclosure
2002-07-17 00:00:00

0.002 Low

EPSS

Percentile

60.4%

JSON
Related for OPENVAS:11048
cvelist1nvd1openvas1cve1nessus1