Novell NetWare sewse.nlm (test.jse) Sample Application Information Disclosure

2002-05-29T22:24:42
ID OSVDB:17467
Type osvdb
Reporter Richard Brain(richard.brain@procheckup.com)
Modified 2002-05-29T22:24:42

Description

Vulnerability Description

Novell NetWare contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when requesting /lcgi/sewse.nlm with a query string pointing to the test.jse object, which will disclose server information resulting in a loss of confidentiality.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround : This 'test.jse' file was added mainly as a demonstration of web server and as such, it could be safely removed.

Short Description

Novell NetWare contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when requesting /lcgi/sewse.nlm with a query string pointing to the test.jse object, which will disclose server information resulting in a loss of confidentiality.

Manual Testing Notes

http://[target]/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/misc/test.jse

References:

Vendor URL: http://www.novell.com Vendor Specific Advisory URL Related OSVDB ID: 17463 Related OSVDB ID: 17464 Related OSVDB ID: 17461 Related OSVDB ID: 17462 Related OSVDB ID: 17465 Related OSVDB ID: 17468 Related OSVDB ID: 17466 Other Advisory URL: http://attrition.org/security/advisory/misc/pro2-3.netware_50 Other Advisory URL: http://attrition.org/security/advisory/misc/pro2-1.netware_50-1 ISS X-Force ID: 9212 CVE-2002-1634 CERT VU: 159203 Bugtraq ID: 4874