Netware Web Server Sample Page Source Disclosure Network Vulnerability

Summary

On a Netware Web Server, viewcode.jse allows the source code of web pages to be viewed. As an argument, a URL is passed to sewse.nlm. The URL can be altered and will permit files outside of the web root to be viewed. As a result, sensitive information could be obtained from the Netware server, such as the RCONSOLE password located in AUTOEXEC.NCF. Example: http://target//lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode.jse+httplist+httplist/../../../../../system/autoexec.ncf

Solution

Remove sample NLMs and default files from the web server. Also, ensure the RCONSOLE password is encrypted and utilize a password protected screensaver for console access.

References

http://www.securityfocus.com/archive/1/246358

Updated on 2015-03-25

Severity

Classification

CVE CVE-2001-1580
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:P/I:N/A:N

Related Vulnerabilities

Default Novonyx Web Server Files
Novell Netbasic Scripting Server Directory Traversal
Netware NDS Object Enumeration
Netware 6.0 Tomcat source code viewer
Netware LDAP search request

Take action and discover your vulnerabilities