5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
6.5 Medium
AI Score
Confidence
Low
0.018 Low
EPSS
Percentile
88.1%
It was possible to make the remote web server disclose the physical path to its web root by requesting a MS-DOS device ending in .dbm (as in nul.dbm).
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
#
# This script was written by Renaud Deraison <[email protected]>
# Modified by Paul Johnston for Westpoint Ltd to display the web root
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(11393);
script_version("1.28");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/05");
script_cve_id("CVE-2002-0576");
script_bugtraq_id(4542);
script_name(english:"ColdFusion on IIS cfm/dbm Diagnostic Error Path Disclosure");
script_set_attribute(attribute:"synopsis", value:
"An application running on the remote web server is affected by a path
disclosure vulnerability.");
script_set_attribute(attribute:"description", value:
"It was possible to make the remote web server disclose the physical
path to its web root by requesting a MS-DOS device ending in .dbm (as
in nul.dbm).");
# https://web.archive.org/web/20041206154712/http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0028.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3991a459");
script_set_attribute(attribute:"solution", value:
"The vendor suggests turning on 'Check that file exists' :
Windows 2000:
1. Open the Management console
2. Click on 'Internet Information Services'
3. Right-click on the website and select 'Properties'
4. Select 'Home Directory'
5. Click on 'Configuration'
6. Select '.cfm'
7. Click on 'Edit'
8. Make sure 'Check that file exists' is checked
9. Do the same for '.dbm'");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:H/RL:W/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2002/04/18");
script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/15");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:allaire:coldfusion_server");
script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"CGI abuses");
script_copyright(english:"This script is Copyright (C) 2003-2024 Tenable Network Security, Inc.");
script_dependencies("iis_detailed_error.nasl", "404_path_disclosure.nasl");
script_exclude_keys("Settings/disable_cgi_scanning");
script_require_ports("Services/www", 80);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default:80);
if (get_kb_item("www/"+port+"/iis_detailed_errors")) exit(0, "The web server listening on port "+port+" appears to be an instance of IIS that returns detailed error messages.");
if (get_kb_item("www/"+port+"/generic_path_disclosure")) exit(0, "The web server listening on port "+port+" is known to be affected by a generic path disclosure vulnerability.");
url = "/nul.dbm";
res = test_generic_path_disclosure(item: url,
method: "GET",
port: port,
path_type: "windows",
filename: "nul.dbm",
exit_on_fail: TRUE);
if (!res) exit(0, "The web server listening on port "+port+" is not affected.");
Vendor | Product | Version | CPE |
---|---|---|---|
allaire | coldfusion_server | cpe:/a:allaire:coldfusion_server |