Netware Web Server Sample Page Source Disclosure Network Vulnerability

Summary

On a Netware Web Server, viewcode.jse allows the source code of web pages to be viewed. As an argument, a URL is passed to sewse.nlm. The URL can be altered and will permit files outside of the web root to be viewed. As a result, sensitive information could be obtained from the Netware server, such as the RCONSOLE password located in AUTOEXEC.NCF. Example: http://target//lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode.jse+httplist+httplist/../../../../../system/autoexec.ncf

Solution

Remove sample NLMs and default files from the web server. Also, ensure the RCONSOLE password is encrypted and utilize a password protected screensaver for console access.

References

http://www.securityfocus.com/archive/1/246358

Updated on 2015-03-25

Severity

Classification

CVE CVE-2001-1580

CVSS	Base Score: 5.0 AV:N/AC:L/Au:N/C:P/I:N/A:N

Related Vulnerabilities

Netware LDAP search request
Netware 6.0 Tomcat source code viewer
Default Novonyx Web Server Files
Netware NDS Object Enumeration
Netware Web Server Sample Page Source Disclosure

Take action and discover your vulnerabilities