icat carbo.dll icatcommand Parameter Traversal Arbitrary File Access

Severity: Medium | Nessus Plugin ID 10112

Synopsis

The remote web server is hosting a CGI application that is affected by an information disclosure vulnerability.

Description

The installed version of the 'icat' CGI allows a remote user to read arbitrary files on the remote host because it fails to properly sanitize user-supplied input to the 'icatcommand' parameter.

Solution

There is no known solution at this time.

Plugin Details

Severity: Medium

ID: 10112

File Name: icat.nasl

Version: 1.39

Type: remote

Family: CGI abuses

Published: 6/22/1999

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

CPE: cpe:/a:icat:electronic_commerce_suite

Excluded KB Items: Settings/disable_cgi_scanning

Vulnerability Publication Date: 11/8/1997

Reference Information

CVE: CVE-1999-1069

BID: 2126