Synopsis
The remote host is running an unprotected web administration application.
Description
The remote host is running a web application that uses the West Wind Web Connection framework. Nessus was able to access the framework's configuration file editor without providing credentials. The configuration file editor allows remote configuration of the application and the underlying framework, which may allow attackers to execute arbitrary applications on the remote host.
It is also likely that other administration applications are unprotected.
Solution
Contact the application vendor for a solution or workaround.
Plugin Details
File Name: west_wind_webconnect_unauth_admin_access.nasl
Supported Sensors: Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Vulnerability Information
CPE: x-cpe:/a:west_wind:web_connection
Excluded KB Items: Settings/disable_cgi_scanning
Exploited by Nessus: true
Vulnerability Publication Date: 6/16/2012