Zope Invalid Query Path Disclosure

Medium Nessus Plugin ID 11769


The remote web server contains an application server that is prone to an information disclosure attack.


The remote Zope web server may be forced into disclosing its physical path when 'Examples/ShoppingCart/addItems' is called with a blank quantity.

Note that this install is also likely to be affected by several other vulnerabilities, although Nessus has not checked for them.


Delete the directory '/Examples'.


Plugin Details

Severity: Medium

ID: 11769

File Name: zope_invalid_query_path_disclosure.nasl

Version: $Revision: 1.15 $

Type: remote

Family: Web Servers

Published: 2003/06/23

Modified: 2011/07/19

Dependencies: 10107, 17975

Risk Information

Risk Factor: Medium


Base Score: 5

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

Vulnerability Information

Required KB Items: www/zope

Exploit Available: true

Exploit Ease: No exploit is required

Reference Information

BID: 7999

OSVDB: 58284