Novell NetWare Web Server sewse.nlm (viewcode.jse) Traversal Arbitrary File Access

Medium Nessus Plugin ID 12048


The remote web server contains a JavaScript application that is affected by an information disclosure vulnerability.


The installed version of Nombas ScriptEase Web Server Edition for NetWare on the remote host fails to sanitize input to the 'sewse.nlm' page and associated 'viewcode.jse' script before using it to display the source code of a file.

By passing in a specially crafted URL argument, an attacker can view the contents of files, even files outside the web root. This can lead to disclosure of sensitive information from the affected host, such as the RCONSOLE password located in AUTOEXEC.NCF.


Remove all sample scripts from the web server.

See Also

Plugin Details

Severity: Medium

ID: 12048

File Name: novell_viewcode.nasl

Version: $Revision: 1.20 $

Type: remote

Family: Netware

Published: 2004/02/06

Modified: 2016/10/27

Dependencies: 10107

Risk Information

Risk Factor: Medium


Base Score: 5

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:H/RL:OF/RC:ND

Vulnerability Information

Exploit Available: true

Exploit Ease: No exploit is required

Exploited by Nessus: true

Patch Publication Date: 2001/06/15

Vulnerability Publication Date: 2001/12/12

Reference Information

CVE: CVE-2001-1580

BID: 3715

OSVDB: 5325