Xerver < 4.20 Multiple Vulnerabilities
Medium Nessus Plugin ID 20062
Synopsis
The remote web server is affected by multiple vulnerabilities.
Description
The remote host is running a version of Xerver prior to 4.20. It is, therefore, affected by multiple vulnerabilities:
- An information disclosure vulnerability exists that is triggered when a '.' is appended to the filename of a script in a URL. A remote attacker can exploit this to disclose the source code of the script. (CVE-2005-3293 / OSVDB 20075)
- An information disclosure vulnerability exists that is triggered when a specially crafted HTTP request ending with a null character (%00) is sent. A remote attacker can exploit this to disclose directory listings. (CVE-2005-3293 / OSVDB 20076)
- A cross-site scripting vulnerability exists due to an unspecified flaw. A remote attacker can exploit this, via a specially crafted URL containing a null character (%00) followed by malicious code, to execute arbitrary script code in a user's browser. (CVE-2005-4774)
Solution
Upgrade to Xerver 4.20 or later.
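
As an added example (not taken from the Nessus plugin or from Xerver), the following Python flags the three request patterns described above in web access logs, so that hosts still running a version prior to 4.20 can be reviewed for past requests of this kind. The log format, the script-extension list and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: extensions the server executes as scripts; adjust to the deployment.
SCRIPT_EXTS = ("php", "pl", "cgi", "py")

# Assumption: request line is quoted as in Common Log Format.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
TRAILING_DOT_RE = re.compile(r"\.(?:%s)\.+$" % "|".join(SCRIPT_EXTS), re.IGNORECASE)

def classify(target):
    """Return the findings for one raw (still percent-encoded) request target."""
    findings = []
    path = target.partition("?")[0]
    # Decode the path so an encoded dot (%2e) is caught as well as a literal one.
    if TRAILING_DOT_RE.search(unquote(path)):
        findings.append("trailing-dot-on-script")      # source disclosure pattern
    if "%00" in target:
        if target.endswith("%00"):
            findings.append("null-at-end-of-request")  # directory listing pattern
        else:
            findings.append("null-followed-by-data")   # XSS pattern
    return findings

def scan(lines):
    """Return (line_number, target, findings) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = classify(match.group("target"))
        if findings:
            hits.append((number, match.group("target"), findings))
    return hits

# Constructed sample log lines (documentation addresses, no real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2005:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326',
    '192.0.2.11 - - [10/Oct/2005:13:56:01 +0000] "GET /cgi/test.php. HTTP/1.0" 200 512',
    '192.0.2.11 - - [10/Oct/2005:13:56:09 +0000] "GET /docs/%00 HTTP/1.0" 200 1024',
    '192.0.2.12 - - [10/Oct/2005:13:57:30 +0000] "GET /%00EXAMPLE-TRAILING-DATA HTTP/1.0" 200 300',
    '192.0.2.13 - - [10/Oct/2005:13:58:44 +0000] "GET /app/view.pl%2e?x=1 HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for number, target, findings in scan(SAMPLE_LOG):
        print(number, target, ", ".join(findings))
```

A 200 response to any flagged request on a pre-4.20 host is the case worth reviewing first, since it indicates the server answered the request rather than rejecting it.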