Greenstone Password File Disclosure

medium Nessus Plugin ID 66719

Synopsis

The remote web server is affected by a file disclosure vulnerability.

Description

The Greenstone install listening on the remote host is affected by a password file disclosure vulnerability in the 'cgi-bin/library.cgi' script. A remote attacker could exploit this issue with a specially crafted request to perform a direct request to obtain the credential files.

There are, reportedly, other vulnerabilities in this version of Greenstone, though Nessus has not checked for them.

Solution

Upgrade to Greenstone 3.05 or later

See Also

http://www.nessus.org/u?b9e0805e

http://wiki.greenstone.org/doku.php?id=en:release:3.05_release_notes

Plugin Details

Severity: Medium

ID: 66719

File Name: greenstone_password_file_disclosure.nasl

Version: 1.9

Type: remote

Family: CGI abuses

Published: 5/31/2013

Updated: 6/4/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus

Enable CGI Scanning: true

Vulnerability Information

CPE: x-cpe:/a:greenstone:greenstone

Required KB Items: www/greenstone

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 11/23/2012

Vulnerability Publication Date: 11/23/2012

Reference Information

BID: 56662