Rule:  
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC viewcode.jse access"; flags:A+; uricontent:"/viewcode.jse"; reference:bugtraq,3715; classtype:web-application-activity; sid:1389; rev:1;)
--

Sid:
1389

--

Summary:
Someone attempted to access the potentially vulnerable sample script
viewcode.jse, which ships with NetWare 5.1 and Nombas ScriptEase
WebServer Edition.  The script may allow an attacker to view any file
on the system.

--
Impact:
An attacker may have been able to read the contents of any file on the
web server.

--
Detailed Information:
Nombas ScriptEase WebServer Edition is a JavaScript environment for web
servers.  As shipped, it comes with a sample script called "viewcode.jse"
that contains a vulnerability.  This vulnerability allows an attacker
to view any file on the web server.  The web server that ships with
Novell NetWare 5.1 before SP3 contains this vulnerability.

--
Attack Scenarios:
Attacker sends a simple URL like the following:
http://target/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode.jse+httplist+httplist/../../../../../system/somefile

--
Ease of Attack:
Very simple handcrafted URL.  Attacker must make educated guesses as to
filesystem layout.

--
False Positives:

--
False Negatives:

--
Corrective Action:
Examine the packet to determine whether the web request was malicious.
Try to determine which file was requested, and use the web server's
configuration to decide whether the request was a threat (e.g., whether
the requested file even existed and whether the web server contained
the viewcode.jse sample script).  The existence of sample scripts on a
web server may indicate larger vulnerabilities.
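
The triage step above can be scripted. The following is an added example, not part of the original rule documentation: it takes request URIs that triggered sid 1389, extracts the file argument and reports whether it climbs out of the script's directory. It assumes, from the attack-scenario URL only, that '+'-separated arguments follow the script name and that the last one names the file; all sample URIs other than the first are constructed.

```python
import posixpath
from urllib.parse import unquote

SCRIPT = "/viewcode.jse"  # same string the rule's uricontent matches


def decode_fully(uri, rounds=3):
    """Percent-decode repeatedly so %2e%2e and %252e%252e both become '..'."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def triage(uri):
    """Return None if the URI does not touch viewcode.jse, else a finding dict."""
    decoded = decode_fully(uri)
    pos = decoded.lower().find(SCRIPT)
    if pos == -1:
        return None
    # Assumption from the page's example URL: '+'-separated arguments follow
    # the script name and the last one names the file to display.
    args = [a for a in decoded[pos + len(SCRIPT):].split("+") if a]
    if not args:
        return {"verdict": "script-access", "requested": None, "target": None}
    requested = args[-1].replace("\\", "/")  # treat either slash as a separator
    norm = posixpath.normpath(requested)
    if norm == ".." or norm.startswith("../"):
        verdict = "traversal"       # path escapes the starting directory
    elif requested.startswith("/") or ":" in requested:
        verdict = "absolute-path"   # rooted or volume-qualified path
    else:
        verdict = "in-tree"         # stays below the starting directory
    target = norm
    while target.startswith("../"):
        target = target[3:]         # what remains is the file being sought
    return {"verdict": verdict, "requested": requested, "target": target}


# Constructed sample URIs; only the first comes from the attack scenario above.
BASE = "/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/viewcode.jse+httplist+"
SAMPLES = [
    BASE + "httplist/../../../../../system/somefile",
    BASE + "httplist/%2e%2e/%2e%2e/system/somefile",
    BASE + "httplist/sample.jse",
    "/index.html",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(triage(uri), "<-", uri)
```

A "traversal" or "absolute-path" verdict gives the target path to check against the server's filesystem; "in-tree" and "script-access" still confirm that the sample script was requested.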

--
Contributors:

--
Additional References:
Bugtraq:  BID 1389
