VYPR
Unrated severity · NVD Advisory · Published Apr 23, 2004 · Updated Apr 16, 2026

CVE-2004-1963

Description

Network Query Tool 1.6 discloses the full installation path via an error message when a non-numeric portNum parameter is passed to nqt.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Network Query Tool (NQT) 1.6, the script nqt.php does not validate the portNum parameter before passing it to the fsockopen() function. When a non-numeric string is supplied, PHP emits a warning that includes the full server path to the script. This affects version 1.6 as distributed from shat.net [2][3].

Exploitation

An attacker can trigger the information disclosure by sending an HTTP GET request to nqt.php with the portNum parameter set to an arbitrary string, for example: http://target/nqt.php?target=example.com&queryType=all&portNum=foobar. No authentication or special privileges are required; the vulnerability is remotely exploitable [2][3].

Impact

Successful exploitation reveals the absolute filesystem path of the script on the web server (e.g., D:\apache_wwwroot\nqt.php). This information can assist an attacker in planning further attacks, such as path traversal or inclusion of known files, but does not directly allow code execution or data modification [2][3].

Mitigation

No official patch or fixed version was disclosed in the available references. Users of NQT 1.6 should consider removing or restricting access to nqt.php until a fix is applied, or migrating to an alternative tool [2][3].
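
While nqt.php remains deployed, web server access logs show whether the portNum parameter has been sent with non-numeric input. The following is an added example, not code from NQT or from the cited references: it assumes common/combined log format, only sees query-string parameters (POST bodies are not logged), and uses constructed sample lines with documentation-range addresses.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# client, request target and status from a common/combined-format log line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})')

# Constructed sample input (not taken from a real server)
SAMPLE_LOG = [
    '192.0.2.10 - - [23/Apr/2004:10:00:01 +0000] "GET /nqt.php?target=example.com&queryType=all&portNum=80 HTTP/1.0" 200 5120',
    '198.51.100.7 - - [23/Apr/2004:10:00:05 +0000] "GET /nqt.php?target=example.com&queryType=all&portNum=foobar HTTP/1.0" 200 734',
    '198.51.100.7 - - [23/Apr/2004:10:00:09 +0000] "GET /tools/NQT.php?portNum%5B%5D=1 HTTP/1.1" 200 702',
    '192.0.2.44 - - [23/Apr/2004:10:01:00 +0000] "GET /index.php?portNum=foobar HTTP/1.1" 404 210',
]

def find_portnum_probes(lines, script="nqt.php"):
    """Return (client, status, value) for each request to `script` whose
    portNum parameter is not a plain decimal number."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        url = urlsplit(target)
        # Compare case-insensitively: the example path on this page is a Windows host
        if not unquote(url.path).lower().endswith("/" + script.lower()):
            continue
        # parse_qsl URL-decodes names and values; keep blanks so "portNum=" is seen
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name.split("[", 1)[0] != "portNum":
                continue
            # "portNum[]=..." makes PHP build an array, which is also non-numeric input
            is_array = name != "portNum"
            if is_array or not re.fullmatch(r"[0-9]+", value):
                hits.append((client, status, value))
    return hits

if __name__ == "__main__":
    for client, status, value in find_portnum_probes(SAMPLE_LOG):
        print(f"{client} status={status} portNum={value!r}")
```

A hit only shows that the request was made; whether the path was actually returned depends on the server's error display settings at the time.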

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.
