CERTVU:708340Apple Mac OS X AFP server may disclose file and folder information in search results
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.009 Low
EPSS
Percentile
82.3%
Overview
A vulnerability in the Apple Mac OS X AFP server may disclose file and folder items to unauthorized users.
Description
The AFP (Apple Filing Protocol) service allows Apple Mac OS clients to remotely access files stored on a server. When file sharing is enabled, Apple’s Mac OS X AFP server allows search results to include files and folders for which the user performing the search does not have access. This vulnerability results in information disclosure if the folders, file names, or file contents contain sensitive information and the user permissions for these files or folders are not configured correctly. Any Apple Mac OS X system with AFP server enabled is vulnerable, however AFP server is not enabled by default on Apple Mac OS X.
Impact
An unauthorized user may be able to view sensitive information in folder and file names as well as gain access to files and folders without proper access permissions set.
Solution
Apply an update
Apple has addressed this issue in Security Update 2006-004 for Apple Mac OS X 10.3.9 by ensuring that search results only contain items for which the user has authorization to access. This vulnerability in Apple Mac OS X v10.4 was addressed in Apple Mac OS X v10.4.7.
Workarounds
Disable file sharing if it is not needed. File sharing can be disabled in the sharing section of system preferences.
Vendor Information
708340
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Apple Computer, Inc. __ Affected
Notified: August 02, 2006 Updated: January 29, 2007
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Apple has addressed this issue in Security Update 2006-004 for Apple Mac OS X 10.3.9 by ensuring that search results only contain items for which the user has authorization to access. This vulnerability in Apple Mac OS X v10.4 was addressed in Apple Mac OS X v10.4.7.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23708340 Feedback>).
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- <http://docs.info.apple.com/article.html?artnum=304063>
- <http://secunia.com/advisories/21253/>
Acknowledgements
Thanks to Apple Product Security for reporting this vulnerability.
This document was written by Katie Steiner.
Other Information
| CVE IDs: | CVE-2006-1472 |
|---|---|
| Date Public: | 2006-08-01 Date First Published: |
Related
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.009 Low
EPSS
Percentile
82.3%