Pinnacle ShowCenter SettingsBase.php Path Disclosure

2004-09-21T00:00:00
ID OSVDB:10228
Type osvdb
Reporter Marc Ruef (marc.ruef@computec.ch)
Modified 2004-09-21T00:00:00

Description

Vulnerability Description

Pinnacle ShowCenter contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when an HTTP GET request to SettingsBase.php names a non-existent skin; the response discloses the software installation path, resulting in a loss of confidentiality.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

http://[victim]/ShowCenter/SettingsBase.php?Skin=[invalid skin name]

References:

Vendor URL: http://www.pinnaclesys.com/ProductPage_n.asp?Product_ID=1481&Langue_ID=7
Security Tracker: 1011379
Related OSVDB ID: 10227
Packet Storm: http://packetstormsecurity.org/0409-advisories/pinnacleShow151.txt
Other Advisory URL: http://www.computec.ch/mruef/publikationen/advisories/pinnacle_showcenter_skin_denial_of_service.txt
Other Advisory URL: http://www.computec.ch/projekte/atk/plugins/pluginslist/Pinnacle%20ShowCenter%20BSE%20web%20server%20skin%20denial%20of%20service.plugin.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0769.html
ISS X-Force ID: 17463