Vignette Application Portal Diagnostic Utility Information Disclosure

2004-09-28T00:00:00
ID OSVDB:10405
Type osvdb
Reporter Cory Scott
Modified 2004-09-28T00:00:00

Description

Vulnerability Description

The Vignette Application Portal Diagnostic Utility is accessible to anyone by default, a flaw that may lead to unauthorized information disclosure. The issue is triggered when a user makes a certain web request, which discloses application server and OS versions, database connection parameters, and bean IDs used for accessing portal resources, resulting in a loss of confidentiality.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Restrict access to the diag directory on the web server or application server.
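
One way to check that the workaround holds, as an added example that is not part of the original advisory: scan web server access logs for diag requests that were served to clients outside the admin network. The path /portal/diag (a placeholder, since the advisory gives no full path), the admin network 10.0.5.0/24, the Combined Log Format input and the sample log lines are all assumptions or constructed values.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Assumption: URL path of the diag directory (placeholder; the advisory gives no full path).
DIAG_DIR = "/portal/diag"
# Assumption: the only network that should reach the diagnostic utility.
ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]

# Common/Combined Log Format: client ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def is_admin(client):
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return False  # hostnames and malformed values count as untrusted
    return any(addr in net for net in ADMIN_NETS)

def normalize(raw_path):
    """Drop the query string, percent-decode, collapse '//' and '..', lower-case."""
    path = unquote(raw_path.split("?", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def exposed_requests(lines):
    """Return (client, raw_path, status) for diag requests served (2xx) to non-admin clients."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize(m["path"])
        in_diag = path == DIAG_DIR or path.startswith(DIAG_DIR + "/")
        status = int(m["status"])
        if in_diag and 200 <= status < 300 and not is_admin(m["client"]):
            hits.append((m["client"], m["path"], status))
    return hits

# Constructed sample log lines (not taken from the advisory).
SAMPLE_LOG = [
    '10.0.5.17 - ops [28/Sep/2004:10:01:02 +0000] "GET /portal/diag/ HTTP/1.1" 200 5120',
    '203.0.113.9 - - [28/Sep/2004:10:02:40 +0000] "GET /portal/diag/ HTTP/1.1" 403 312',
    '198.51.100.23 - - [28/Sep/2004:10:05:11 +0000] "GET /portal/Diag/?v=1 HTTP/1.0" 200 5120',
    '198.51.100.23 - - [28/Sep/2004:10:05:15 +0000] "GET /portal/diagnostics HTTP/1.0" 200 901',
]
```

Any tuple returned by exposed_requests() means the diag directory answered a client it should have refused, so the access restriction is missing or incomplete for that path form.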


References:

Vendor URL: http://www.vignette.com/
Security Tracker: 1011447
Secunia Advisory ID: 12676
Other Advisory URL: http://www.atstake.com/research/advisories/2004/a092804-1.txt
ISS X-Force ID: 17530
CVE-2004-0917
Bugtraq ID: 11267