3Com OfficeConnect Wireless 11g AP Router Information Disclosure

2005-01-20T12:52:09
ID OSVDB:13095
Type osvdb
Reporter Patrik Karlsson (patrik@cqure.net)
Modified 2005-01-20T12:52:09

Description

Vulnerability Description

OfficeConnect contains a flaw that may lead to unauthorized information disclosure. An access control error in the web interface allows anyone to access certain hidden pages, which disclose administrative information, resulting in a loss of confidentiality.

Solution Description

Upgrade to version 1.03.07A or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Note: Subsequent testing suggests the patch for this issue did not make it into the initial 2.x tree.

Manual Testing Notes

http://[victim]/main/config.bin
http://[victim]/main/profile.wlp?PN=ggg
http://[victim]/main/event.logs

References:

Vendor URL: http://www.3com.com/products/en_US/detail.jsp?tab=features&pathtype=purchase&sku=3CRWE454G72
Security Tracker: 1012958
Secunia Advisory ID: 13942
Other Advisory URL: http://www.idefense.com/application/poi/display?id=188&type=vulnerabilities
ISS X-Force ID: 18994
CVE-2005-0112
Bugtraq ID: 12322