3Com TippingPoint SMS Server Permission Weakness Remote Information Disclosure

2006-05-09T07:02:39
ID OSVDB:25360
Type osvdb
Reporter Micheal Cottingham
Modified 2006-05-09T07:02:39

Description

Vulnerability Description

TippingPoint SMS Server contains a flaw that may lead to unauthorized information disclosure. The issue is caused by access control errors on certain directories that are reachable through the web management interface. If device settings are being backed up into those directories, the configuration settings are disclosed, resulting in a loss of confidentiality.

Solution Description

Upgrade to version 2.2.1.4478 (SMS_2.2.1_4478.pkg) or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor Specific Advisory URL
Security Tracker: 1016051
Secunia Advisory ID: 20058
Other Advisory URL: http://www.zerodayinitiative.com/advisories/ZDI-06-013.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-05/0239.html
Keyword: ZDI-06-013
ISS X-Force ID: 26338
FrSIRT Advisory: ADV-2006-1752
CVE-2006-0993
Bugtraq ID: 17935