Verity Ultraseek DOS Device Name Path Disclosure

2004-05-05T00:00:00
ID OSVDB:5891
Type osvdb
Reporter Martin O'Neal (martin.oneal@corsaire.com)
Modified 2004-05-05T00:00:00

Description

Vulnerability Description

Ultraseek contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when an attacker requests a document whose name includes a DOS device name (e.g., NUL, CON, AUX, COM1, COM2), which discloses the physical path of the web server, resulting in a loss of confidentiality.
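A detection sketch for the trigger described above, added here as an example and not taken from the advisory or the vendor: it scans web access logs for request paths that contain a DOS device name. The Common Log Format input, the sample lines and the function names are assumptions, and the name list extends the advisory's examples with the other reserved Windows device names (PRN, COM3-9, LPT1-9).

```python
import re
from urllib.parse import unquote, urlsplit

# Reserved DOS device names on Windows. The advisory lists NUL, CON, AUX,
# COM1 and COM2 as examples; PRN, COM3-9 and LPT1-9 are added here.
DEVICE_NAMES = {"NUL", "CON", "AUX", "PRN"} | {
    f"{prefix}{n}" for prefix in ("COM", "LPT") for n in range(1, 10)
}

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def device_segments(target):
    """Return the path segments of a request target that name a DOS device."""
    # Decode percent-encoding first so %63on.html is seen as con.html.
    path = unquote(urlsplit(target).path)
    hits = []
    for segment in re.split(r"[/\\]", path):
        # Match conservatively: drop any extension, trailing spaces or a
        # trailing colon before comparing, and ignore case.
        stem = segment.split(".", 1)[0].rstrip(" :").upper()
        if stem in DEVICE_NAMES:
            hits.append(segment)
    return hits


def scan(log_lines):
    """Yield (line_number, matched_segments) for each suspicious request."""
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if match:
            hits = device_segments(match.group("target"))
            if hits:
                yield number, hits


# Constructed sample log lines (not taken from the advisory).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/May/2004:10:00:01 +0000] "GET /help/index.html HTTP/1.0" 200 5120',
    '192.0.2.44 - - [05/May/2004:10:00:07 +0000] "GET /help/NUL HTTP/1.0" 500 312',
    '192.0.2.44 - - [05/May/2004:10:00:09 +0000] "GET /%63on.html HTTP/1.0" 500 298',
    '192.0.2.10 - - [05/May/2004:10:00:12 +0000] "GET /docs/console.html HTTP/1.0" 200 880',
    '192.0.2.44 - - [05/May/2004:10:00:15 +0000] "GET /query.html?qt=aux HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(f"line {number}: device name in path: {hits}")
```

Only the path is inspected, so a search term such as `aux` in the query string or a name such as `console.html` is not flagged.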

Solution Description

Upgrade to version 5.2.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.verity.com/products/ultraseek/index.html
Security Tracker: 1010069
Secunia Advisory ID: 11556
Other Advisory URL: http://www.corsaire.com/advisories/c040113-001.txt
Keyword: Corsaire Security Advisory c040113-001
ISS X-Force ID: 16066
CVE-2004-0050