(0Day) Schneider Electric U.motion Builder error Information Disclosure Vulnerability

2017-06-12T00:00:00
ID ZDI-17-385
Type zdi
Reporter rgod
Modified 2017-06-12T00:00:00

Description

This vulnerability allows remote attackers to acquire system information about vulnerable installations of Schneider Electric U.motion Builder. Authentication is not required to exploit this vulnerability.

The specific flaw exists within error.php. System information is returned to the attacker that contains sensitive data. This can be leveraged by an attacker in conjunction with other vulnerabilities to execute arbitrary code on the system.