|
|
Info |
Last Modified |
| 4 months ago |
|
|
|
|
Description |
Siebel CRM Server contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a user navigates to the server statistics page (http://www.example.com/[app_name]/_stats.swe. This discloses information about the additional applications installed on the server, the server version, installation location and, if the SessionMonitor parameter is enabled, the session information of the clients connected.
|
|
Classification |
Attack Type:
Information Disclosure
Exploit:
Exploit Available
|
|
Technical |
The information contained in the _stats.swe file, especially when session logging is enabled, is very sensitive. Information like session IDs, internal IP addresses and even passwords are visible by visiting this page.
|
|
Solution |
It is highly recommended that the statistics page is filtered by using a web server or other authentication mechanism. Alternatively disabling the statistics page is also an option. Visit http://download.oracle.com/docs/cd/E05554_01/books/Secur/SecurATroubleshoot3.html for more information.
|
|
Products |
|
|
7.0 |
7.5 |
7.7 |
7.8 |
|
|
|
|
|
Credit |
- Sheran Gunasekera - sheran
 zensay.com -
|
|
BlogsProvided by Technorati
|
None found at this time
|
|
|
