Info

Disclosure

Sep 28, 2004

Discovery

Unknown

Dates

Exploit

Sep 28, 2004

Solution

Unknown

Description

Vignette Application Portal Diagnostic Utility contains a flaw of by default it is accessible to anyone that may lead to an unauthorized information disclosure. The issue is triggered when a user makes a certain web request, which will disclose application server and OS versions, database connection parameters, and bean IDs used for accessing portal resources, resulting in a loss of confidentiality.

Classification

Location: Remote/Network Access Required
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Exploit: Exploit Available
Disclosure: OSVDB Verified

Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Restrict access to the diag directory on the web server or application server.

Products

Vignette Corporation

Vignette Application Portal Diagnostic Utility

References

Security Tracker: 1011447
Bugtraq ID: 11267
Secunia Advisory ID: 12676
ISS X-Force ID: 17530
CVE ID: 2004-0917 (see also: NVD)
Other Advisory URL: http://www.atstake.com/research/advisories/2004/a092804-1.txt
Vendor URL: http://www.vignette.com/

Credit

Cory Scott -

Direct URL: http://osvdb.org/36218