Title: Siebel _stats.swe Remote Information Disclosure
Info
Dates
Disclosure: Jan 30, 2007
Discovery: Jan 27, 2007
Exploit: Jan 30, 2007
Solution: Unknown
Description
Siebel CRM Server contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when a user navigates to the server statistics page (http://www.example.com/[app_name]/_stats.swe). The page discloses the additional applications installed on the server, the server version and installation location and, if the SessionMonitor parameter is enabled, session information for the clients currently connected.
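The following is an added example, not part of the original advisory, for checking whether the statistics page is reachable without credentials (and for re-checking after access controls are applied). It only builds the http://host/[app_name]/_stats.swe URL described above and classifies the HTTP response by status code; the host name and application names are placeholders, and the classification does not depend on any Siebel-specific page content, which the advisory does not describe.

```python
"""Probe a Siebel web server for an unauthenticated _stats.swe page.

Added example, not from the advisory or from Oracle/Siebel. The host
name and application names used at the bottom are placeholders, and the
verdicts rest only on the HTTP status code, redirect behaviour and
whether a body was returned, not on Siebel-specific page markers.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

EXPOSED = "exposed"          # 200 with a body: page served without credentials
PROTECTED = "protected"      # 401/403: web server demanded auth or refused
REDIRECTED = "redirected"    # sent elsewhere (typically a login page); verify by hand
ABSENT = "absent"            # 404: page disabled or wrong application name
UNKNOWN = "unknown"          # connection failure or unexpected status


def stats_url(base_url, app_name):
    """Build http://host/[app_name]/_stats.swe for one application."""
    return urljoin(base_url.rstrip("/") + "/", f"{app_name}/_stats.swe")


def classify(status, body, redirected=False):
    """Map an HTTP response to one of the verdicts above."""
    if status is None:
        return UNKNOWN
    if redirected:
        # urllib follows 3xx transparently; a final page that is not
        # _stats.swe is most likely a login form, so do not call it exposed.
        return REDIRECTED
    if status == 200 and body.strip():
        return EXPOSED
    if status in (401, 403):
        return PROTECTED
    if status == 404:
        return ABSENT
    return UNKNOWN


def probe(base_url, app_names, timeout=10):
    """Request _stats.swe for each application and return {app: verdict}."""
    results = {}
    for app in app_names:
        url = stats_url(base_url, app)
        req = urllib.request.Request(url, headers={"User-Agent": "stats-swe-check"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                body = resp.read().decode("utf-8", "replace")
                # Compare the final path with the requested one to detect redirects.
                redirected = urlsplit(resp.geturl()).path != urlsplit(url).path
                results[app] = classify(resp.status, body, redirected)
        except urllib.error.HTTPError as e:
            results[app] = classify(e.code, "")
        except (urllib.error.URLError, OSError):
            results[app] = classify(None, "")
    return results


if __name__ == "__main__":
    # Placeholder target and application names (assumptions, not from the advisory).
    for app, verdict in probe("http://www.example.com", ["callcenter_enu", "eservice_enu"]).items():
        print(f"{app}: {verdict}")
```

Run it against the Siebel web server before and after applying the access controls from the Solution section; a verdict of "exposed" for any application name means the page is still served without authentication, while "redirected" should be inspected manually in case the redirect target itself still leaks the statistics.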
Classification
Attack Type:
Information Disclosure
Exploit:
Exploit Available
Solution
It is highly recommended that access to the statistics page be restricted, for example by placing web server authentication or another access control mechanism in front of it. Alternatively, the statistics page can be disabled. See http://download.oracle.com/docs/cd/E05554_01/books/Secur/SecurATroubleshoot3.html for more information.