[原文]The default installation of Vignette Application Portal installs the diagnostic utility without authentication requirements, which allows remote attackers to gain sensitive information, such as server and OS version, and conduct unauthorized activities via an HTTP request to /diag.
Atstake Security Advisory A092804-1 - In the default installation of Vignette portal software, the utility is not secured against anonymous and unauthenticated access. Since many portal deployments are on the Internet or exposed to untrusted networks, this results in an information disclosure vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Advisory Name: Vignette Application Portal Unauthenticated
Release Date: 09-28-2004
Application: Vignette Application Portal
Severity: Unauthenticated diagnostic functionality and
Author: Cory Scott <firstname.lastname@example.org>
Vendor Status: Vendor has published remediation advice
CVE Candidate: CAN-2004-0917
Vignette Application Portal is a portal framework that runs on a
variety of application servers and platforms. As part of the
deployed framework, there is a diagnostic utility that discloses
significant detail on the configuration of the application server,
operating system, and Vignette application. The diagnostic utility,
which is installed by default, exposes details such as application
server and operating system version, database connection parameters,
and bean IDs that are used for access to Vignette portal resources.
In the default installation of the Vignette software, the utility is
not secured against anonymous and unauthenticated access. Since
many portal deployments are on the Internet or exposed to untrusted
networks, this results in an information disclosure vulnerability.
Vignette documentation does not give deployment advice to either
alert administrators to the diagnostic utility's exposure or to
restrict access to the utility. In addition, the utility performs
a set of diagnostic checks that results in system load and outbound
network connections to test portal functionality.
To access the diagnostic utility, a user makes a web request to
After notification by @stake, Vignette published a knowledge base
article (KB 6947) with remediation advice. It is accessible by
Vignette customers only.
Restrict access to the diag directory on the web server or
application server. Ultimately, it would make sense for Vignette
to authenticate user requests to the diagnostic utility and
implement access control.
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CAN-2004-0917 Vignette Application Portal Unauthenticated
@stake Vulnerability Reporting Policy:
@stake Advisory Archive:
Copyright 2004 @stake, Inc. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3
-----END PGP SIGNATURE-----
Vignette Application Portal Diagnostic Utility Information Disclosure
Remote / Network Access
Loss of Confidentiality
Vignette Application Portal Diagnostic Utility contains a flaw of by default it is accessible to anyone that may lead to an unauthorized information disclosure. The issue is triggered when a user makes a certain web request, which will disclose application server and OS versions, database connection parameters, and bean IDs used for accessing portal resources, resulting in a loss of confidentiality.
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Restrict access to the diag directory on the web server or application server.
Discovery of this issue is credited to Cory Scott <email@example.com> of @stake, Inc.
Vignette Application Portal
Vignette Application Portal is affected by a remote information disclosure vulnerability. This issue is due to a design error that facilitates unauthorized access to sensitive information.
An attacker can leverage this issue to reveal sensitive information such as operating system version, application version, database connection parameters, and various other application portal related setting details.
No exploit is required to leverage this issue.
The vendor has made a knowledge base article (KB 6947) available with remediation advice. This article has been made available to registered customers only. Please contact the vendor for information on obtaining the article.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org <mailto:email@example.com>.