CVE-2004-0917
CVSS 5.0
Published: 2005-01-27 00:00:00
Revised: 2008-09-05 16:39:46

[Original] The default installation of Vignette Application Portal installs the diagnostic utility without authentication requirements, which allows remote attackers to gain sensitive information, such as server and OS version, and conduct unauthorized activities via an HTTP request to /diag.


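[CNNVD] Vignette ApplicationPortal Remote Information Disclosure Vulnerability (CNNVD-200501-304)

        Vignette Application Portal is an application server system.
        The default installation of Vignette Application Portal configures the diagnostic tool to require no authentication, which leads to disclosure of sensitive information.
        A remote attacker can obtain sensitive information such as the operating system version and application server version by accessing /diag directly.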

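- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Access complexity: LOW [no access restrictions for exploitation]
Access vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found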

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0917
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0917
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-304
(Official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/17530
(VENDOR_ADVISORY)  XF  vignette-diagnostic-obtain-info(17530)
http://www.securityfocus.com/bid/11267
(VENDOR_ADVISORY)  BID  11267
http://www.atstake.com/research/advisories/2004/a092804-1.txt
(VENDOR_ADVISORY)  ATSTAKE  A092804-1
http://securitytracker.com/id?1011447
(UNKNOWN)  SECTRACK  1011447

- Vulnerability information

Vignette ApplicationPortal Remote Information Disclosure Vulnerability
Medium risk  Design error
2005-01-27 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        The vendor has released an upgrade patch to fix this security issue. Patch link:
        http://www.vignette.com/

- Vulnerability information (F34524)

Atstake Security Advisory 04-09-28.1 (PacketStormID:F34524)
2004-10-07 00:00:00
Atstake,Cory Scott  atstake.com
advisory,info disclosure
CVE-2004-0917

Atstake Security Advisory A092804-1 - In the default installation of Vignette portal software, the utility is not secured against anonymous and unauthenticated access. Since many portal deployments are on the Internet or exposed to untrusted networks, this results in an information disclosure vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                                @stake, Inc.
                              www.atstake.com

                             Security Advisory

Advisory Name: Vignette Application Portal Unauthenticated
               Diagnostics
 Release Date: 09-28-2004
  Application: Vignette Application Portal
     Platform: Multiple
     Severity: Unauthenticated diagnostic functionality and
               information disclosure
       Author: Cory Scott <cscott@atstake.com>
Vendor Status: Vendor has published remediation advice 
CVE Candidate: CAN-2004-0917
    Reference: www.atstake.com/research/advisories/2004/a092804-1.txt


Overview:

Vignette Application Portal is a portal framework that runs on a
variety of application servers and platforms. As part of the
deployed framework, there is a diagnostic utility that discloses
significant detail on the configuration of the application server,
operating system, and Vignette application. The diagnostic utility,
which is installed by default, exposes details such as application
server and operating system version, database connection parameters,
and bean IDs that are used for access to Vignette portal resources.

In the default installation of the Vignette software, the utility is
not secured against anonymous and unauthenticated access. Since
many portal deployments are on the Internet or exposed to untrusted
networks, this results in an information disclosure vulnerability.

Vignette documentation does not give deployment advice to either
alert administrators to the diagnostic utility's exposure or to
restrict access to the utility. In addition, the utility performs
a set of diagnostic checks that results in system load and outbound
network connections to test portal functionality.
       

Details:

To access the diagnostic utility, a user makes a web request to
<sitename>/portal/diag/


Vendor Response:

After notification by @stake, Vignette published a knowledge base
article (KB 6947) with remediation advice. It is accessible by
Vignette customers only. 


Recommendation:

Restrict access to the diag directory on the web server or
application server. Ultimately, it would make sense for Vignette
to authenticate user requests to the diagnostic utility and
implement access control.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned 
the following names to these issues.  These are candidates for 
inclusion in the CVE list (http://cve.mitre.org), which standardizes 
names for security problems.

  CAN-2004-0917  Vignette Application Portal Unauthenticated
                 Diagnostics

@stake Vulnerability Reporting Policy: 
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2004 @stake, Inc. All rights reserved.





-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQVlzF0e9kNIfAm4yEQLJjwCcDEFnnacQTF/IOQJTFm3jNZqx4d4AnRZa
W5HemU39ASDoyjnwrbmTQmvU
=ZeJY
-----END PGP SIGNATURE-----
    

- Vulnerability information

10405
Vignette Application Portal Diagnostic Utility Information Disclosure
Remote / Network Access Information Disclosure
Loss of Confidentiality
Exploit Public

- Vulnerability description

Vignette Application Portal Diagnostic Utility contains a flaw: by default it is accessible to anyone, which may lead to unauthorized information disclosure. The issue is triggered when a user makes a certain web request, which will disclose application server and OS versions, database connection parameters, and bean IDs used for accessing portal resources, resulting in a loss of confidentiality.

- Timeline

2004-09-28 Unknown
2004-09-28 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Restrict access to the diag directory on the web server or application server.
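
To confirm that this restriction is actually in effect, the following added example (not part of the advisory or any vendor material) scans web access logs for diagnostic-utility requests that were served to clients outside an allowlisted management network. It assumes combined-format access logs; the function names, the sample log lines and the 10.0.0.0/8 management range are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')
# Paths named on this page: /diag (CVE text) and /portal/diag/ (advisory).
DIAG_RE = re.compile(r'^(?:/portal)?/diag(?:/|$)', re.IGNORECASE)

# Constructed sample log lines (documentation address ranges).
_TAIL = ' HTTP/1.1" %s 512 "-" "Mozilla/4.0"'
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Sep/2004:10:01:02 +0000] "GET /portal/diag/' + _TAIL % 200,
    '10.0.5.12 - admin [28/Sep/2004:10:02:10 +0000] "GET /portal/diag/' + _TAIL % 200,
    '198.51.100.20 - - [28/Sep/2004:10:03:44 +0000] "GET /portal/diag/' + _TAIL % 403,
    '198.51.100.20 - - [28/Sep/2004:10:03:50 +0000] "GET /portal//DIAG/?x=1' + _TAIL % 200,
    '203.0.113.7 - - [28/Sep/2004:10:04:00 +0000] "GET /portal/diagrams/a.png' + _TAIL % 200,
]

def _allowed(client, nets):
    try:
        ip = ipaddress.ip_address(client)
    except ValueError:          # hostname or garbage: cannot be verified
        return False
    return any(ip in net for net in nets)

def audit_diag_access(lines, allowed_nets):
    """Return (client, target, status) for diag requests answered 2xx
    to clients outside allowed_nets (hypothetical management ranges)."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Normalise before matching: drop query, decode %xx, collapse '//'.
        path = re.sub(r'/{2,}', '/', unquote(m["target"].split('?', 1)[0]))
        status = int(m["status"])
        if not DIAG_RE.match(path) or not 200 <= status < 300:
            continue            # not the diag utility, or request was refused
        if not _allowed(m["client"], nets):
            findings.append((m["client"], m["target"], status))
    return findings

if __name__ == "__main__":
    for hit in audit_diag_access(SAMPLE_LOG, ["10.0.0.0/8"]):
        print("diag served to non-allowlisted client:", hit)
```

An empty result over a representative log window indicates the access restriction is holding; any finding means the utility is still answering requests from outside the management range.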

- Vulnerability information

Vignette Application Portal Remote Information Disclosure Vulnerability
Design Error 11267
Yes No
2004-09-28 12:00:00 2009-07-12 07:06:00
Discovery of this issue is credited to Cory Scott <cscott@atstake.com> of @stake, Inc.

- Affected software versions

Vignette Application Portal

- Discussion

Vignette Application Portal is affected by a remote information disclosure vulnerability. This issue is due to a design error that facilitates unauthorized access to sensitive information.

An attacker can leverage this issue to reveal sensitive information such as operating system version, application version, database connection parameters, and various other application portal related setting details.

- Exploit

No exploit is required to leverage this issue.

- Solution

The vendor has made a knowledge base article (KB 6947) available with remediation advice. This article has been made available to registered customers only. Please contact the vendor for information on obtaining the article.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.
