[Original] UPOINT @1 Event Publisher stores sensitive information under the web document root with insufficient access control, which allows remote attackers to read private comments via a direct request to eventpublisher.txt.
@1 Event Publisher eventpublisher.txt Direct Request Private Comment Disclosure
Remote / Network Access
Loss of Integrity
@1 Event Publisher contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker makes a direct request to the eventpublisher.txt file, which will disclose private comments resulting in a loss of confidentiality.
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: customers can add in the "@1 Script Secure code" to help secure the code.
Jericho is credited with the discovery of this vulnerability.
Upoint @1 Event Publisher 2003.12.18
@1 Event Publisher is prone to an information-disclosure vulnerability. This issue is due to a failure to properly secure access to sensitive information.
An attacker can exploit this vulnerability to retrieve sensitive information from the vulnerable system, including private user comments.
Information gained by exploiting this issue may aid malicious users in further attacks.
This vulnerability may be exploited with a web client.
Currently we are not aware of any vendor-supplied patches for this issue.
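One way to check whether the file has already been fetched directly is to scan the web server's access logs for served requests to eventpublisher.txt. The script below is an added example, not code from the vendor or from the advisories above. The combined log format, the /events/ install path and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: the server writes Apache/NGINX "combined"-style access log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
DATA_FILE = "eventpublisher.txt"  # data file named in the advisory

# Constructed sample lines (addresses, dates and the /events/ path are made up).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Dec/2003:10:01:02 +0000] "GET /events/eventpublisher.txt HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.7 - - [18/Dec/2003:10:01:09 +0000] "GET /events/%65ventPublisher.TXT?x=1 HTTP/1.0" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [18/Dec/2003:10:02:00 +0000] "GET /events/eventpublisher.txt HTTP/1.0" 403 210 "-" "Mozilla/4.0"',
    '198.51.100.9 - - [18/Dec/2003:10:03:00 +0000] "GET /events/index.html HTTP/1.0" 200 900 "-" "Mozilla/4.0"',
]


def find_direct_requests(lines, data_file=DATA_FILE):
    """Return (ip, timestamp, status, size) for each served request to the data file."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        # Drop the query string, then percent-decode so encoded names still match.
        path = unquote(m["target"].split("?", 1)[0])
        name = path.rstrip("/").rsplit("/", 1)[-1].lower()
        status = int(m["status"])
        # 2xx (or 304) means the server was willing to serve the file's contents.
        if name == data_file and (200 <= status < 300 or status == 304):
            hits.append((m["ip"], m["ts"], status, m["size"]))
    return hits


if __name__ == "__main__":
    for hit in find_direct_requests(SAMPLE_LOG):
        print(hit)
```

Any hit means the private comments were readable over HTTP at that time. A 403 or 404 on the same path indicates that access to the file is being blocked or that it is no longer served from the document root.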