
[VulnWatch] Vignette Application Portal Unauthenticated Diagnostics

Subject: [VulnWatch] Vignette Application Portal Unauthenticated Diagnostics
Date: Tue, 28 Sep 2004 15:22:16 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                                @stake, Inc.
                              www.atstake.com

                             Security Advisory

Advisory Name: Vignette Application Portal Unauthenticated
               Diagnostics
 Release Date: 09-28-2004
  Application: Vignette Application Portal
     Platform: Multiple
     Severity: Unauthenticated diagnostic functionality and
               information disclosure
       Author: Cory Scott <cscott@atstake.com>
Vendor Status: Vendor has published remediation advice 
CVE Candidate: CAN-2004-0917
    Reference: www.atstake.com/research/advisories/2004/a092804-1.txt


Overview:

Vignette Application Portal is a portal framework that runs on a
variety of application servers and platforms. As part of the
deployed framework, there is a diagnostic utility that discloses
significant detail on the configuration of the application server,
operating system, and Vignette application. The diagnostic utility,
which is installed by default, exposes details such as application
server and operating system version, database connection parameters,
and bean IDs that are used for access to Vignette portal resources.

In the default installation of the Vignette software, the utility is
not secured against anonymous and unauthenticated access. Since
many portal deployments are on the Internet or exposed to untrusted
networks, this results in an information disclosure vulnerability.

Vignette documentation does not give deployment advice to either
alert administrators to the diagnostic utility's exposure or to
restrict access to the utility. In addition, the utility performs
a set of diagnostic checks that results in system load and outbound
network connections to test portal functionality.
       

Details:

To access the diagnostic utility, a user makes a web request to
<sitename>/portal/diag/


Vendor Response:

After notification by @stake, Vignette published a knowledge base
article (KB 6947) with remediation advice. It is accessible by
Vignette customers only. 


Recommendation:

Restrict access to the diag directory on the web server or
application server. Ultimately, it would make sense for Vignette
to authenticate user requests to the diagnostic utility and
implement access control.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned 
the following names to these issues.  These are candidates for 
inclusion in the CVE list (http://cve.mitre.org), which standardizes 
names for security problems.

  CAN-2004-0917  Vignette Application Portal Unauthenticated
                 Diagnostics

@stake Vulnerability Reporting Policy: 
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2004 @stake, Inc. All rights reserved.





-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQVlzF0e9kNIfAm4yEQLJjwCcDEFnnacQTF/IOQJTFm3jNZqx4d4AnRZa
W5HemU39ASDoyjnwrbmTQmvU
=ZeJY
-----END PGP SIGNATURE-----
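
A log check for the exposure described in this advisory, added here as an example and not part of the @stake advisory or of Vignette's software: it scans web access logs for requests to /portal/diag/ from clients outside an administrative network and reports whether each request was served or denied. The admin network, the common log format and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

DIAG_PATH = "/portal/diag"  # path named in the advisory
# Assumption: networks allowed to reach the utility (constructed value).
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Common/combined log format: client, method, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def normalize(target):
    """Reduce a request target to a canonical lower-case path."""
    path = target.split("?", 1)[0]            # drop the query string
    path = re.sub(r";[^/]*", "", path)        # drop ;jsessionid=... parameters
    path = re.sub(r"/+", "/", unquote(path))  # decode %xx, collapse slashes
    return posixpath.normpath(path).lower()   # resolve ./ and ../ segments

def is_admin(client):
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:  # hostname in the log: cannot be verified, so untrusted
        return False
    return any(addr in net for net in ADMIN_NETS)

def diag_findings(lines):
    """Return (client, status, verdict) for diag requests from non-admin clients."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        path = normalize(target)
        if path != DIAG_PATH and not path.startswith(DIAG_PATH + "/"):
            continue
        if is_admin(client):
            continue
        # Any status below 400 means the request was not denied.
        verdict = "exposed" if int(status) < 400 else "blocked"
        findings.append((client, int(status), verdict))
    return findings

# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    '203.0.113.7 - - [28/Sep/2004:15:30:01 -0400] "GET /portal/diag/ HTTP/1.1" 200 18234',
    '10.20.0.15 - - [28/Sep/2004:15:31:10 -0400] "GET /portal/diag/ HTTP/1.1" 200 18234',
    '198.51.100.23 - - [28/Sep/2004:15:32:44 -0400] "GET /portal//DIAG/;jsessionid=abc?x=1 HTTP/1.1" 403 512',
    '203.0.113.7 - - [28/Sep/2004:15:33:02 -0400] "GET /portal/diagnosis HTTP/1.1" 200 9120',
]
```

An "exposed" finding means the access restriction recommended above is missing or ineffective for that client; "blocked" findings show the restriction working.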
