SecurityTracker.com
Category:   Application (Generic)  >   DocuShare
Vendors:   Xerox
Xerox DocuShare May Disclose the Server's Internal IP Address to Remote Users
SecurityTracker Alert ID:  1005354
SecurityTracker URL:  http://securitytracker.com/id/1005354
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 4 2002
Impact:   Disclosure of system information
Exploit Included:  Yes  

Description:   An information disclosure vulnerability was reported in the Xerox DocuShare server. A remote user can determine the server's internal IP address and other information.

A remote user can reportedly use the Upload Helper Utility to gain information about the server that is hosting DocuShare, including the internal address.

Some of the available information is shown in the listing below:

DS: 192.168.1.13
URL: http://192.168.1.13:80/dscgi/ds.py/ApplyUpload/Collection-10 <http://192.168.1.13/dscgi/ds.py/ApplyUpload/Collection-10>
Proxy:
File: Exploit.html (1955967 bytes)
Start 22:12:46 Sep 30, 02
Finish 4507 msec (result code 200)
Terminate 4517 msec since 1st upload

Impact:   A remote user can obtain potentially sensitive information about the server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  docushare.xerox.com/ds30/
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Solaris - SunOS), Windows (NT), Windows (2000)

Message History:   None.
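
A defender-side check for the disclosure described above, added here as an example and not part of the original advisory or of any Xerox tooling: it scans captured Upload Helper Utility output for internal (RFC 1918, loopback, link-local) IPv4 addresses and returns a redacted copy. The function names, the field-label pattern and the final 198.51.100.7 sample line are assumptions; the other sample lines come from the listing quoted on this page.

```python
import ipaddress
import re

# Ranges treated as internal: RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
FIELD_RE = re.compile(r"([A-Za-z]+):(?:\s|$)")   # assumed "Label: value" layout

# Sample input: lines from the listing quoted in the advisory, plus one
# constructed line carrying a public (documentation-range) address.
SAMPLE_LOG = """\
DS: 192.168.1.13
URL: http://192.168.1.13:80/dscgi/ds.py/ApplyUpload/Collection-10
Proxy:
File: Exploit.html (1955967 bytes)
Start 22:12:46 Sep 30, 02
DS: 198.51.100.7
"""

def is_internal(text):
    """True if text is an IPv4 literal inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:          # e.g. 999.1.1.1 matched by the loose regex
        return False
    return any(addr in net for net in INTERNAL_NETS)

def find_leaks(log):
    """Return [(line_no, field, address)] for each internal address seen."""
    leaks = []
    for no, line in enumerate(log.splitlines(), 1):
        m = FIELD_RE.match(line)
        field = m.group(1) if m else ""
        for addr in sorted(set(IPV4_RE.findall(line))):
            if is_internal(addr):
                leaks.append((no, field, addr))
    return leaks

def redact(log, token="[internal-address]"):
    """Copy of log with internal addresses replaced, for sharing outside."""
    return IPV4_RE.sub(
        lambda m: token if is_internal(m.group(0)) else m.group(0), log)

if __name__ == "__main__":
    for no, field, addr in find_leaks(SAMPLE_LOG):
        print(f"line {no}: field {field or '-'} exposes {addr}")
```
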


 Source Message Contents

Subject:  Xerox DocuShare Internal IP address disclosure


According to the Xerox Corporate Website:

    DocuShare lets team members use your corporate intranet or extranet to set up a virtual information-sharing environment. Here, users can easily post, retrieve, and search for information that resides in familiar nested folders. And they can adapt DocuShare to suit the specific needs of any workgroup or project.

    DocuShare gives you instant and controlled access to information. Read and write permission rights are granted and maintained by the workgroup itself. There's no need for a Webmaster to convert documents to HTML or PDF before posting or updating information. And users can see at a glance which documents are new and revised.

By default, anonymous users can create an account or group and upload files at will. Aside from uploading a malicious HTML document, and potentially exposing unknowing users, the internal IP address of the server running DocuShare can also be revealed.

Using the Upload Helper Utility, it is possible to gain information about the server which is hosting DocuShare.
<------------SNIP---------->
DS: 192.168.1.13
URL: http://192.168.1.13:80/dscgi/ds.py/ApplyUpload/Collection-10 <http://192.168.1.13/dscgi/ds.py/ApplyUpload/Collection-10>
Proxy: 
File: Exploit.html (1955967 bytes)
Start 22:12:46 Sep 30, 02
Finish 4507 msec (result code 200)
Terminate 4517 msec since 1st upload
<------------SNIP---------->
Depending on the Anti-Virus program in use, files sent to the server are not checked for viruses. When using Trend Micro with the real-time scan enabled and with updated virus definitions, it did not identify any of the viruses or malicious HTML code that was sent.

Tested in Version 2.2 Workgroup (Build 180)

Ryan Purita
Network Security Analyst
Totally Connected Ltd.
1308 S.E. Marine Drive,
Vancouver, B.C., V5X 4K4
ryan@totally-connected.com
Phone:	604-432-7828
Fax:	604-432-6773
