SecurityTracker.com
Category:   Application (Web Server/CGI)  >   VistaPortal
Vendors:   InfoVista
InfoVista VistaPortal Discloses Files and Path to Remote Users
SecurityTracker Alert ID:  1015669
SecurityTracker URL:  http://securitytracker.com/id/1015669
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 23 2006
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 2.0 Build 20087
Description:   A vulnerability was reported in InfoVista VistaPortal. A remote user can view arbitrary files on the target system.

A remote user can supply a specially crafted URL to view files on the target system. Because the software runs with root user privileges (on Solaris), any file can be viewed.

A remote user can specify a non-existent server in the server field to cause the server to disclose the full directory path.

The vendor was notified on January 20, 2006.

P Robinson of IRM discovered this vulnerability.

Impact:   A remote user can view arbitrary files on the target system.

A remote user can determine the installation path.

Solution:   The vendor has issued a hotfix (IV00038969) for the directory traversal vulnerability.

No solution for the path disclosure vulnerability was available at the time of this entry.

Vendor URL:  www.infovista.com/products/product_list.asp#vistaportal
Cause:   Access control error
Underlying OS:  UNIX (Solaris - SunOS), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  IRM 017: Multiple Vulnerabilities in Infovista Portal SE

----------------------------------------------------------------------
IRM Security Advisory No. 017

Multiple Vulnerabilities in Infovista Portal SE

Vulnerability Type / Importance: 	Directory Traversal / High
						Information Leakage / Low

Problem Discovered: January 20th 2006
Vendor Contacted: January 20th 2006
Advisory Published: February 22nd 2006	
----------------------------------------------------------------------

Abstract:

VistaPortal enables secure, browser-based access to service-centric
performance information. The easy implementation, display and design of
Portal-based dashboards and reports give accurate visibility into the
performance of the entire global IT infrastructure. VistaPortal allows users
to simultaneously view Key Performance Indicators (KPIs), real-time
performance notifications and strategic business information, from which
users can drill down to related real-time and historical reports residing in
VistaMart, the InfoVista Server and VistaTroubleshooter. VistaPortal
delivers rich, interactive content within a standards-based, open
architecture that allows seamless integration with existing applications and
easy incorporation of information into other Web Portals.
(http://www.infovista.com/products/product_list.asp#vistaportal)

Description:

PortalSE allows a remote attacker to read any file on the filesystem as it
runs with root privileges by default. It is also susceptible to a directory
revelation issue.  

Technical Details:

During a recent research engagement IRM found multiple vulnerabilities in the
Infovista PortalSE software. Using specially crafted URLs it is possible to
read any file on the filesystem. This is due to the product running with
super-user privileges so it is possible to gain the system's password
hashes. 
 
Additionally, when selecting a non-existent server in the server field then
the response reveals a full directory path, which can be useful to an
attacker in fingerprinting the underlying operating system and directory
structure: -

An error occured while accessing the report '<nonexistentserver>_31457':
No Such Report Generated For You

[-] Hide details

/opt/InfoVista/PortalSE/files/default/<nonexistentserver>/31457/report.html
(No such file or directory)
java.io.FileNotFoundException:
/opt/InfoVista/PortalSE/files/default/<nonexistentserver>/31457/report.html
(No such file or directory)

Vendor & Patch Information:

The vendor has released a hotfix for the directory traversal issue
(IV00038969) which should be applied. The vendor does not deem the
information leakage of the directory path an issue and has not released a
hotfix for this.

Tested Versions:

PortalSE 2.0 Build 20087 on Solaris 8

Credits: 

Research & Advisory: P Robinson

Disclaimer: 

All information in this advisory is provided on an 'as is' basis in the hope
that it will be useful. Information Risk Management Plc is not responsible
for any risks or occurrences caused by the application of this information.
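
Added example, not part of the IRM advisory and not InfoVista's code: a sketch of how a Java report lookup can keep a user-supplied server name inside the report directory and answer a missing report without echoing the filesystem path. It assumes the server field and report ID are joined into the path layout shown in the error output above; the class, method and pattern names are hypothetical, and the inputs in main() are constructed.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

public class ReportLookup {
    // Assumed base directory, taken from the path in the advisory's error output.
    static final Path BASE = Paths.get("/opt/InfoVista/PortalSE/files/default");
    // Allow-list: each field must be a single path component with no separators.
    static final Pattern SERVER = Pattern.compile("[A-Za-z0-9][A-Za-z0-9_.-]{0,63}");
    static final Pattern REPORT_ID = Pattern.compile("[0-9]{1,10}");

    /** Resolves report.html under base, or throws if the inputs are not acceptable. */
    static Path resolve(Path base, String server, String reportId) {
        if (!SERVER.matcher(server).matches() || server.contains("..")
                || !REPORT_ID.matcher(reportId).matches()) {
            throw new IllegalArgumentException("invalid report reference");
        }
        Path root = base.toAbsolutePath().normalize();
        Path target = root.resolve(server).resolve(reportId).resolve("report.html").normalize();
        if (!target.startsWith(root)) { // defence in depth behind the allow-list
            throw new IllegalArgumentException("invalid report reference");
        }
        return target;
    }

    /** Returns the report body, or a generic message that contains no filesystem path. */
    static String fetch(Path base, String server, String reportId) {
        try {
            byte[] body = Files.readAllBytes(resolve(base, server, reportId));
            return new String(body, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException | IOException e) {
            // Log e on the server only: the exception message carries the full path.
            return "No such report generated for you";
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: a traversal attempt, a non-existent server, a bad report ID.
        String[][] cases = { {"../../../etc", "31457"}, {"nonexistentserver", "31457"},
                             {"srv01", "31457/../.."} };
        for (String[] c : cases) {
            System.out.println(c[0] + " / " + c[1] + " -> " + fetch(BASE, c[0], c[1]));
        }
    }
}
```

All three cases return the same generic message, so the response reveals neither the installation path nor whether the input was rejected or simply not found. Running the service under an unprivileged account instead of root additionally limits which files any remaining read flaw could reach.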

 
 



Copyright 2019, SecurityGlobal.net LLC