| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: advisory at stgsecurity.com (SSR Team) Subject: STG Security Advisory: [SSA-20031025-05] InfronTech WebTide 7.04 Directory and File Disclosure Vulnerability -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 STG Security Advisory: [SSA-20031025-05] InfronTech WebTide 7.04 Directory and File Disclosure Vulnerability Revision 1.0 Date Published: 2003-10-25 (KST) Last Update: 2003-10-25 Disclosed by SSR Team (advisory@...security.com) Abstract ======== InfronTech's J2EE Web Application Server, WebTide, is a localized product of PowerTier 7.0 developed by Persistence Software. The WebTide has a vulnerability disclosuring directories and files on a web server through a request. Vulnerability Class =================== Implementation Error: Inappropriate Implementation Details ======= Being implemented inappropriately, the WebTide has a vulnerability disclosuring directories and files on a web server through %3f.jsp request. This vulnerability revives following reports on the same vulnerability of other JSP engines without discrimination: http://lists.insecure.org/lists/vuln-dev/2001/Nov/0339.html http://www.securityfocus.com/advisories/3689 Impact ====== Directory and file disclosure Solution ========= Upgrade to WebTide 7.05 or higher versions Vulnerable Products ================ WebTide 7.04 and prior Vendor Status: Notified ======================= 2003-10-13 Infrontech notified. 2003-10-15 Second attempt to contact the vendor. 2003-10-15 Vendor replied their new versions are not vulnerable. 2003-10-15 SSR Team tested and confirmed. 2003-10-23 Third attempt to contact the vendor. 2003-10-25 Public disclosure. Credits ====== Jeremy Bae at STG Security About STG Security ================= STG Security Inc. is a affiliated company of STG Group which has its head office in the States founded in march 2000. Its core business area is professional penetration testing, security code review and BS7799 consulting services. http://www.stgsecurity.com/ Phone +82-2-6333-4500 FAX +82-2-6333-4545 -----BEGIN PGP SIGNATURE----- Version: PGP 8.0 iQA/AwUBP54PxT9dVHd/hpsuEQIuQwCcC7uKt7+T50MjPATTaopGwZxpWxoAnRF/ idN8aRqYT1gIWcmWYN6XtguN =WE+k -----END PGP SIGNATURE----- -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: WebTide-Eng.txt Url: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031028/19c0b78a/WebTide-Eng.txt
Powered by blists - more mailing lists