Date: Mon, 3 Dec 2007 11:26:54 -0500
From: "guiness.stout" <guinness.stout@...il.com>
To: research@...checkup.com
Cc: bugtraq@...urityfocus.com
Subject: Re: PR06-08: BEA Plumtree portal internal hostname disclosure vulnerability

I have verified this as well as PR06-09 and PR06-11 in version 6.1.0.240495.

On 1 Dec 2007 21:04:34 -0000, <research@...checkup.com> wrote:
> PR06-08: BEA Plumtree portal internal hostname disclosure vulnerability
>
>
> Description:
>
>
> BEA Plumtree portal is vulnerable to an internal hostname disclosure vulnerability.
>
>
> The internal hostname of the server hosting BEA Plumtree portal is always included at the bottom of every requested HTML page within HTML comments.
>
>
> Date Found: 12th September 2006
>
>
> Vendor contacted: 18th May 2007
>
>
> Vulnerable: BEA Plumtree 5.0.2, 5.0.3, 5.0.4, 6.0.1.218452 and possibly other versions.
>
>
> Severity: Low
>
>
> Authors: Adrian Pastor and Jan Fry from ProCheckUp Ltd (www.procheckup.com)
>
>
> ProCheckUp thanks BEA for working with us.
>
>
> Vendor Status: Confirmed
>
>
> CVE Candidate: Not assigned
>
>
> Proof of concept:
>
>
> The following is an example of the internal hostname of Plumtree server disclosed within HTML comments:
>
>
> <!--Hostname: websvr01-->
>
>
> Consequences:
>
>
> This information could be useful to a malicious user attempting to gain illegal access to resources on internal systems.
>
>
> By following internal hostname naming conventions, an attacker could predict other internal hostnames as well. For instance, if Plumtree portal is running on a server with an internal hostname of websvr01, an attacker could predict other internal hostnames such as websvr01, websvr02, websvr03 and so on.
>
>
> Fix:
>
>
> This has been addressed in AquaLogic Interaction 6.1 MP1. This can also be addressed by making config changes in ALUI 6.x versions.
>
>
> References:
>
>
> http://www.procheckup.com/Vulnerability_2007.php
>
> http://dev2dev.bea.com/pub/advisory/251
>
> http://www.plumtree.com/
>
>
>

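The check described in the advisory above, written as an added example for this archive page; it is not code from ProCheckUp, BEA, or the original posters. It scans an HTML response body for comments of the form `<!--Hostname: websvr01-->` that the advisory shows, and then applies the naming-convention inference the Consequences section describes (incrementing the numeric suffix to predict sibling hosts). The only format the advisory confirms is the exact comment shown; the whitespace tolerance and case-insensitive match are assumptions so that the scanner also catches minor variations. The sample page is constructed, not captured from a real Plumtree server.

```python
import re
from typing import List

# Generic HTML comment matcher (non-greedy, spans newlines).
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)

# The advisory shows "<!--Hostname: websvr01-->". Matching is made case-insensitive
# and whitespace-tolerant as an assumption; only the exact form is confirmed.
HOSTNAME_COMMENT = re.compile(r"^\s*hostname\s*:\s*([A-Za-z0-9._-]+)\s*$", re.IGNORECASE)


def find_hostname_comments(html: str) -> List[str]:
    """Return every internal hostname leaked in an HTML comment of the response body."""
    found = []
    for m in HTML_COMMENT.finditer(html):
        hm = HOSTNAME_COMMENT.match(m.group(1))
        if hm:
            found.append(hm.group(1))
    return found


def predict_sibling_hostnames(hostname: str, count: int = 3) -> List[str]:
    """Given a name like 'websvr01', return the next `count` names that follow the same
    numbering convention (zero-padding preserved). Names without a numeric suffix yield []."""
    m = re.fullmatch(r"(.*?)(\d+)", hostname)
    if not m:
        return []
    prefix, digits = m.group(1), m.group(2)
    width = len(digits)
    start = int(digits)
    return [f"{prefix}{n:0{width}d}" for n in range(start + 1, start + 1 + count)]


# Constructed sample response body (assumed layout; not a real Plumtree page).
SAMPLE_PAGE = """<html><head><title>Portal</title></head>
<body>
<!-- standard layout comment -->
<p>Welcome</p>
</body></html>
<!--Hostname: websvr01-->
"""

if __name__ == "__main__":
    hosts = find_hostname_comments(SAMPLE_PAGE)
    print("leaked hostnames:", hosts)
    for h in hosts:
        print(h, "-> predicted siblings:", predict_sibling_hostnames(h))
```

To audit a live portal, fetch the page body with any HTTP client and pass it to `find_hostname_comments`; an empty list after applying the ALUI 6.1 MP1 fix (or the config change mentioned in the advisory) confirms the comment is no longer emitted.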