WebTrends Reporting Center Management Interface Path Disclosure Vulnerability

Vulnerability ID: 1107638  Vulnerability type: Information disclosure
Published: 2004-01-20  Updated: 2004-12-31
CVE ID: CVE-2004-2748  CNNVD-ID: CNNVD-200412-830
Platform: Windows  CVSS score: 4.3
|Vulnerability source
https://www.exploit-db.com/exploits/23559
https://cxsecurity.com/issue/WLB-2007110028
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-830
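|Vulnerability details
WebTrends Reporting Center is a powerful reporting system. The management interface included with WebTrends Reporting Center has a path disclosure issue; a remote attacker can exploit this vulnerability to obtain sensitive information and use it for further attacks against the system. The problem is in the viewreport.pl script of the management interface: submitting invalid data to the 'profileid' parameter returns an error page containing path information, resulting in sensitive information disclosure.
|Exploit (EXP)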
source: http://www.securityfocus.com/bid/9460/info

The WebTrends Reporting Center management interface discloses installation path information when an invalid argument for an interface URI parameter is requested. This information may permit an attacker to enumerate the layout of the underlying file system of the host.

This issue was reported for version 6.1a of the software running on Microsoft Windows. Other platforms and versions may also be affected.

http://www.example.com:1099/viewreport.pl?profileid=dontexist
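
A defender-side check for the error-page behaviour described above, as an added example that is not part of the original advisory: it flags Windows drive-letter or UNC paths in a response body and scrubs them before the page is returned. The function names and the sample error page (including its path) are constructed for illustration; the advisory does not show the real WebTrends error text.

```python
import re
from typing import List

# Matches Windows absolute paths: C:\dir\file, C:/dir/file, or \\host\share\file.
_WIN_PATH = re.compile(
    r"""(?<![A-Za-z0-9])                 # not inside a word or a URL scheme
        (?:[A-Za-z]:[\\/]                # drive-letter root
          |\\\\[\w.$-]+\\)               # or UNC root
        (?:[^\\/:*?"<>|\r\n]+[\\/])*     # directories (may contain spaces)
        [^\\/:*?"<>|\s]*                 # final component
    """,
    re.VERBOSE,
)


def find_path_leaks(body: str) -> List[str]:
    """Return every Windows filesystem path found in a response body."""
    return [m.group(0) for m in _WIN_PATH.finditer(body)]


def scrub_error_page(body: str, placeholder: str = "[path removed]") -> str:
    """Replace filesystem paths so the error page no longer reveals layout."""
    return _WIN_PATH.sub(placeholder, body)


# Constructed sample: an error page of the kind the advisory describes,
# returned for an unknown profileid. The path is invented for this example.
SAMPLE_ERROR = (
    "<html><body><h1>Error</h1>"
    "<p>Cannot open profile 'dontexist' in "
    r"D:\Apps\Reporting Center\profiles\dontexist.ini</p>"
    "</body></html>"
)

# Constructed sample: the generic error page a fixed handler should return.
CLEAN_ERROR = (
    "<html><body><h1>Error</h1>"
    "<p>The requested profile was not found.</p></body></html>"
)

if __name__ == "__main__":
    for name, page in (("leaky", SAMPLE_ERROR), ("clean", CLEAN_ERROR)):
        print(name, find_path_leaks(page))
    print(scrub_error_page(SAMPLE_ERROR))
```
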
|References

Source: SECTRACK
Name: 1008799
Link: http://www.securitytracker.com/id?1008799
Source: BID
Name: 9460
Link: http://www.securityfocus.com/bid/9460
Source: BUGTRAQ
Name: 20040120 WebTrends Reporting Center Path Disclosure vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/350419/30/21610/threaded
Source: OSVDB
Name: 3680
Link: http://www.osvdb.org/3680
Source: SECUNIA
Name: 10689
Link: http://secunia.com/advisories/10689
Source: SREASON
Name: 3354
Link: http://securityreason.com/securityalert/3354
Source: NSFOCUS
Name: 5963
Link: http://www.nsfocus.net/vulndb/5963