Modular Site Management System (MSMS) 'ver.asp' May Disclose System Information to Remote Users
SecurityTracker Alert ID: 1009929
CVE Reference: GENERIC-MAP-NOMATCH
Date: Apr 23 2004
Impact: Disclosure of system information, Disclosure of user information
Exploit Included: Yes
Version(s): 0.2.1
Description: CyberTal0n reported an information disclosure vulnerability in Modular Site Management System (MSMS). A remote user can determine information about the server.
It is reported that a remote user can invoke the 'ver.asp' file to cause the system to display potentially sensitive information about the server's configuration.
A demonstration exploit URL is provided:
http://[target]/msms/ver.asp
Impact: A remote user can view certain system and application configuration information.
Solution: No solution was available at the time of this entry.
Vendor URL: www.pwnewmedia.co.uk/site/msmsfamily/
Cause: Access control error, Configuration error
Underlying OS: Windows (Any)
Message History:
None.
Source Message Contents
Date: Fri, 23 Apr 2004 17:00:07 -0400
Subject: MSMS 0.2.1 lets remote users view sensitive details about the server
MSMS 0.2.1 lets remote users view sensitive details about the server
Found by: CyberTalon
1. Problem
2. Exploit
3. Info
1. MSMS 0.2.1 Portal has a file accessible remotely by users that displays sensitive
details about the server and software's configuration and such. The file is msms/ver.asp.
2. www.site.com/msms/ver.asp
3. Vendor URL: www.pwnewmedia.co.uk/msmsfamily
-C