exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

IRM Security Advisory 17

IRM Security Advisory 17
Posted Feb 26, 2006
Authored by IRM Research, IRM Advisories | Site irmplc.com

IRM Security Advisory No. 017 - PortalSE version 2.0 allows a remote attacker to read any file on the filesystem as it runs with root privileges by default. It is also susceptible to a directory revelation issue.

tags | advisory, remote, root
SHA-256 | f8316bbc40f81a1d40c3e902f0af3406d89e4ee05c47d023e44a90dfd9660f25

IRM Security Advisory 17

Change Mirror Download
----------------------------------------------------------------------
IRM Security Advisory No. 017

Multiple Vulnerabilities in Infovista Portal SE

Vulnerability Type / Importance: Directory Traversal / High
Information Leakage / Low

Problem Discovered: January 20th 2006
Vendor Contacted: January 20th 2006
Advisory Published: February 22nd 2006
----------------------------------------------------------------------

Abstract:

VistaPortal enables secure, browser-based access to service-centric
performance information. The easy implementation, display and design of
Portal-based dashboards and reports give accurate visibility into the
performance of the entire global IT infrastructure. VistaPortal allows users
to simultaneously view Key Performance Indicators (KPIs), real-time
performance notifications and strategic business information, from which
users can drill down to related real-time and historical reports residing in
VistaMart, the InfoVista Server and VistaTroubleshooter. VistaPortal
delivers rich, interactive content within a standards-based, open
architecture that allows seamless integration with existing applications and
easy incorporation of information into other Web Portals.
(http://www.infovista.com/products/product_list.asp#vistaportal)

Description:

PortalSE allows a remote attacker to read any file on the filesystem as it
runs with root privileges by default. It is also susceptible to a directory
revelation issue.

Technical Details:

During a recent research engagement IRM found multiple vulnerabilites in the
Infovista PortalSE software. Using specially crafted URLs it is possible to
read any file on the filesystem. This is due to the product running with
super-user privileges so it is possible to gain the system's password
hashes.

Additionally, when selecting a non-existent server in the server field then
the response reveals a full directory path, which can be useful to an
attacker in fingerprinting the underlying operating system and directory
structure: -

An error occured while accessing the report '<nonexistentserver>_31457':
No Such Report Generated For You

[-] Hide details

/opt/InfoVista/PortalSE/files/default/<nonexistentserver>/31457/report.html
(No such file or directory)
java.io.FileNotFoundException:
/opt/InfoVista/PortalSE/files/default/<nonexistentserver>/31457/report.html
(No such file or directory)

Vendor & Patch Information:

The vendor has released a hotfix for the directory traversal issue
(IV00038969) which should be applied. The vendor does not deem the
information leakage of the directory path an issue and has not released a
hotfix for this.

Tested Versions:

PortalSE 2.0 Build 20087 on Solaris 8

Credits:

Research & Advisory: P Robinson

Disclaimer:

All information in this advisory is provided on an 'as is' basis in the hope
that it will be useful. Information Risk Management Plc is not responsible
for any risks or occurrences caused by the application of this information.

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close