-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

@stake, Inc.
www.atstake.com

Security Advisory

Advisory Name: Vignette Application Portal Unauthenticated Diagnostics
Release Date: 09-28-2004
Application: Vignette Application Portal
Platform: Multiple
Severity: Unauthenticated diagnostic functionality and information disclosure
Author: Cory Scott
Vendor Status: Vendor has published remediation advice
CVE Candidate: CAN-2004-0917
Reference: www.atstake.com/research/advisories/2004/a092804-1.txt


Overview:

Vignette Application Portal is a portal framework that runs on a variety of application servers and platforms. As part of the deployed framework, there is a diagnostic utility that discloses significant detail on the configuration of the application server, operating system, and Vignette application. The diagnostic utility, which is installed by default, exposes details such as application server and operating system version, database connection parameters, and bean IDs that are used for access to Vignette portal resources.

In the default installation of the Vignette software, the utility is not secured against anonymous and unauthenticated access. Since many portal deployments are on the Internet or exposed to untrusted networks, this results in an information disclosure vulnerability. Vignette documentation does not give deployment advice to either alert administrators to the diagnostic utility's exposure or to restrict access to the utility.

In addition, the utility performs a set of diagnostic checks that results in system load and outbound network connections to test portal functionality.


Details:

To access the diagnostic utility, a user makes a web request to /portal/diag/


Vendor Response:

After notification by @stake, Vignette published a knowledge base article (KB 6947) with remediation advice. It is accessible by Vignette customers only.


Recommendation:

Restrict access to the diag directory on the web server or application server.

Ultimately, it would make sense for Vignette to authenticate user requests to the diagnostic utility and implement access control.


Common Vulnerabilities and Exposures (CVE) Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

CAN-2004-0917 Vignette Application Portal Unauthenticated Diagnostics


@stake Vulnerability Reporting Policy:
http://www.atstake.com/research/policy/

@stake Advisory Archive:
http://www.atstake.com/research/advisories/

PGP Key:
http://www.atstake.com/research/pgp_key.asc

Copyright 2004 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQVlzF0e9kNIfAm4yEQLJjwCcDEFnnacQTF/IOQJTFm3jNZqx4d4AnRZa
W5HemU39ASDoyjnwrbmTQmvU
=ZeJY
-----END PGP SIGNATURE-----
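Added example, not part of the @stake advisory or of Vignette's software: once access to the diag directory has been restricted as recommended above, the web server's access log can be audited for requests to /portal/diag/ that were still served to clients outside the administrative network. The Common Log Format input, the admin network 10.20.0.0/24, case-insensitive path matching and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Assumption: networks allowed to reach the diagnostic utility (constructed value).
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]
DIAG_PREFIX = "/portal/diag"  # path named in the advisory

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def is_diag_path(target):
    """True if the request target resolves to the diag directory or below."""
    path = unquote(target.split("?", 1)[0])            # drop query, decode %xx
    # Collapse //, ./ and ../ ; lower-casing is a conservative assumption.
    path = ("/" + posixpath.normpath(path).lstrip("/")).lower()
    return path == DIAG_PREFIX or path.startswith(DIAG_PREFIX + "/")

def audit(lines):
    """Return (client, time, target, verdict) for every diag request logged."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m or not is_diag_path(m.group(4)):
            continue
        client, when, _method, target, status = m.groups()
        try:
            internal = any(ipaddress.ip_address(client) in n for n in ADMIN_NETS)
        except ValueError:          # hostname instead of an IP: treat as untrusted
            internal = False
        if status in ("401", "403", "404"):
            verdict = "blocked"     # the restriction answered the request
        elif status.startswith("2"):
            verdict = "admin" if internal else "EXPOSED"
        else:
            verdict = "review"      # redirects, 5xx: inspect by hand
        findings.append((client, when, target, verdict))
    return findings

# Constructed sample log lines using documentation address ranges.
SAMPLE = [
    '203.0.113.7 - - [28/Sep/2004:10:01:02 +0000] "GET /portal/diag/ HTTP/1.1" 200 18324',
    '10.20.0.5 - - [28/Sep/2004:10:02:00 +0000] "GET /portal/diag/ HTTP/1.1" 200 18324',
    '198.51.100.9 - - [28/Sep/2004:10:03:10 +0000] "GET /portal//%64iag/?x=1 HTTP/1.1" 403 512',
    '198.51.100.9 - - [28/Sep/2004:10:04:30 +0000] "GET /portal/diagnostics.html HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Any EXPOSED row means the diagnostic output was returned to a client outside the admin network, so the database connection parameters and other details it discloses should be treated as known to that client.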