Hummingbird CyberDocs DocsFusion server files containing source script code can be accessed
| hummingbird-docsfusionserver-file-access (13397) |  Medium Risk |
Description:
Hummingbird CyberDocs DocsFusion server, running on Microsoft Internet Information Services (IIS), could allow a remote attacker to obtain sensitive information, caused by insecure permissions. A remote attacker could access source files that contain source code to obtain sensitive information.
Platforms Affected:
- Hummingbird, CyberDOCS 3.5
- Hummingbird, CyberDOCS 3.9
- Hummingbird, CyberDOCS 4.0
Remedy:
No remedy available as of October 2003.
As a workaround, modify the IIS file permissions, as listed in CERT Vulnerability Note VU#989580. See References.
Consequences:
Obtain Information
References:
- ProCheckUp Security Bulletin PR03-02, Hummingbird CyberDocs DocsFusion server 2.12 and prior program source code reading vulnerability at http://www.procheckup.com/security_info/vuln_pr0302.html.
- CVE-2003-1102: Hummingbird CyberDOCS 3.5, 3.9, and 4.0, when running on IIS, uses insecure permissions for script source code files, which allows remote attackers to read the source code.
- SA9985: CyberDOCS Multiple Vulnerabilities
- US-CERT VU#989580: Hummingbird CyberDOCS sets insecure permissions on script source code files
Reported:
Oct 09, 2003
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net