Hummingbird CyberDocs DocsFusion server invalid login attempt information disclosure

hummingbird-docsfusionserver-disclose-path (13398)

Medium Risk

Description:

Hummingbird CyberDocs DocsFusion server could allow a remote attacker to obtain sensitive information. A remote attacker could attempt to login using invalid credentials, causing the server to return an error that discloses installation path information.

Platforms Affected:

• Hummingbird, CyberDOCS 3.5.1
• Hummingbird, CyberDOCS 3.9
• Hummingbird, CyberDOCS 4.0

Remedy:

For Hummingbird CyberDocs DocsFusion server versions 4.0:
Apply the appropriate patch for your system (Patch 4 or later), available from the Hummingbird Ltd. Web page. See References.

For Hummingbird CyberDocs DocsFusion server version prior to 4.0:
Upgrade to the latest version of Hummingbird (version 4.0), and apply the appropriate patch for your system (Patch 4 or later), available from the Hummingbird Ltd. Web page. See References.

Consequences:

Obtain Information

References:

• Hummingbird Web site, Hummingbird Ltd. Support - CyberDOCS 4.0 Downloads & Patches at http://www.hummingbird.com/support/dkm/supportservices/Cyberdocs.html.
• ProCheckUp Security Bulletin PR03-03, Hummingbird CyberDocs DocsFusion server version 4.0 and prior DocsFusion Webroot disclosure vulnerability. at http://www.procheckup.com/security_info/vuln_pr0303.html.
• BID-8816: Hummingbird CyberDOCS Path Disclosure Vulnerability
• CVE-2003-1101: Hummingbird CyberDOCS 3.5.1, 3.9, and 4.0 allows remote attackers to obtain the full path of the DM Web Server via invalid login credentials, which reveals the path in an error message.
• SA9985: CyberDOCS Multiple Vulnerabilities
• US-CERT VU#715548: Hummingbird CyberDOCS error page discloses web server installation path

Reported:

Oct 09, 2003

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page