Maximo Self Service information disclosure
maximo-information-disclosure (20452)
Description:
Maximo could allow a remote attacker to obtain sensitive information because files in the Self Service application are improperly protected. A remote attacker using the Tomcat server could exploit this vulnerability to obtain sensitive information, such as user passwords.
Consequences:
Obtain Information
Remedy:
No remedy available as of July 9, 2011.
References:
- Maximo Web page: Maximo / Overview.
- BID-13508: MRO Maximo Unauthorized Script Disclosure Vulnerability
- CVE-2005-1601: MRO Maximo Self Service 4 and 5 stores certain information under the web document root using file extensions that are not processed by Tomcat, which allows remote attackers to obtain sensitive information via a direct request for the file, such as MXServer.properties.
- OSVDB ID: 16161: MRO Maximo Nonexecutable File Remote Disclosure
- SA15176: MRO Maximo Disclosure of Sensitive Information
Platforms Affected:
- IBM Maximo 4
- IBM Maximo 5
Reported:
May 09, 2005
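A defender-side check for the condition CVE-2005-1601 describes, given here as an added example that is not part of the advisory or of any vendor tooling: it walks a web document root and lists files that the container would neither execute nor treat as intended static content, flagging those that appear to hold credentials. The extension sets, the secret keywords and the sample tree (including its property keys) are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumptions (not from the advisory): which extensions the container executes,
# which are intended public static content, and which strings hint at secrets.
PROCESSED_EXTS = {".jsp", ".jspx"}
PUBLIC_EXTS = {".html", ".htm", ".css", ".js", ".gif", ".jpg", ".png", ".ico"}
SECRET_HINTS = ("password", "passwd", "pwd")
# WEB-INF and META-INF are never served directly by a servlet container.
PROTECTED_DIRS = {"web-inf", "meta-inf"}

def audit_docroot(docroot):
    """Return sorted [(relative_path, has_secret_hint)] for files served as-is."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(docroot):
        dirnames[:] = [d for d in dirnames if d.lower() not in PROTECTED_DIRS]
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext in PROCESSED_EXTS or ext in PUBLIC_EXTS:
                continue  # executed by the container, or meant to be public
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="ignore") as fh:
                text = fh.read(65536).lower()
            rel = os.path.relpath(path, docroot).replace(os.sep, "/")
            findings.append((rel, any(h in text for h in SECRET_HINTS)))
    return sorted(findings)

def build_sample_docroot():
    """Constructed sample tree (not real Maximo content) so the check runs offline."""
    root = tempfile.mkdtemp(prefix="docroot_")
    files = {
        "index.jsp": "<% out.println(1); %>",
        "style.css": "body {}",
        "MXServer.properties": "db.user=example\ndb.password=CONSTRUCTED-VALUE\n",
        "WEB-INF/app.properties": "db.password=CONSTRUCTED-VALUE\n",
        "notes.txt": "release notes",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, hint in audit_docroot(build_sample_docroot()):
        print(("SECRET? " if hint else "exposed ") + rel)
```

Files the check reports belong outside the document root or under WEB-INF, where a direct request cannot reach them.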
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
