3Com TippingPoint SMS Server management interface information disclosure

tippingpoint-sms-information-disclosure (26338) The risk level is classified as Low Risk

Description:

3Com TippingPoint SMS (Security Management System) Server could allow a remote attacker to obtain sensitive information, caused by insecure permissions on certain Web management interface directories. An attacker could exploit this vulnerability to bypass authentication and obtain sensitive information, including configuration information if the vulnerable device was being used for backup purposes.


Consequences:

Obtain Information

Remedy:

Upgrade to the latest version of TippingPoint SMS Server (2.2.1.4478 or later), as listed in 3Com Security Alert: 3COM-06-002. See References.

References:

  • 3Com Security Alert: 3COM-06-002 : TippingPoint SMS Information Disclosure.
  • ZDI-06-013: 3Com TippingPoint SMS Server Information Disclosure Vulnerability.
  • BID-17935: 3Com TippingPoint SMS Information Disclosure Vulnerability
  • CVE-2006-0993: The web management interface in 3Com TippingPoint SMS Server before 2.2.1.4478 does not restrict access to certain directories, which might allow remote attackers to obtain potentially sensitive information such as configuration settings.
  • OSVDB ID: 25360: 3Com TippingPoint SMS Server Permission Weakness Remote Information Disclosure
  • SA20058: 3Com TippingPoint SMS Server Information Disclosure
  • SECTRACK ID: 1016051: TippingPoint SMS Server May Disclose Potentially Sensitive Information to Remote Users

Platforms Affected:

  • 3Com TippingPoint SMS Server 2.2.1.4477

Reported:

May 09, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com
