Nokia Intellisync Mobile Suite Tomcat server source code disclosure

nokia-tomcat-source-code-disclosure (34183) The risk level is classified as LowLow Risk

Description:

Nokia's Intellisync Mobile Suite could allow a remote attacker to obtain sensitive information, caused by an unspecified vulnerability in the bundled Apache Tomcat server. An attacker could exploit this vulnerability to view directory listings and cause the script's source code to be displayed.

Note: Nokia Intellisync Wireless Email Express is partially affected by this vulnerability.

Platforms Affected:

  • Apache, Tomcat 5.0.25
  • Nokia, Groupwise Mobile Server
  • Nokia, Intellisync Mobile Suite 6.4.31.2
  • Nokia, Intellisync Mobile Suite 6.6.0.107
  • Nokia, Intellisync Mobile Suite 6.6.2.2
  • Nokia, Intellisync Wireless Email Express

Remedy:

Upgrade to GroupWise Mobile Server version 2, available from the Nokia Web site. See References.

Consequences:

Obtain Information

References:

  • Nokia Web site, Intellisync Mobile Suite at http://usa.nokia.com/A4179208.
  • SEC Consult Security Advisory 20070509-0 , Multiple vulnerabilites in Nokia Intellisync Mobile Suite / Wireless Email Express (Information / Source Code Disclosure, Cross Site Scripting, Denial of Service) at http://www.sec-consult.com/289.html.
  • CVE-2007-2590: Nokia Intellisync Mobile Suite 6.4.31.2, 6.6.0.107, and 6.6.2.2, possibly involving Novell Groupwise Mobile Server and Nokia Intellisync Wireless Email Express, allows remote attackers to obtain user names and other sensitive information via a direct request to (1) usrmgr/userList.asp or (2) usrmgr/userStatusList.asp.
  • SA25212: Nokia Intellisync Mobile Suite Multiple Vulnerabilities
  • VUPEN/ADV-2007-1727: Nokia Intellisync Mobile Suite Information Disclosure and Denial of Service Issues

Reported:

May 09, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page