Nokia Intellisync Mobile Suite Tomcat server source code disclosure
| nokia-tomcat-source-code-disclosure (34183) |
Description:
Nokia's Intellisync Mobile Suite could allow a remote attacker to obtain sensitive information, caused by an unspecified vulnerability in the bundled Apache Tomcat server. An attacker could exploit this vulnerability to view directory listings and cause the script's source code to be displayed.
Note: Nokia Intellisync Wireless Email Express is partially affected by this vulnerability.
*CVSS:
| Base Score: | 3.5 |
| Access Vector: | Remote |
| Access Complexity: | Low |
| Authentication: | Not Required |
| Confidentiality Impact: | Partial |
| Integrity Impact: | None |
| Availability Impact: | None |
| Temporal Score: | 2.6 |
| Exploitability: | Unproven |
| Remediation Level: | Official-Fix |
| Report Confidence: | Confirmed |
Consequences:
Obtain Information
Remedy:
Upgrade to GroupWise Mobile Server version 2, available from the Nokia Web site. See References.
References:
- Nokia Web site: Intellisync Mobile Suite.
- SEC Consult Security Advisory 20070509-0 : Multiple vulnerabilites in Nokia Intellisync Mobile Suite / Wireless Email Express (Information / Source Code Disclosure, Cross Site Scripting, Denial of Service) .
- CVE-2007-2590: Nokia Intellisync Mobile Suite 6.4.31.2, 6.6.0.107, and 6.6.2.2, possibly involving Novell Groupwise Mobile Server and Nokia Intellisync Wireless Email Express, allows remote attackers to obtain user names and other sensitive information via a direct request to (1) usrmgr/userList.asp or (2) usrmgr/userStatusList.asp.
- SA25212: Nokia Intellisync Mobile Suite Multiple Vulnerabilities
- VUPEN/ADV-2007-1727: Nokia Intellisync Mobile Suite Information Disclosure and Denial of Service Issues
Platforms Affected:
- Apache Tomcat 5.0.25
- Nokia Groupwise Mobile Server
- Nokia Intellisync Mobile Suite 6.4.31.2
- Nokia Intellisync Mobile Suite 6.6.0.107
- Nokia Intellisync Mobile Suite 6.6.2.2
- Nokia Intellisync Wireless Email Express
Reported:
May 09, 2007
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
