STG Security Advisory: [SSA-20031025-05] InfronTech WebTide 7.04 Directory and File Disclosure Vulnerability

advisory_at_stgsecurity.com
Date: 10/29/03

    Date: 29 Oct 2003 01:19:41 -0000
    To: bugtraq@securityfocus.com

    STG Security Advisory: [SSA-20031025-05] InfronTech WebTide 7.04 Directory
    and File Disclosure Vulnerability

    Revision 1.0
    Date Published: 2003-10-25 (KST)
    Last Update: 2003-10-25
    Disclosed by SSR Team (advisory@stgsecurity.com)

    Abstract
    ========
    InfronTech's J2EE Web Application Server, WebTide, is a localized version of
    PowerTier 7.0, developed by Persistence Software. WebTide has a
    vulnerability that discloses directories and files on the web server in
    response to a request.

    Vulnerability Class
    ===================
    Implementation Error: Inappropriate Implementation

    Details
    =======
    Because of an inappropriate implementation, WebTide discloses directories
    and files on the web server in response to a %3f.jsp request.

    This is the same vulnerability previously reported, in the following
    reports, for other JSP engines; WebTide is affected in the same way:

    http://lists.insecure.org/lists/vuln-dev/2001/Nov/0339.html
    http://www.securityfocus.com/advisories/3689
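
    The advisory only states that a %3f.jsp request (an encoded "?" that survives
    URL decoding into the path) triggers the disclosure, so the most useful thing
    a defender can take from it is a way to spot such requests in access logs.
    The following is an added example written for this page, not code from the
    advisory, STG Security or InfronTech. It assumes Common Log Format access
    logs; the sample log lines are constructed for illustration. The check is
    written generally: it flags any percent-encoded URL-reserved character ("?"
    or "#") that ends up inside the decoded path, so it covers %3f, %3F and the
    analogous %23 case, which goes beyond the single form named in the advisory.

```python
"""
Detect requests whose decoded path contains a URL-reserved character,
e.g. the "%3f.jsp" (encoded "?.jsp") request from SSA-20031025-05.

Added example: not part of the advisory or of any vendor code.
Assumes Common Log Format; sample lines below are constructed.
"""
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target HTTP/x" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# "?" starts the query string and "#" the fragment; neither can legitimately
# appear inside a decoded path segment, so an encoded one is a red flag.
RESERVED_IN_PATH = set('?#')


def suspicious_path(raw_target: str) -> bool:
    """Return True if the request target hides a reserved char in its path.

    The raw (still encoded) target is split at the first literal '?' so that
    a genuine query string such as '/search.jsp?q=%3f' is not flagged; only
    percent-encoded reserved characters inside the path itself count.
    """
    path = raw_target.split('?', 1)[0]
    if '%' not in path:           # nothing encoded, nothing to hide
        return False
    decoded = unquote(path)       # single decode, as a typical server does
    return any(ch in RESERVED_IN_PATH for ch in decoded)


def scan_log(lines):
    """Return (host, target, status) for every suspicious request in the log."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue             # skip malformed or non-CLF lines
        if suspicious_path(m.group('target')):
            hits.append((m.group('host'), m.group('target'),
                         int(m.group('status'))))
    return hits


# Constructed sample log lines (not taken from the advisory or a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Oct/2003:10:01:12 +0900] "GET /index.jsp HTTP/1.0" 200 1532',
    '10.0.0.5 - - [25/Oct/2003:10:01:15 +0900] "GET /app/%3f.jsp HTTP/1.0" 200 8810',
    '10.0.0.7 - - [25/Oct/2003:10:02:03 +0900] "GET /app/%3F.jsp HTTP/1.1" 200 8810',
    '10.0.0.9 - - [25/Oct/2003:10:03:44 +0900] "GET /search.jsp?q=%3f HTTP/1.1" 200 700',
    '10.0.0.9 - - [25/Oct/2003:10:04:01 +0900] "GET /docs/a%20b.jsp HTTP/1.1" 200 512',
]

if __name__ == '__main__':
    for host, target, status in scan_log(SAMPLE_LOG):
        print(f'{host} requested {target} -> HTTP {status}')
```

    Only the two %3f/%3F requests are reported; the literal query string and the
    harmless %20 are not. The helper decodes once, as most servers do; if a
    front-end is known to decode twice, loop the decode until the string stops
    changing before applying the check. A status of 200 on such a request is
    the signal that the listing or file was actually served.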

    Impact
    ======
    Directory and file disclosure

    Solution
    ========
    Upgrade to WebTide 7.05 or later

    Vulnerable Products
    ===================
    WebTide 7.04 and prior

    Vendor Status: Notified
    =======================
    2003-10-13 InfronTech notified.
    2003-10-15 Second attempt to contact the vendor.
    2003-10-15 Vendor replied their new versions are not vulnerable.
    2003-10-15 SSR Team tested and confirmed.
    2003-10-23 Third attempt to contact the vendor.
    2003-10-25 Public disclosure.

    Credits
    =======
    Jeremy Bae at STG Security

    About STG Security
    ==================
    STG Security Inc. is an affiliate of STG Group, which has its head office
    in the United States and was founded in March 2000. Its core business areas
    are professional penetration testing, security code review and BS7799
    consulting services.

    http://www.stgsecurity.com/

    Phone +82-2-6333-4500
    FAX +82-2-6333-4545

