CERT home
vulnerabilities & fixesevaluations & practicesresearch & analysistraining & education
homesearchFAQsite indexcontact
Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information
 

 View Notes By
Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric

Vulnerability Note VU#989580

Hummingbird CyberDOCS sets insecure permissions on script source code files

Overview

Hummingbird CyberDOCS running on Microsoft Internet Information Services (IIS) sets insecure permissions on script source code files. A remote attacker could read the contents of unprotected files.

I. Description

Hummingbird CyberDOCS (Hummingbird DM) is a web-based enterprise document management solution that runs on Windows NT/2000 using SQL database technology. CyberDOCS on IIS does not configure the web server to adequately restrict access to script source files.

II. Impact

An unauthenticated, remote attacker could read the script source code contained in files with insecure permissions. Script source code may contain sensitive information such as database credentials.

III. Solution

Modify IIS file permissions

According to Hummingbird:

  1. Start Internet Services Manager (IIS).
  2. Expand Default Web Site and select CyberDOCS.
  3. In the right-hand pane, select an unprotected file with the ".INC" extension.
  4. Right-click and select Properties.
  5. On the File tab, clear the check mark from the "Script source access," "Read," and "Write" options.
  6. Click OK to save the changes.
  7. Repeat steps 3 to 5 for all remaining unprotected "*.INC," "*.ASA," "*.LIC," "*.LOG," "*.Settings," and "*.BAK" files that should be protected.
  8. Repeat steps 3 to 6 for other sub-directories that also contain the above unprotected files.
NOTE: This process will cause IIS to restart CyberDOCS resulting in all user sessions to be lost.

Systems Affected
VendorStatusDate Updated
HummingbirdVulnerable10-Oct-2003

References


http://www.procheckup.com/security_info/vuln_pr0302.html

Credit

This vulnerability was discovered and reported by ProCheckUp.

This document was written by Art Manion.

Other Information

Date Public10/06/2003
Date First Published10/09/2003 06:04:24 PM
Date Last Updated10/10/2003
CERT Advisory 
CVE Name 
Metric1.08
Document Revision20

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

Copyright 2003 Carnegie Mellon University