search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Hummingbird CyberDOCS error page discloses web server installation path

Vulnerability Note VU#715548

Original Release Date: 2003-10-09 | Last Revised: 2003-10-10


Hummingbird CyberDOCS contains a vulnerability that could allow a remote attacker to learn the installation path of the web server. This information could be used to support further attacks.


Hummingbird CyberDOCS (Hummingbird DM) is a web-based enterprise document management solution that runs on Windows NT/2000 using SQL database technology. A web page generated on an invalid login attempt discloses the full installation path of the web server.


A remote attacker could determine the complete installation path of the CyberDOCS web server. The attacker may be able to use this information to support other attacks.


Apply a patch or upgrade

For CyberDOCS 4.0, apply Patch 4 from the CyberDOCS support site. For versions of CyberDOCS prior to 4.0, Hummingbird recommends that customers upgrade to the most recent version of CyberDOCS.

Vendor Information


Hummingbird Affected

Notified:  September 18, 2003 Updated: October 09, 2003



Vendor Statement

CyberDOCS - Potential to Reveal CyberDOCS Web Server Installation Path in Error Message

Problem: In CyberDOCS (versions 3.5.1, 3.9, and 4.0), it is possible to display the DM Web Server installation path in certain error messages when incorrect logon credentials are entered.

Resolution: This issue is resolved in CyberDOCS 4.0 Patch 4, which can be downloaded from Hummingbird's website at the following location:


Reference: SD017066

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group Score Vector



This vulnerability was discovered and reported by ProCheckUp.

This document was written by Art Manion.

Other Information

CVE IDs: None
Severity Metric: 0.27
Date Public: 2003-10-06
Date First Published: 2003-10-09
Date Last Updated: 2003-10-10 13:34 UTC
Document Revision: 15

Sponsored by CISA.