Vulnerability Note VU#989580

Hummingbird CyberDOCS sets insecure permissions on script source code files

Original Release date: 09 Oct 2003 | Last revised: 10 Oct 2003


Hummingbird CyberDOCS running on Microsoft Internet Information Services (IIS) sets insecure permissions on script source code files. A remote attacker could read the contents of unprotected files.


Hummingbird CyberDOCS (Hummingbird DM) is a web-based enterprise document management solution that runs on Windows NT/2000 using SQL database technology. CyberDOCS on IIS does not configure the web server to adequately restrict access to script source files.


An unauthenticated, remote attacker could read the script source code contained in files with insecure permissions. Script source code may contain sensitive information such as database credentials.


Modify IIS file permissions

According to Hummingbird:

  1. Start Internet Services Manager (IIS).
  2. Expand Default Web Site and select CyberDOCS.
  3. In the right-hand pane, select an unprotected file with the ".INC" extension.
  4. Right-click and select Properties.
  5. On the File tab, clear the check mark from the "Script source access," "Read," and "Write" options.
  6. Click OK to save the changes.
  7. Repeat steps 3 to 5 for all remaining unprotected "*.INC," "*.ASA," "*.LIC," "*.LOG," "*.Settings," and "*.BAK" files that should be protected.
  8. Repeat steps 3 to 6 for other sub-directories that also contain the above unprotected files.
NOTE: This process will cause IIS to restart CyberDOCS resulting in all user sessions to be lost.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
HummingbirdAffected17 Sep 200310 Oct 2003
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



This vulnerability was discovered and reported by ProCheckUp.

This document was written by Art Manion.

Other Information

  • CVE IDs: Unknown
  • Date Public: 06 Oct 2003
  • Date First Published: 09 Oct 2003
  • Date Last Updated: 10 Oct 2003
  • Severity Metric: 1.08
  • Document Revision: 20


If you have feedback, comments, or additional information about this vulnerability, please send us email.