Notified:  September 18, 2003 Updated: October 10, 2003

Status

Affected

Vendor Statement

CyberDOCS - Potential to Access CyberDOCS Script Source Code Problem: In CyberDOCS (versions 3.5, 3.9, and 4.0), it is possible to access some CyberDOCS script source code via the browser. Resolution: To resolve this issue, perform the following steps: Start Internet Services Manager (IIS). Expand Default Web Site and select CyberDOCS. In the right-hand pane, select an unprotected file with the ".INC" extension. Right-click and select Properties. On the File tab, clear the check mark from the "Script source access," "Read," and "Write" options. Click OK to save the changes. Repeat steps 3 to 5 for all remaining unprotected "*.INC," "*.ASA," "*.LIC," "*.LOG," "*.Settings," and "*.BAK" files that should be protected. Repeat steps 3 to 6 for other sub-directories that also contain the above unprotected files. NOTE: This process will cause IIS to restart CyberDOCS resulting in all user sessions to be lost. Hummingbird recommends upgrading to the latest release of this product. Reference: SD017067

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.