PR06-01: SiteScape Forum webroot disclosure

Date found: 23rd January 2006

Vulnerable: 7.2 and possibly earlier versions.

Severity: Low

CVE Candidate: CVE-2006-2677

Credits: Richard Brain of ProCheckUp Ltd (www.procheckup.com)

Description:

The SiteScape Forum configuration file 'avf.rc' discloses the server's webroot.

REQUEST:

https://[target]/forum/avf.rc

RESULT:

The 'avf.rc' file is downloaded:

Contents e.g.

Wgw_BaseDirectory D:/SSF

Consequences:

If exploited, this can lead to information being disclosed that may be valuable to a malicious person.

Fix:

Please contact SiteScape to obtain the necessary patches.

References:

http://www.procheckup.com/Vulnerability_2006.php
http://www.sitescape.com

Legal:

Copyright 2007 ProCheckUp Ltd.

All rights reserved. Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if the Bulletin is not changed or edited in any way, is attributed to ProCheckUp indicating this web page URL, and provided such reproduction and/or distribution is performed for non-commercial purposes.

Any other use of this information is prohibited.

ProCheckUp is not liable for any misuse of this information by any third party. ProCheckUp is not responsible for the content of external Internet sites.