Powerschool Javascript File Request Information Disclosure Vulnerability

Bugtraq ID:	22611
Class:	Input Validation Error
CVE:	CVE-2007-1044
Remote:	Yes
Local:	No
Published:	Feb 19 2007 12:00AM
Updated:	May 12 2015 07:34PM
Credit:	[email protected] reported this issue.
Vulnerable:	Pearson Education PowerSchool 5.1.2 Pearson Education PowerSchool 4.3.6
Not Vulnerable:

Powerschool Javascript File Request Information Disclosure Vulnerability

Powerschool is prone to an information-disclosure vulnerability because the application discloses information about administrative session variables.

An attacker can exploit these issue to obtain sensitive information that may aid in other attacks.

This issue affects Powerschool 4.3.6; other versions may also be affected.

UPDATE: Powerschool 5.1.2 is also reportedly affected by this issue, in a limited fashion.

Powerschool Javascript File Request Information Disclosure Vulnerability

An attacker can exploit this issue by using a browser.

The following proof of concept is available:

http://www.example.com/admin/.js

Powerschool Javascript File Request Information Disclosure Vulnerability

Solution:
Currently we are not aware of any solutions for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Powerschool Javascript File Request Information Disclosure Vulnerability

References:

• Powerschool Homepage (Pearson Education )
  
• Powerschool 404 Admin Exposure ([email protected])
  
• Re: Powerschool 404 Admin Exposure ([email protected])