Cisco Content Services Switch Directory Structure File Reading Vulnerability
BID:2331
Info
| Bugtraq ID: | 2331 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Jan 31 2001 12:00AM |
| Updated: | Jan 31 2001 12:00AM |
| Credit: | This vulnerability was announced to Bugtraq in a Cisco Security Advisory dated January 31, 2001. It was initially discovered by Ollie Whitehouse. |
| Vulnerable: | Cisco WebNS 4.0.1; Cisco WebNS 4.0; Cisco WebNS 3.1; Cisco WebNS 3.0 |
| Not Vulnerable: | |
Discussion
The Cisco Content Services (CSS) switches are hardware devices designed to provide enhanced web services for e-commerce and web content delivery using Cisco Web Network Services (WebNS). The CSS switch is distributed by Cisco Systems.
A problem with the WebNS software could allow a local user to access restricted resources. CSS switches give users access to certain functions on the switch while enforcing access control to prevent reading and changing the switch configuration. Due to a problem in the handling of input, a user can gain information about the directory structure by executing commands that request non-existent filenames. Once the directory structure is known, it is then possible to read files within the directory.
This problem makes it possible for a malicious local user to map the directory tree and read files that may contain sensitive information.
Exploit / POC
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
Solution:
Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].