GE Fanuc Proficy Information Portal HTTP Basic Authentication Information Disclosure Vulnerability

Bugtraq ID:	30754
Class:	Design Error
CVE:	CVE-2008-0174
Remote:	Yes
Local:	No
Published:	Jan 25 2008 12:00AM
Updated:	Nov 10 2008 04:45PM
Credit:	C4
Vulnerable:	GE Fanuc Proficy Real-Time Information Portal 2.6
Not Vulnerable:

GE Fanuc Proficy Information Portal HTTP Basic Authentication Information Disclosure Vulnerability

GE Fanuc Proficy Information Portal is prone to an information-disclosure vulnerability because the application transmits user authentication credential using HTTP basic authentication.

An attacker can exploit this issue to obtain sensitive information, such as user authentication credentials. Information obtained may lead to further attacks.

GE Fanuc Proficy Information Portal 2.6 is vulnerable; other versions may also be affected.

GE Fanuc Proficy Information Portal HTTP Basic Authentication Information Disclosure Vulnerability

An attacker can use readily available network utilities to exploit this issue.

The following exploit code for the Metasploit Framework is available:

• /data/vulnerabilities/exploits/30754.rb

GE Fanuc Proficy Information Portal HTTP Basic Authentication Information Disclosure Vulnerability

Solution:
The vendor has released updates. Please contact the vendor for details.

GE Fanuc Proficy Information Portal HTTP Basic Authentication Information Disclosure Vulnerability

References:

• Proficy Information Portal Homepage (GE Fanuc)
  
• C4 Security Advisory - GE Fanuc Proficy Information Portal 2.6 Authentication Vu ("Eyal Udassin" )
  
• KB12459 (GE Fanuc)