Kiwi Syslog Server Information Disclosure Weakness and Vulnerability

Summary
Kiwi Syslog Server is prone to an information-disclosure weakness and a vulnerability.

1) The weakness is due to the Web Access login page displaying different messages when invalid usernames or passwords are submitted. This can be exploited to enumerate user accounts.

2) A security issue is due to the Cassini Explorer of the embedded UltiDev Cassini Web Server being enabled. This can be exploited to access the administrative interface and, for example, disclose the content of local files by registering a new application.

An attacker can exploit these vulnerabilities to obtain information that may aid in further attacks.

Kiwi Syslog Server 9.0.3 is vulnerable; other versions may also be affected.