OrbiTeam BSCW 'op' Parameter Information Disclosure Vulnerability Network Vulnerability

Summary

This host is installed with OrbiTeam BSCW and is prone to information disclosure vulnerability.

Impact

Successful exploitation will allow remote attackers to gain sensitive information by enumerating the names of all objects stored in BSCW without prior authentication. Impact Level: Application

Solution

Upgrade to OrbiTeam BSCW version 5.0.8 or later. For updates refer, http://www.bscw.de/english/product.html

Insight

The flaw exists as the program associates filenames of documents with values mapped from the 'op' parameter.

Affected

OrbiTeam BSCW before version 5.0.8

Detection

Send the crafted HTTP GET request and check is it possible to read the filename of a document.

References

http://packetstormsecurity.com/files/126551
http://seclists.org/bugtraq/2014/May/37
http://www.osvdb.com/106763
https://www.redteam-pentesting.de/en/advisories/rt-sa-2014-003

Updated on 2017-03-28

Severity

Classification

CVE CVE-2014-2301

CVSS	Base Score: 5.0 AV:N/AC:L/Au:N/C:P/I:N/A:N

Related Vulnerabilities

3Com NBX VoIP NetSet Detection
A Really Simple Chat Multiple XSS Vulnerabilities
Allaire JRun directory browsing vulnerability
Apache Tomcat NIO Connector Denial of Service Vulnerability
AjaXplorer Remote Command Injection and Local File Disclosure Vulnerabilities

Take action and discover your vulnerabilities