Powerschool 404 Admin Exposure

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Powerschool 404 Admin Exposure
From: gheetotank@xxxxxxxxxxx
Date: 19 Feb 2007 05:06:38 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Powerschool 4.3.6 and possibly other versions expose the admin interface when 
requesting any file with .js

This allows one to see some directory and file names inside the admin folder.

POC:

http://[powerschoolip]/admin/.js

Product's website does not provide email contact?

Prev by Date: Re: [SECURITY] [DSA 1259-1] New fetchmail packages fix information disclosure
Next by Date: iTunes remote memory corruption vulnerability
Previous by thread: Remote DoS in libevent DNS parsing <= 1.2a
Next by thread: Re: Powerschool 404 Admin Exposure
Index(es):
- Date
- Thread