Re: PR06-08: BEA Plumtree portal internal hostname disclosure vulnerability
I have verified this as well as PR06-09 and PR06-11 in version 6.1.0.240495.
On 1 Dec 2007 21:04:34 -0000, <research@xxxxxxxxxxxxxx> wrote:
> PR06-08: BEA Plumtree portal internal hostname disclosure vulnerability
>
> Description:
>
> BEA Plumtree portal is vulnerable to an internal hostname disclosure
> vulnerability.
>
> The internal hostname of the server hosting BEA Plumtree portal is always
> included at the bottom of every requested HTML page within HTML comments.
>
> Date Found: 12th September 2006
>
> Vendor contacted: 18th May 2007
>
> Vulnerable: BEA Plumtree 5.0.2, 5.0.3, 5.0.4, 6.0.1.218452 and possibly other
> versions.
>
> Severity: Low
>
> Authors: Adrian Pastor and Jan Fry from ProCheckUp Ltd (www.procheckup.com)
>
> ProCheckUp thanks BEA for working with us.
>
> Vendor Status: Confirmed
>
> CVE Candidate: Not assigned
>
> Proof of concept:
>
> The following is an example of the internal hostname of the Plumtree server
> disclosed within HTML comments:
>
> <!--Hostname: websvr01-->
>
> Consequences:
>
> This information could be useful to a malicious user attempting to gain
> illegal access to resources on internal systems.
>
> By following internal hostname naming conventions, an attacker could predict
> other internal hostnames as well. For instance, if Plumtree portal is
> running on a server with an internal hostname of websvr01, an attacker could
> predict other internal hostnames such as websvr01, websvr02, websvr03 and
> so on.
>
> Fix:
>
> This has been addressed in AquaLogic Interaction 6.1 MP1. This can also be
> addressed by making config changes in ALUI 6.x versions.
>
> References:
>
> http://www.procheckup.com/Vulnerability_2007.php
>
> http://dev2dev.bea.com/pub/advisory/251
>
> http://www.plumtree.com/
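The advisory above reports a hostname leaked inside an HTML comment at the bottom of each page. A quick way for an administrator to confirm that the vendor fix or the ALUI config change actually removed the disclosure is to pull a page from the portal and inspect every HTML comment it contains. The following Python is an added example written for this thread; it is not ProCheckUp's or BEA's code, and the only thing it assumes about Plumtree's output is the `<!--Hostname: ...-->` format shown in the proof of concept. The sample pages are constructed for the example, not captured from a real install.

```python
import re
import urllib.request
from html.parser import HTMLParser

# Matches the disclosure format quoted in PR06-08: "Hostname: <name>" inside a comment.
# The name pattern is a hypothetical approximation of a typical short hostname.
HOSTNAME_COMMENT = re.compile(
    r"hostname\s*:\s*(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*)", re.IGNORECASE
)


class _CommentCollector(HTMLParser):
    """Collects the text of every <!-- ... --> comment in a document."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def extract_comments(html):
    """Return all HTML comment bodies, including those after </html>."""
    parser = _CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


def find_hostname_disclosures(html):
    """Return the hostnames disclosed inside HTML comments, in document order."""
    found = []
    for comment in extract_comments(html):
        match = HOSTNAME_COMMENT.search(comment)
        if match:
            found.append(match.group("host"))
    return found


def check_page(html):
    """Summarise a page: vulnerable if any comment leaks a hostname."""
    hosts = find_hostname_disclosures(html)
    return {"vulnerable": bool(hosts), "hosts": hosts}


def check_url(url):
    """Fetch one page from your own portal and run the check on its body."""
    with urllib.request.urlopen(url) as resp:
        body = resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")
    return check_page(body)


# Constructed sample responses (not real portal output).
SAMPLE_VULNERABLE = """<html><body><h1>Portal</h1>
<!-- standard layout comment -->
</body></html>
<!--Hostname: websvr01-->
"""

SAMPLE_FIXED = """<html><body><h1>Portal</h1>
<!-- standard layout comment -->
</body></html>
"""

if __name__ == "__main__":
    for label, page in (("before fix", SAMPLE_VULNERABLE), ("after fix", SAMPLE_FIXED)):
        print(label, check_page(page))
```

Run `check_url("https://portal.example/")` (an assumed URL) against a portal you administer after applying the fix; an empty `hosts` list for every page type you serve is the expected result.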