Vigil@nce: ScreenOS, information disclosure via about.html
April 2009 by Vigil@nce
An attacker can request the about.html page of the WebUI in order to
obtain information about ScreenOS.
– Severity: 1/4
– Consequences: data reading
– Provenance: intranet client
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 27/04/2009
IMPACTED PRODUCTS
– NetScreen ScreenOS
DESCRIPTION OF THE VULNERABILITY
Access to the WebUI administration interface requires
authentication.
However, the "about.html" page can be accessed without
authentication. Moreover, this page contains the ScreenOS
version.
An unauthenticated attacker who is allowed to connect to the WebUI
web server can therefore obtain information about the system.
CHARACTERISTICS
– Identifiers: BID-34710, VIGILANCE-VUL-8672
– URL: http://vigilance.fr/vulnerability/ScreenOS-information-disclosure-via-about-html-8672