Vigil@nce: Sun Directory Server, file detection via help
April 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An attacker can use the help page of Sun Java System Directory
Server to detect if a file exists, and to see its first line.
Severity: 2/4
Consequences: data reading
Provenance: intranet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 16/04/2009
IMPACTED PRODUCTS
– Sun Java System Directory Server
– Sun ONE Directory Server
DESCRIPTION OF THE VULNERABILITY
The /manual/help/help script of Sun Java System Directory Server
displays help pages. For example:
http://server:390/manual/help/help?helpdir=...
If an attacker requests an invalid page, an error message is
displayed. However, this message varies depending on the file:
- if the file does not exist, the message is generic
- if the file exists, the message is specific, and can contain
the first line of the file.
An attacker can use the help page of Sun Java System Directory
Server to detect if a file exists, and to see its first line.
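For detection, the following added example (not part of the advisory or of the vendor's code) scans a web access log for clients that send many distinct helpdir values to /manual/help/help, the pattern that file probing through the error message would leave. The Common Log Format layout, the threshold, the function names and the sample lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

HELP_PATH = "/manual/help/help"  # help script named in the advisory

# Assumption: access log in Common Log Format; adapt the regex to your server.
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" \d{3}')

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = """\
10.0.0.5 - - [16/Apr/2009:10:00:01 +0200] "GET /manual/help/help?helpdir=sample-a HTTP/1.0" 200 512
10.0.0.5 - - [16/Apr/2009:10:00:09 +0200] "GET /manual/help/help?helpdir=sample-a HTTP/1.0" 200 512
10.0.0.9 - - [16/Apr/2009:10:01:00 +0200] "GET /manual/help/help?helpdir=sample-1 HTTP/1.0" 200 120
10.0.0.9 - - [16/Apr/2009:10:01:01 +0200] "GET /manual/help/help?helpdir=sample-2 HTTP/1.0" 200 120
10.0.0.9 - - [16/Apr/2009:10:01:02 +0200] "GET /manual/help/help?helpdir=sample-3 HTTP/1.0" 200 187
10.0.0.9 - - [16/Apr/2009:10:01:03 +0200] "GET /manual/help/help?helpdir=sample-4 HTTP/1.0" 200 120
10.0.0.9 - - [16/Apr/2009:10:01:04 +0200] "GET /manual/help/help?helpdir=sample-5 HTTP/1.0" 200 120
10.0.0.7 - - [16/Apr/2009:10:02:00 +0200] "GET /other/page?helpdir=sample-z HTTP/1.0" 404 0
"""

def helpdir_probes(lines):
    """Map client IP -> set of distinct helpdir values sent to the help script."""
    seen = defaultdict(set)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = urlsplit(m.group("target"))
        if url.path != HELP_PATH:
            continue  # only the help script is of interest here
        values = parse_qs(url.query, keep_blank_values=True).get("helpdir", [])
        seen[m.group("ip")].update(values)
    return dict(seen)

def suspicious_clients(lines, max_distinct=3):
    """Clients that tried more distinct helpdir values than the threshold.

    max_distinct is an assumed baseline for normal help browsing; tune it.
    """
    probes = helpdir_probes(lines)
    return sorted(ip for ip, vals in probes.items() if len(vals) > max_distinct)

if __name__ == "__main__":
    for ip in suspicious_clients(SAMPLE_LOG.splitlines()):
        print("possible file probing via help script from", ip)
```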
CHARACTERISTICS
Identifiers: 255848, 6492611, BID-34548, CVE-2009-1332,
VIGILANCE-VUL-8645
http://vigilance.fr/vulnerability/Sun-Directory-Server-file-detection-via-help-8645