Company

Technical Security Consulting

Managing Risk

Research & Development

Forensics

Security Management

Media Centre

PCI DSS

• Home
• Overview
• R&D Services
• Technology Focus
• Messaging Systems Security
• Embedded Systems Security
• Collaborative Research Projects
• Technical Whitepapers
• Research Briefings
• Publicly Released Tools
• Vendor Alerts - 0days
• Security Advisories
• Advisories
• Advisory 028
• Advisory 027
• Advisory 026
• Advisory 025
• Advisory 024
• Advisory 023
• Advisory 022
• Advisory 021
• Advisory 020
• Advisory 019
• Advisory 018
• Advisory 017
• Advisory 016
• Advisory 015
• Advisory 014
• Advisory 013
• Advisory 012
• Advisory 011
• Advisory 010
• Advisory 009
• Advisory 008
• Advisory 007
• Advisory 006
• Advisory 005
• Advisory 004
• Advisory 003
• Advisory 002
• Advisory 001

Advisory 017

Multiple Vulnerabilities in Infovista Portal SE

Vulnerability Type / Importance: Directory Traversal / High
Information Leakage / Low

Problem Discovered: January 20th 2006
Vendor Contacted: January 20th 2006
Advisory Published: February 21st 2006

----------------------------------------------------------------------

Abstract:

VistaPortal enables secure, browser-based access to service-centric performance information. The easy implementation, display and design of Portal-based dashboards and reports give accurate visibility into the performance of the entire global IT infrastructure. VistaPortal allows users to simultaneously view Key Performance Indicators (KPIs), real-time performance notifications and strategic business information, from which users can drill down to related real-time and historical reports residing in VistaMart, the InfoVista Server and VistaTroubleshooter. VistaPortal delivers rich, interactive content within a standards-based, open architecture that allows seamless integration with existing applications and easy incorporation of information into other Web Portals. (http://www.infovista.com/products/product_list.asp#vistaportal)

Description:

PortalSE allows a remote attacker to read any file on the filesystem as it runs with root privileges by default. It is also susceptible to a directory revelation issue.

Technical Details:

During a recent research engagement IRM found multiple vulnerabilites in the
Infovista PortalSE software. Using specially crafted URLs it is possible to
read any file on the filesystem. This is due to the product running with super-user privileges so it is possible to gain the system's password hashes.

Additionally, when selecting a non-existent server in the server field then the response reveals a full directory path, which can be useful to an attacker in fingerprinting the underlying operating system and directory structure: -

An error occured while accessing the report '<nonexistentserver>_31457':
No Such Report Generated For You

[-] Hide details

/opt/InfoVista/PortalSE/files/default/<nonexistentserver>/31457/report.html
(No such file or directory)
java.io.FileNotFoundException:
/opt/InfoVista/PortalSE/files/default/<nonexistentserver>/31457/report.html
(No such file or directory)

Vendor & Patch Information:

The vendor has released a hotfix for the directory traversal issue (IV00038969) which should be applied. The vendor does not deem the information leakage of the directory path an issue and has not released a hotfix for this.

Tested Versions:

PortalSE 2.0 Build 20087 on Solaris 8

Credits:

Research & Advisory: P Robinson

Disclaimer:

All information in this advisory is provided on an 'as is'
basis in the hope that it will be useful. Information Risk Management
Plc is not responsible for any risks or occurrences caused
by the application of this information.