search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Hummingbird CyberDOCS error page discloses web server installation path

Vulnerability Note VU#715548

Original Release Date: 2003-10-09 | Last Revised: 2003-10-10

Overview

Hummingbird CyberDOCS contains a vulnerability that could allow a remote attacker to learn the installation path of the web server. This information could be used to support further attacks.

Description

Hummingbird CyberDOCS (Hummingbird DM) is a web-based enterprise document management solution that runs on Windows NT/2000 using SQL database technology. A web page generated on an invalid login attempt discloses the full installation path of the web server.

Impact

A remote attacker could determine the complete installation path of the CyberDOCS web server. The attacker may be able to use this information to support other attacks.

Solution

Apply a patch or upgrade

For CyberDOCS 4.0, apply Patch 4 from the CyberDOCS support site. For versions of CyberDOCS prior to 4.0, Hummingbird recommends that customers upgrade to the most recent version of CyberDOCS.

Vendor Information

715548
 
Expand all

Hummingbird Affected

Notified:  September 18, 2003 Updated: October 09, 2003

Status

Affected

Vendor Statement

CyberDOCS - Potential to Reveal CyberDOCS Web Server Installation Path in Error Message

Problem: In CyberDOCS (versions 3.5.1, 3.9, and 4.0), it is possible to display the DM Web Server installation path in certain error messages when incorrect logon credentials are entered.

Resolution: This issue is resolved in CyberDOCS 4.0 Patch 4, which can be downloaded from Hummingbird's website at the following location:

<http://www.hummingbird.com/support/dkm/supportservices/Cyberdocs.html>

Reference: SD017066

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was discovered and reported by ProCheckUp.

This document was written by Art Manion.

Other Information

CVE IDs: None
Severity Metric: 0.27
Date Public: 2003-10-06
Date First Published: 2003-10-09
Date Last Updated: 2003-10-10 13:34 UTC
Document Revision: 15

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis