search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Hummingbird CyberDOCS sets insecure permissions on script source code files

Vulnerability Note VU#989580

Original Release Date: 2003-10-09 | Last Revised: 2003-10-10

Overview

Hummingbird CyberDOCS running on Microsoft Internet Information Services (IIS) sets insecure permissions on script source code files. A remote attacker could read the contents of unprotected files.

Description

Hummingbird CyberDOCS (Hummingbird DM) is a web-based enterprise document management solution that runs on Windows NT/2000 using SQL database technology. CyberDOCS on IIS does not configure the web server to adequately restrict access to script source files.

Impact

An unauthenticated, remote attacker could read the script source code contained in files with insecure permissions. Script source code may contain sensitive information such as database credentials.

Solution

Modify IIS file permissions

According to Hummingbird:

    1. Start Internet Services Manager (IIS).
    2. Expand Default Web Site and select CyberDOCS.
    3. In the right-hand pane, select an unprotected file with the ".INC" extension.
    4. Right-click and select Properties.
    5. On the File tab, clear the check mark from the "Script source access," "Read," and "Write" options.
    6. Click OK to save the changes.
    7. Repeat steps 3 to 5 for all remaining unprotected "*.INC," "*.ASA," "*.LIC," "*.LOG," "*.Settings," and "*.BAK" files that should be protected.
    8. Repeat steps 3 to 6 for other sub-directories that also contain the above unprotected files.
    NOTE: This process will cause IIS to restart CyberDOCS resulting in all user sessions to be lost.

    Vendor Information

    989580
     

    CVSS Metrics

    Group Score Vector
    Base
    Temporal
    Environmental

    References

    Acknowledgements

    This vulnerability was discovered and reported by ProCheckUp.

    This document was written by Art Manion.

    Other Information

    CVE IDs: None
    Severity Metric: 1.08
    Date Public: 2003-10-06
    Date First Published: 2003-10-09
    Date Last Updated: 2003-10-10 13:29 UTC
    Document Revision: 21

    Sponsored by CISA.