search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Hummingbird CyberDOCS sets insecure permissions on script source code files

Vulnerability Note VU#989580

Original Release Date: 2003-10-09 | Last Revised: 2003-10-10

Overview

Hummingbird CyberDOCS running on Microsoft Internet Information Services (IIS) sets insecure permissions on script source code files. A remote attacker could read the contents of unprotected files.

Description

Hummingbird CyberDOCS (Hummingbird DM) is a web-based enterprise document management solution that runs on Windows NT/2000 using SQL database technology. CyberDOCS on IIS does not configure the web server to adequately restrict access to script source files.

Impact

An unauthenticated, remote attacker could read the script source code contained in files with insecure permissions. Script source code may contain sensitive information such as database credentials.

Solution

Modify IIS file permissions

According to Hummingbird:

    1. Start Internet Services Manager (IIS).
    2. Expand Default Web Site and select CyberDOCS.
    3. In the right-hand pane, select an unprotected file with the ".INC" extension.
    4. Right-click and select Properties.
    5. On the File tab, clear the check mark from the "Script source access," "Read," and "Write" options.
    6. Click OK to save the changes.
    7. Repeat steps 3 to 5 for all remaining unprotected "*.INC," "*.ASA," "*.LIC," "*.LOG," "*.Settings," and "*.BAK" files that should be protected.
    8. Repeat steps 3 to 6 for other sub-directories that also contain the above unprotected files.
    NOTE: This process will cause IIS to restart CyberDOCS resulting in all user sessions to be lost.

    Vendor Information

    989580
     
    Expand all

    Hummingbird Affected

    Notified:  September 18, 2003 Updated: October 10, 2003

    Status

    Affected

    Vendor Statement

    CyberDOCS - Potential to Access CyberDOCS Script Source Code

    Problem: In CyberDOCS (versions 3.5, 3.9, and 4.0), it is possible to access some CyberDOCS script source code via the browser.

    Resolution: To resolve this issue, perform the following steps:

      1. Start Internet Services Manager (IIS).
      2. Expand Default Web Site and select CyberDOCS.
      3. In the right-hand pane, select an unprotected file with the ".INC" extension.
      4. Right-click and select Properties.
      5. On the File tab, clear the check mark from the "Script source access," "Read," and "Write" options.
      6. Click OK to save the changes.
      7. Repeat steps 3 to 5 for all remaining unprotected "*.INC," "*.ASA," "*.LIC," "*.LOG," "*.Settings," and "*.BAK" files that should be protected.
      8. Repeat steps 3 to 6 for other sub-directories that also contain the above unprotected files.
      NOTE: This process will cause IIS to restart CyberDOCS resulting in all user sessions to be lost.

      Hummingbird recommends upgrading to the latest release of this product.

      Reference: SD017067

      Vendor Information

      The vendor has not provided us with any further information regarding this vulnerability.

      Addendum

      The CERT/CC has no additional comments at this time.

      If you have feedback, comments, or additional information about this vulnerability, please send us email.


      CVSS Metrics

      Group Score Vector
      Base
      Temporal
      Environmental

      References

      http://www.procheckup.com/security_info/vuln_pr0302.html

      Acknowledgements

      This vulnerability was discovered and reported by ProCheckUp.

      This document was written by Art Manion.

      Other Information

      CVE IDs: None
      Severity Metric: 1.08
      Date Public: 2003-10-06
      Date First Published: 2003-10-09
      Date Last Updated: 2003-10-10 13:29 UTC
      Document Revision: 21

      Sponsored by CISA.

      Download PGP Key

      Read CERT/CC Blog

      Learn about Vulnerability Analysis