Re: PR06-08: BEA Plumtree portal internal hostname disclosure vulnerability

["guiness.stout" <guinness.stout () gmail com>]

I have verified this as well as PR06-09 and PR06-11 in version 6.1.0.240495.

On 1 Dec 2007 21:04:34 -0000, <research () procheckup com> wrote:
> PR06-08: BEA Plumtree portal internal hostname disclosure vulnerability
>
>
> Description:
>
>
> BEA Plumtree portal is vulnerable to a internal hostname disclosure vulnerability.
>
>
> The internal hostname of the server hosting BEA Plumtree portal is always included at the bottom of every requested 
> HTML page within HTML comments.
>
>
> Date Found: 12th September 2006
>
>
> Vendor contacted: 18th May 2007
>
>
> Vulnerable: BEA Plumtree 5.0.2, 5.0.3, 5.0.4, 6.0.1.218452 and possibly other versions.
>
>
> Severity: Low
>
>
> Authors: Adrian Pastor and Jan Fry from ProCheckUp Ltd (www.procheckup.com)
>
>
> ProCheckUp thanks BEA for working with us.
>
>
> Vendor Status: Confirmed
>
>
> CVE Candidate: Not assigned
>
>
> Proof of concept:
>
>
> The following is an example of the internal hostname of Plumtree server disclosed within HTML comments:
>
>
> <!--Hostname: websvr01-->
>
>
> Consequences:
>
>
> This information could be useful to a malicious user attempting to gain illegal access to resources on internal 
> systems.
>
>
> By following internal hostname naming conventions, an attacker could predict other internal hostnames  as well. For 
> instance, if Plumtree portal is running on a server with an internal hostname of websvr01, an attacker could predict 
> other internal  hostnames such as websvr01, websvr02, websvr03 and  so on.
>
>
> Fix:
>
>
> This has been addressed in AquaLogic Interaction 6.1. MP1. This can also be addressed by making config changes in 
> ALUI 6.x versions.
>
>
> References:
>
>
> http://www.procheckup.com/Vulnerability_2007.php
>
> http://dev2dev.bea.com/pub/advisory/251
>
> http://www.plumtree.com/