Mbedthis AppWeb HTTP TRACE Information Disclosure Vulnerability
TITLE: Mbedthis AppWeb HTTP TRACE Information Disclosure Vulnerability
CLASS: Access Validation Error
CVE: CVE-2007-3008
REMOTE: Yes
LOCAL: No
PUBLISHED: Jun 13 2007 12:00AM
UPDATE: Jun 13 2007 12:00AM
CREDIT: The vendor reported this issue.
VULNERABLE:
Mbedthis AppWeb 2.2.1
NOT VULNERABLE:
Mbedthis AppWeb 2.2.2
Original page on SecurityFocus
Discussion
Mbedthis AppWeb is prone to an information disclosure vulnerability.
The vulnerability exists because the server honours HTTP TRACE requests by default. A TRACE response echoes the request the server received, headers included, back to the client in the response body (Content-Type message/http).
Leaving TRACE enabled by default may allow an attacker to compromise user accounts by gaining access to sensitive header information. Combined with a client-side flaw such as cross-site scripting that lets attacker-controlled script send a TRACE request to the server, the echoed request discloses cookie-based authentication credentials and other authentication headers, including cookies the browser would otherwise withhold from script (the cross-site tracing technique). Current browsers refuse to issue TRACE from XMLHttpRequest and fetch, which narrows that client-side path, but the server-side finding remains that TRACE is enabled.
Exploit
To exploit this issue, an attacker must entice an unsuspecting victim into following a malicious URI; a TRACE request sent directly from the attacker's own client only echoes the attacker's own headers.
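The check a practitioner would run against an AppWeb 2.2.1 instance, as an added example that is not part of the SecurityFocus record or of AppWeb's own code. It sends a raw TRACE request carrying a constructed marker Cookie and decides from the reply whether the server echoed it. So that it runs offline, it also builds two stand-in servers from the Python standard library: one that honours TRACE the way a vulnerable server does, and one that refuses the method as a fixed server should. The stand-in servers, the marker cookie value and the loopback host and port are assumptions for the demonstration, not AppWeb behaviour copied from the page.

```python
"""Check whether an HTTP server honours TRACE (cross-site tracing exposure).

Added example, not AppWeb code. The two handlers are stand-ins: one echoes
TRACE requests as a vulnerable server does, the other refuses the method.
"""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

MARKER_COOKIE = "session=TRACE-PROBE-secret"   # constructed marker value for the probe


class EchoingTraceHandler(BaseHTTPRequestHandler):
    """Stand-in for a server with TRACE enabled: echoes the request as message/http."""

    def do_TRACE(self):
        lines = [self.requestline] + [f"{k}: {v}" for k, v in self.headers.items()]
        body = ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class HardenedHandler(EchoingTraceHandler):
    """Stand-in for the fixed behaviour: TRACE is refused outright."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()


def classify_trace_response(raw: bytes, marker: str = MARKER_COOKIE) -> dict:
    """Parse a raw HTTP response to a TRACE request and decide if it leaked headers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = status_line.split()
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else None
    echoed = marker.encode("latin-1") in body
    # Only a 200 that reflects our Cookie header back proves TRACE is live;
    # a 200 without the echo (e.g. a proxy error page) is not a finding.
    return {"status": status, "echoed_cookie": echoed,
            "vulnerable": status == 200 and echoed}


def probe_trace(host: str, port: int, path: str = "/") -> dict:
    """Send one raw TRACE request with the marker Cookie and classify the reply."""
    request = (f"TRACE {path} HTTP/1.1\r\nHost: {host}:{port}\r\n"
               f"Cookie: {MARKER_COOKIE}\r\nConnection: close\r\n\r\n").encode("latin-1")
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_trace_response(b"".join(chunks))


def start_server(handler):
    """Run a stand-in server on an ephemeral loopback port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_demo() -> dict:
    """Probe both stand-ins; returns {'echoing': verdict, 'hardened': verdict}."""
    results = {}
    for name, handler in (("echoing", EchoingTraceHandler), ("hardened", HardenedHandler)):
        server = start_server(handler)
        try:
            results[name] = probe_trace("127.0.0.1", server.server_port)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:9s} status={verdict['status']} "
              f"echoed_cookie={verdict['echoed_cookie']} vulnerable={verdict['vulnerable']}")
```

To test a real host, call `probe_trace(host, port)` instead of `run_demo()`. The verdict requires both a 200 status and the marker cookie reflected in the body: a server that answers 200 with an unrelated page (a reverse proxy in front of AppWeb, for instance) is reported as not vulnerable, and a 405 or 501 is the expected answer from a server where TRACE has been disabled.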
Solution
The vendor released an update (AppWeb 2.2.2) to address this issue. Please see the references for more information.
References
- AppWeb HTTP Server Changelog (Mbedthis Software)
- Mbedthis AppWeb HTTP Server Homepage (Mbedthis Software)