I have verified this as well as PR06-09 and PR06-11 in version 6.1.0.240495.

On 1 Dec 2007 21:04:34 -0000, <research@xxxxxxxxxxxxxx> wrote:
> PR06-08: BEA Plumtree portal internal hostname disclosure vulnerability
>
> Description:
>
> BEA Plumtree portal is vulnerable to an internal hostname disclosure vulnerability.
>
> The internal hostname of the server hosting BEA Plumtree portal is always included at the bottom of every requested HTML page within HTML comments.
>
> Date Found: 12th September 2006
>
> Vendor contacted: 18th May 2007
>
> Vulnerable: BEA Plumtree 5.0.2, 5.0.3, 5.0.4, 6.0.1.218452 and possibly other versions.
>
> Severity: Low
>
> Authors: Adrian Pastor and Jan Fry from ProCheckUp Ltd (www.procheckup.com)
>
> ProCheckUp thanks BEA for working with us.
>
> Vendor Status: Confirmed
>
> CVE Candidate: Not assigned
>
> Proof of concept:
>
> The following is an example of the internal hostname of Plumtree server disclosed within HTML comments:
>
> <!--Hostname: websvr01-->
>
> Consequences:
>
> This information could be useful to a malicious user attempting to gain illegal access to resources on internal systems.
>
> By following internal hostname naming conventions, an attacker could predict other internal hostnames as well. For instance, if Plumtree portal is running on a server with an internal hostname of websvr01, an attacker could predict other internal hostnames such as websvr01, websvr02, websvr03 and so on.
>
> Fix:
>
> This has been addressed in AquaLogic Interaction 6.1. MP1. This can also be addressed by making config changes in ALUI 6.x versions.
>
> References:
>
> http://www.procheckup.com/Vulnerability_2007.php
> http://dev2dev.bea.com/pub/advisory/251
> http://www.plumtree.com/
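
Added example, not part of the original advisory or reply: a Python check an administrator could run over HTML saved from their own portal to find the hostname comment described above and to strip it from a response body. The function names, the tolerance for case and extra whitespace, and the sample pages are assumptions constructed for illustration.

```python
import re

# Comment form shown in the advisory: <!--Hostname: websvr01-->
# Tolerating case and extra whitespace is an assumption, not from the advisory.
HOSTNAME_COMMENT = re.compile(
    r"<!--\s*Hostname:\s*([^<>]*?)\s*-->", re.IGNORECASE
)

def find_leaked_hostnames(html: str) -> list[str]:
    """Return the distinct hostnames disclosed in HTML comments, in page order."""
    seen: list[str] = []
    for match in HOSTNAME_COMMENT.finditer(html):
        name = match.group(1)
        if name and name not in seen:
            seen.append(name)
    return seen

def strip_hostname_comments(html: str) -> str:
    """Remove only the hostname comments; other comments are left in place."""
    return HOSTNAME_COMMENT.sub("", html)

def audit_pages(pages: dict[str, str]) -> dict[str, list[str]]:
    """Map each page path to the hostnames it leaks; clean pages are omitted."""
    findings = {}
    for path, html in pages.items():
        names = find_leaked_hostnames(html)
        if names:
            findings[path] = names
    return findings

# Constructed sample responses (not captured from a real portal).
SAMPLE_PAGES = {
    "/portal/home": "<html><body><p>Welcome</p></body></html>\n"
                    "<!--Hostname: websvr01-->",
    "/portal/help": "<html><body><!-- page footer --><p>Help</p></body></html>",
    "/portal/search": "<html><body>Results</body></html>"
                      "<!-- hostname:  WEBSVR02.corp.example -->",
}

if __name__ == "__main__":
    for path, names in audit_pages(SAMPLE_PAGES).items():
        print(f"{path}: discloses {', '.join(names)}")
```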