Title: ScreamingMedia SiteWare File Disclosure Vulnerability
Severity: HIGH
Description:
ScreamingMedia SiteWare is a web server designed to assist in the editing and publishing of various forms of web site content. SiteWare includes a feature called Editor's Desk. This feature is a web-based content-publishing tool designed to assist users in the preparation of various content.
Due to a flaw in SiteWare Editor's Desk, it is possible for a user to gain read access to known files residing in the 'SITEWare/threads/Editor' directory of a host. This is accomplished by crafting a URL containing double-dot '../' sequences along with the relative path to a known file.
Sensitive information in files (such as database usernames and passwords) may be disclosed to attackers. Vulnerabilities present in scripts may also be revealed if the source code is disclosed. This may facilitate further attacks against the server.
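The following is an added detection example, not part of the original advisory or any ScreamingMedia code: it scans web access logs for requests whose decoded target contains a '../' path segment, including percent-encoded and double-encoded forms. The log lines are constructed, and the `/editor/view` path and `file` parameter are hypothetical, since the advisory does not give the Editor's Desk URL layout.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format). The request paths
# and the "file" parameter are hypothetical placeholders, not SiteWare's own.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2001:10:00:00 +0000] "GET /editor/view?file=story1.txt HTTP/1.0" 200 512
192.0.2.11 - - [01/Jan/2001:10:00:05 +0000] "GET /editor/view?file=../../config.ini HTTP/1.0" 200 2048
192.0.2.12 - - [01/Jan/2001:10:00:09 +0000] "GET /editor/view?file=%2e%2e%2fconfig.ini HTTP/1.0" 200 2048
192.0.2.13 - - [01/Jan/2001:10:00:12 +0000] "GET /editor/view?file=%252e%252e%255cconfig.ini HTTP/1.0" 404 0
192.0.2.14 - - [01/Jan/2001:10:00:20 +0000] "GET /news/version..2.html HTTP/1.0" 200 900
"""

# Client address, request target and status code from one log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')
# ".." standing as a whole path segment: bounded by / \ = & ? or the string ends.
DOTDOT_RE = re.compile(r'(?:^|[/\\=&?])\.\.(?:[/\\&]|$)')


def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def has_traversal(target):
    """True if the decoded request target contains a '..' path segment."""
    return bool(DOTDOT_RE.search(fully_decode(target)))


def scan(log_text):
    """Return (client, request target, status) for each traversal request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and has_traversal(m.group(2)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits


if __name__ == "__main__":
    for client, target, status in scan(SAMPLE_LOG):
        # A 200 on a traversal request suggests a file was actually served.
        note = "SERVED" if status == 200 else "rejected"
        print(f"{client} {status} {note} {target}")
```

Hits that returned status 200 are the ones to triage first, since they indicate the server answered the request rather than refusing it.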
Affected Products:
- Screaming Media SiteWare 2.5.0
- Screaming Media SiteWare 2.5.001
- Screaming Media SiteWare 3.0.0
- Screaming Media SiteWare 3.0.01
- Screaming Media SiteWare 3.0.02
- Screaming Media SiteWare 3.1.0
References:
- ScreamingMedia: Screaming Media Website
- ScreamingMedia: Vulnerability in SiteWare Web Root - SMS1001