Interchange < 5.4.4 / 5.6.2 / 5.7.2 Search Request Information Disclosure

medium Nessus Plugin ID 41056

Synopsis

The remote web server uses an application server that may be prone to an information disclosure vulnerability.

Description

The remote host appears to be running Interchange, an open source application server that handles state management, authentication, session maintenance, click trails, filtering, URL encodings, and security policy.

According to the banner in its administrative login page, the installed version of Interchange is earlier than 5.4.4 / 5.6.2 / 5.7.2. Such versions are potentially affected by an information disclosure vulnerability. Any database table configured within Interchange can be queried remotely by an unauthenticated user because the application fails to limit access from its search functions.

Solution

Upgrade to Interchange 5.4.4 / 5.6.2 / 5.7.2 or later.

See Also

http://ftp.icdevgroup.org/interchange/5.6/ANNOUNCEMENT-5.6.2.txt

http://www.icdevgroup.org/i/dev/news?mv_arg=00038

Plugin Details

Severity: Medium

ID: 41056

File Name: interchange_562.nasl

Version: 1.10

Type: remote

Family: CGI abuses

Published: 9/23/2009

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Vulnerability Information

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/17/2009

Reference Information

BID: 36452

SECUNIA: 36716