Cognos Powerplay WE Multiple Information Disclosure Vulnerabilities

medium Nessus Plugin ID 10187

Synopsis

A CGI is affected by information disclosure vulnerabilities.

Description

The CGI script ppdscgi.exe, part of the PowerPlay Web Edition package, is installed.

Due to design problems, as well as some potential web server misconfiguration, PowerPlay Web Edition may serve up data cubes in an insecure manner. Executing the PowerPlay CGI pulls cube data into files in an unprotected temporary directory.

Those files are then fed back to frames in the browser. In some cases it is trivial for an unauthenticated user to tap into those data files before they are purged.

Solution

Cognos does not consider this problem to be an issue, so it does not provide a solution.

See Also

https://marc.info/?l=bugtraq&m=93059255403868&w=2

Plugin Details

Severity: Medium

ID: 10187

File Name: powerplay.nasl

Version: 1.34

Type: remote

Family: CGI abuses

Published: 7/9/1999

Updated: 1/19/2021

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Information

Required KB Items: Settings/ParanoidReport

Exploit Available: true

Exploit Ease: No exploit is required

Vulnerability Publication Date: 6/28/1999

Reference Information

BID: 491