Home page logo

bugtraq logo Bugtraq mailing list archives

Xerox DocuShare Internal IP address disclosure
From: "Ryan Purita" <ryan () totally-connected com>
Date: Thu, 3 Oct 2002 12:04:19 -0700

According to the Xerox Corporate Website:
                                        DocuShare lets team members use your corporate intranet or extranet to set up a 
virtual information-sharing environment. Here, users can easily post, retrieve, and search for information that resides 
in familiar nested folders. And they can adapt DocuShare to suit the specific needs of any workgroup or project. 
                                        DocuShare gives you instant and controlled access to information. Read and 
write permission rights are granted and maintained by the workgroup itself. There's no need for a Webmaster to convert 
documents to HTML or PDF before posting or updating information. And users can see at a glance which documents are new 
and revised. 
By default, anonymous users can create an account or group and upload files at will. Aside from uploading a malicious 
HTML document, and potentially exposing unknowing users, the internal IP address of the server running DocuShare can 
also be revealed. 
Using the Upload Helper Utility, it is possible to gain information about the server which is hosting DocuShare. 
File: Exploit.html (1955967 bytes)
Start 22:12:46 Sep 30, 02
Finish 4507 msec (result code 200)
Terminate 4517 msec since 1st upload
Depending on the Anti-Virus program in use files sent to the server are not checked for viruses. When using Trend Micro 
with the real-time scan enabled and with updated virus definitions it did not identify any of the viruses or malicious 
HTML code that was sent.
Tested in Version 2.2 Workgroup (Build 180)

Ryan Purita
Network Security Analyst
Totally Connected Ltd.
1308 S.E. Marine Drive,
Vancouver, B.C., V5X 4K4
ryan () totally-connected com
Phone:  604-432-7828
Fax:    604-432-6773

                       ----Notice Regarding Confidentiality of Transmission ----
This message is intended only for the person to which it is addressed and may contain
information that is privileged and confidential.  If you are not the intended recipient, you
are hereby notified that any dissemination or copying of this communication is prohibited.
Please notify us of the error in communication by telephone (604-432-7828) or by return 
e-mail and destroy all copies of this communication. Thank you.

  By Date           By Thread  

Current thread:
  • Xerox DocuShare Internal IP address disclosure Ryan Purita (Oct 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]