Security Bulletin: IBM Sametime log file information disclosure (CVE-2012-3331)


The default permissions for the IBM Sametime database STLOG.NSF allow anonymous / unauthenticated users to access potentially sensitive information.
Vulnerability Type: Information disclosure
The information below is from TN 1613895

CVE ID: CVE-2012-3331

DESCRIPTION:

By default, anonymous / unauthenticated users can access the Sametime Log database (STLOG.NSF).

This database provides a variety of potentially sensitive information including canonical usernames, and client IP addresses.

For example, from the page http://1.2.3.4/stlog.nsf, select the link Community Server Login and Logout Events by User.

Steps to Reproduce Vulnerability: http://1.2.3.4/stlog.nsf

Note that access to the server where the Sametime servers are running should be possible only from within the organization. In addition, these servers should not be made HTTP accessible to any machine in the organization.
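As an added detection example (not part of the IBM bulletin), the following scans HTTP access log lines for the exposure described above: requests for STLOG.NSF that carried no authenticated user and were nonetheless served with a 2xx status. It assumes the Domino HTTP server writes its text access log in Common Log Format; the sample log lines, addresses and view name are constructed.

```python
import re
from dataclasses import dataclass

# Common Log Format (assumed log layout), e.g.:
# 203.0.113.7 - - [12/Sep/2012:10:15:32 +0000] "GET /stlog.nsf HTTP/1.1" 200 5120
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

@dataclass
class Finding:
    ip: str
    user: str
    path: str
    status: int

def is_anonymous_stlog_hit(line):
    """Return a Finding if this line is an unauthenticated request for STLOG.NSF
    (the database itself or any view/document under it) that the server served
    with a 2xx status; otherwise None."""
    m = CLF_RE.match(line)
    if not m:
        return None
    # Domino paths are case-insensitive; drop any query string before matching.
    path = m.group("path").split("?", 1)[0].lower()
    if not (path == "/stlog.nsf" or path.startswith("/stlog.nsf/")):
        return None
    status = int(m.group("status"))
    user = m.group("user")
    # "-" in the remote-user field means no authenticated session.
    if user == "-" and 200 <= status < 300:
        return Finding(m.group("ip"), user, path, status)
    return None

def scan(lines):
    """Run the check over an iterable of log lines and collect the findings."""
    return [f for f in (is_anonymous_stlog_hit(l) for l in lines) if f]

# Constructed sample log: two anonymous hits served, one authenticated hit,
# one anonymous hit correctly refused, and one request for another database.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Sep/2012:10:15:32 +0000] "GET /stlog.nsf HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Sep/2012:10:15:40 +0000] "GET /STLOG.nsf/examplelogview?OpenView HTTP/1.1" 200 23456',
    '10.0.0.5 - jdoe [12/Sep/2012:10:16:01 +0000] "GET /stlog.nsf HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Sep/2012:10:17:12 +0000] "GET /stlog.nsf HTTP/1.1" 401 0',
    '203.0.113.9 - - [12/Sep/2012:10:17:20 +0000] "GET /names.nsf HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"anonymous access to {f.path} from {f.ip} (HTTP {f.status})")
```

After the ACL of STLOG.NSF has been tightened, the same scan should report only the historical entries; a 401 or 403 for anonymous requests is the expected post-fix behaviour.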