The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Alcatel OmniVista 4760: file reading

Synthesis of the vulnerability 

An attacker can use a special HTTP GET query, in order to read the content of files located on the Alcatel OmniVista 4760 Network Management System computer.
Vulnerable systems: OmniVista 4760 Network Management System.
Severity of this threat: 3/4.
Creation date: 01/03/2011.
References of this weakness: BID-46624, CERTA-2011-AVI-130, CVE-2011-0345, DDIVRT-2010-30, VIGILANCE-VUL-10412, VU-101102-1.

Description of the vulnerability 

The Alcatel OmniVista 4760 NMS (Network Management System) server has a web administration interface.

Several languages are available. The "lang" parameter indicates the directory in which translated messages are stored. However, an attacker can use a language like "../.." in order to go up in the path and access a file located outside the web site root.

An attacker can therefore use a special HTTP GET query, in order to read the content of files located on the Alcatel OmniVista 4760 Network Management System computer.
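
To check whether this weakness was probed on a server, the web access log can be searched for "lang" values that are not plain language codes. The script below is an added example, not code from the bulletin or from Alcatel; the access log format, the /placeholder/page request path and the shape of a valid language code are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: entries follow the common/combined access log format.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate value looks like "en", "fr" or "en_US".
SAFE_LANG_RE = re.compile(r'[A-Za-z]{2,3}(?:[-_][A-Za-z]{2,4})?')

# Constructed sample entries; /placeholder/page is not the product's real path.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2011:10:00:01 +0000] "GET /placeholder/page?lang=fr HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Mar/2011:10:00:07 +0000] "GET /placeholder/page?lang=../.. HTTP/1.1" 200 812',
    '192.0.2.44 - - [01/Mar/2011:10:00:09 +0000] "GET /placeholder/page?lang=%2e%2e%2f%2e%2e HTTP/1.1" 200 812',
    '192.0.2.10 - - [01/Mar/2011:10:00:12 +0000] "GET /placeholder/page?lang=en_US&x=1 HTTP/1.1" 200 5090',
]

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so nested encodings are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_lang(value):
    """Return 'traversal', 'unexpected' or None for a lang parameter value."""
    value = fully_decode(value)
    if '..' in re.split(r'[\\/]', value):
        return 'traversal'      # a ".." path segment goes up in the path
    if not SAFE_LANG_RE.fullmatch(value):
        return 'unexpected'     # not a language code: worth a manual look
    return None

def scan(lines):
    """Return (line_number, lang_value, verdict) for every flagged request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for value in parse_qs(query, keep_blank_values=True).get('lang', []):
            verdict = classify_lang(value)
            if verdict:
                findings.append((number, value, verdict))
    return findings

if __name__ == '__main__':
    print(*scan(SAMPLE_LOG), sep='\n')
```

A hit only shows that such a request was received; the response status and size in the same log entry help judge whether file content was returned.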

This weakness alert impacts software or systems such as OmniVista 4760 Network Management System.

Our Vigil@nce team determined that the severity of this computer vulnerability note is important.

The trust level is of type confirmed by the editor, with an origin of intranet client.

An attacker with an expert ability can exploit this security bulletin.

Solutions for this threat 

Alcatel OmniVista 4760: patch.
A patch is available:
OmniVista 4760 R5.0.07.05:
  patch 4760_Patch2_For_R500705c.zip
  Enterprise Business Portal (TECHNICAL COMMUNICATION TC1428)
OmniVista 4760 R5.1.06.03:
  patch 4760_Patch4_For_R510603c_Patch3.zip
  Enterprise Business Portal (TECHNICAL COMMUNICATION TC1427)