Security Advisory 06 – 046 – The VSAOD server discloses its version
Vulnerability discovery and development:
Portcullis Security Testing Services discovered this vulnerability during an application assessment.
Further research was then carried out post assessment.
Credit for Discovery:
Tim Brown – Portcullis Computer Security Ltd.
All known versions of Audit are affected. This vulnerability was discovered in version 22.214.171.124.
On connecting to the remote VSAOD server, the version is disclosed:
server> Visionsoft Audit on Demand Service
server> Version: 126.96.36.199
In addition, the version number can be obtained as follows:
client> VER
server> 188.8.131.52
An attacker could make use of the version information to identify vulnerable versions of the VSAOD server.
Exploit code is not required.
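The check below is an added example, not part of the original advisory or of the vendor's software. It reads a captured session written in the advisory's server>/client> notation and reports whether a version string was disclosed in the connection banner or in reply to a client command, so a captured session can be re-checked after a fix or hardening change. The transcripts are constructed, and the "ERROR" reply of the hardened server is a hypothetical response.

```python
import re

# Four dot-separated numeric fields, the version format shown in the advisory.
VERSION_RE = re.compile(r"\b\d+(?:\.\d+){3}\b")


def find_version_disclosures(transcript):
    """Return (path, version) tuples for every version string the server sent.

    path is 'banner' when the version arrived before any client input,
    or 'command:<CMD>' when it followed a client command such as VER.
    """
    findings = []
    last_command = None  # stays None until the client has sent something
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("client>"):
            last_command = line[len("client>"):].strip()
        elif line.startswith("server>"):
            payload = line[len("server>"):].strip()
            for version in VERSION_RE.findall(payload):
                path = "banner" if last_command is None else f"command:{last_command}"
                findings.append((path, version))
    return findings


# Constructed transcript; the server lines are copied from the advisory's output.
UNPATCHED = """\
server> Visionsoft Audit on Demand Service
server> Version: 126.96.36.199
client> VER
server> 188.8.131.52
"""

# Constructed transcript of a hypothetical hardened server: no version in the
# banner, and VER answered with a hypothetical "ERROR" reply.
HARDENED = """\
server> Visionsoft Audit on Demand Service
client> VER
server> ERROR
"""

if __name__ == "__main__":
    for name, session in (("unpatched", UNPATCHED), ("hardened", HARDENED)):
        print(name, find_version_disclosures(session))
```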
e-mailed – 16th January 2007
e-mailed – 26th February 2007
e-mailed – 15th March 2007