Informix Webdriver Remote Administration Access

vendor:

Webdriver

by:

John Wright

8.3

CVSS

HIGH

Informix Webdriver Remote Administration Access

N/A

CWE

Product Name: Webdriver

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: No

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2002

Informix Webdriver Remote Administration Access

Informix Webdriver, the web-to-DB interface used by Informix database products, may permit unauthorized remote access to the system's administration functions. Under very specific circumstances, if webdriver is called directly, without any additional parameters included in the URL submitted to the server, the response will take the form of a remote administration page which can permit a malicious non-local user to modify or delete database information.

Mitigation:

Ensure that webdriver is not called directly without any additional parameters included in the URL submitted to the server.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/2166/info

Informix Webdriver, the web-to-DB interface used by Informix database products, may permit unauthorized remote access to the system's administration functions.

Under very specific circumstances, if webdriver is called directly, without any additional parameters included in the URL submitted to the server, the response will take the form of a remote administration page which can permit a malicious non-local user to modify or delete database information.

John Wright <john@dryfish.org> notes that this vulnerability will only be exploitable under a particular misconfiguration, and that by default, the above-described URL will result only in a "404 Asset not found", etc, and not in the display of a remote administration page. 

http://example.com/cgi-bin/webdriver