Vigil@nce - Nessus Web UI: information disclosure via server/properties
August 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can access to /server/properties of Nessus Web UI, in
order to obtain sensitive information.
Impacted products: Nessus
Severity: 2/4
Creation date: 21/07/2014
DESCRIPTION OF THE VULNERABILITY
The Nessus Web UI product offers a web service.
The /server/properties page displays information. However, the
access to some information does not require authentication: Plugin
Set, Server uuid, Web Server Version, Nessus UI Version, Nessus
Type, Notifications, MSP, Capabilities, Multi Scanner, Multi User,
Tags, Reset Password, Report Diff, Report Email Config, Report
Email, PCI Upload, Plugin Rules, Plugin Set, Idle Timeout, Scanner
Boot time, Server Version, Feed, Status.
An attacker can therefore access to /server/properties of Nessus
Web UI, in order to obtain sensitive information.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Nessus-Web-UI-information-disclosure-via-server-properties-15080