eFront "courses_ID" Path Disclosure Weakness
Release Date : 2012-04-27
Criticality level : Not critical
Impact : Exposure of system information
Where : From remote
Solution Status : Unpatched
Software: eFront 3.x
Haunt IT has discovered a weakness in eFront, which can be exploited by malicious people to disclose certain system information.
The weakness is caused by the application disclosing the full installation path in an error message when a certain invalid "courses_ID" is accessed via the lesson information.
The weakness is confirmed in version 3.6.11 build 15059. Other versions may also be affected.
Edit the source code to ensure that no installation path is disclosed.
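A regression check for the fix described above, as an added example that is not part of the original advisory or of eFront's code: it scans a captured response body for absolute filesystem paths, including HTML-entity, URL-encoded and JSON-escaped forms. The install root `/srv/www/lms`, the function names and all sample bodies are constructed placeholders.

```python
import html
import re
from urllib.parse import unquote

# Heuristic: absolute POSIX or Windows path that ends in a file name with an extension.
# The lookbehind skips URLs and quoted href/src attribute values.
ABS_PATH = re.compile(
    r"(?<![\w/.:\"'=])"
    r"((?:/[\w.\-]+){2,}\.\w{1,5}"
    r"|[A-Za-z]:\\(?:[\w.\- ]+\\)+[\w.\-]+\.\w{1,5})"
)

def normalise(body):
    """Undo URL, HTML-entity and JSON backslash escaping before matching."""
    return html.unescape(unquote(body)).replace("\\\\", "\\")

def find_path_leaks(body, install_root=None):
    """Return filesystem paths found in a response body, in order of discovery."""
    text = normalise(body)
    leaks = []
    if install_root:  # exact check against the known installation directory
        root = re.escape(install_root.rstrip("/\\"))
        leaks += [m.group(0) for m in re.finditer(root + r"[\w./\\\-]*", text)]
    for m in ABS_PATH.finditer(text):  # generic check for any absolute path
        if m.group(1) not in leaks:
            leaks.append(m.group(1))
    return leaks

# Constructed sample bodies (not real eFront output).
LEAKY = '<div class="error">Invalid id in /srv/www/lms/libraries/example.class.php on line 12</div>'
ENCODED = "Warning: include(&#47;srv&#47;www&#47;lms&#47;config.php) failed"
WINDOWS_JSON = r'{"error": "failed in C:\\inetpub\\lms\\index.php"}'
CLEAN = '<div class="error">The requested course does not exist.</div><a href="/lessons/info.php">Back</a>'

if __name__ == "__main__":
    for name, body in [("leaky", LEAKY), ("encoded", ENCODED),
                       ("windows_json", WINDOWS_JSON), ("clean", CLEAN)]:
        print(name, find_path_leaks(body, install_root="/srv/www/lms"))
```

An empty list for every error page the application can render is the pass condition; the generic pattern is a heuristic and can flag unquoted relative URLs that look like file paths.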
Provided and/or discovered by: