CVE-2008-6707 Information

Description

The Web management interface in Avaya SIP Enablement Services (SES) 3.x and 4.0, as used with Avaya Communication Manager 3.1.x, does not perform authentication for certain functionality, which allows remote attackers to obtain sensitive information and access restricted functionality via (1) the certificate installation utility, (2) unspecified scripts in the objects folder, (3) an "unnecessary default application," (4) unspecified scripts in the states folder, (5) an unspecified "default application" that lists server configuration, and (6) "full system help."

Reference

http://osvdb.org/46598
http://osvdb.org/46599
http://osvdb.org/46600
http://secunia.com/advisories/30751
http://support.avaya.com/elmodocs2/security/ASA-2008-268.htm
http://www.securityfocus.com/bid/29939
http://www.voipshield.com/research-details.php?id=86
http://www.voipshield.com/research-details.php?id=87
http://www.voipshield.com/research-details.php?id=88
http://www.voipshield.com/research-details.php?id=89
http://www.voipshield.com/research-details.php?id=90
http://www.voipshield.com/research-details.php?id=91
http://www.vupen.com/english/advisories/2008/1943/references
https://exchange.xforce.ibmcloud.com/vulnerabilities/43381
https://exchange.xforce.ibmcloud.com/vulnerabilities/43384
https://exchange.xforce.ibmcloud.com/vulnerabilities/43389
https://exchange.xforce.ibmcloud.com/vulnerabilities/43393
https://exchange.xforce.ibmcloud.com/vulnerabilities/43394
https://exchange.xforce.ibmcloud.com/vulnerabilities/43395
