TippingPoint Zero Day Initiative

TippingPoint SMS Server Authentication Bypass Vulnerability

ZDI-06-013: May 9th, 2006


Affected Vendors

Affected Products

    TippingPoint SMS

Vulnerability Details

This vulnerability may allow attackers to access sensitive information from vulnerable TippingPoint SMS servers.

The specific flaw exists within the web management interface. Due to insufficient protections on specific directories, an attacker with access to the web interface may be able to view benign data such as the user manual. In the event that the device was being used for backup purposes, it may be possible for an attacker to identify additional information such as configuration settings.

Vendor Response

3Com TippingPoint states:

This issue has been addressed in TippingPoint SMS Server release version Customers can obtain the update through the SMS device or by visiting http://tmc.tippingpoint.com

Disclosure Timeline

    2006-01-19 - Vulnerability reported to vendor
    2006-05-09 - Coordinated public release of advisory


This vulnerability was discovered by:
    Micheal Cottingham