CVE-2013-4093

Name of the Vulnerable Software and Affected Versions Imperva SecureSphere version 9.0.0.5

Description The issue allows remote attackers to obtain sensitive information. This can be achieved through a direct request to "dwr/call/plaincall/AsyncOperationsContainer.getOperationState.dwr", which reveals the installation path in the s0.filePath field. Alternatively, a T/keyManagement request to "plain/settings.html" can reveal a temporary path in an error message.

Recommendations For Imperva SecureSphere version 9.0.0.5, consider restricting access to the "dwr/call/plaincall/AsyncOperationsContainer.getOperationState.dwr" and "plain/settings.html" endpoints to minimize the risk of exploitation. Additionally, as a temporary workaround, consider disabling the AsyncOperationsContainer.getOperationState function until a patch is available.