CA eTrust Security Command Center contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker sends a single quote to the 'PIProfile' of the 'ePPIServlet' script, which will disclose the software's installation path resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.

Currently, there are no known workarounds or upgrades to correct this issue. However, CA has released a patch to address this vulnerability.

• CVE ID: 2006-4899 (see also: NVD)
• Secunia Advisory ID: 22023 22073
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-09/0357.html
  http://archives.neohapsis.com/archives/fulldisclosure/2006-09/0387.html
• Other Advisory URL: http://www.aushack.com/200608-computerassociates.txt
  http://www.osisecurity.com.au/advisories/computer-associates-etrust-security-command-center-multiple-vulnerabilities
• Vendor URL: http://www.ca.com/
• Vendor Specific Advisory URL: http://www3.ca.com/securityadvisor/blogs/posting.aspx?id=90744&pid=93243&date=2006/9 [ Link is 404 ]

• Patrick Webster - OSI Security