CVE-2014-10079

An unauthenticated attacker simply requests the front page of the Vembu StoreGrid web interface (typically on port 6061). Due to incorrect handling of the index.php/ trailing slash, the server's private IP address is embedded in the HTML source code inside a hidden form field named "ipaddress" around line 80 [ref_id=1][ref_id=2]. No authentication or special payload is required; the disclosure occurs on every normal page load.

The vulnerability is in the front page of the Vembu StoreGrid web interface (version 4.4.0). The hidden form field "ipaddress" around line 80 of the HTML source leaks the private IP address due to incorrect processing of an index.php/ trailing slash [ref_id=1][ref_id=2]. No specific source file or function is named in the advisory.

No patch is included in the bundle. The advisory does not specify a fix, but the remediation would involve removing the private IP address from the hidden form field or ensuring the server does not leak internal addressing information in the HTML response. The vulnerability is present in Vembu StoreGrid version 4.4.0 [ref_id=1][ref_id=2].

1. Navigate to the Vembu StoreGrid web interface (e.g., https://target:6061/). 2. View the HTML source code of the front page. 3. Around line 80, locate the hidden form field named "ipaddress" which contains the server's private IP address [ref_id=1][ref_id=2].