CVE-2004-1223 in Policy Manager
Summary
by MITRE
The Management Agent in F-Secure Policy Manager 5.11.2810 allows remote attackers to gain sensitive information, such as the absolute path for the web server, via an HTTP request to fsmsh.dll without any parameters.
Analysis
by VulDB Data Team • 09/04/2025
The vulnerability identified as CVE-2004-1223 resides within the F-Secure Policy Manager version 5.11.2810 management agent component, specifically affecting the web server interface that handles requests through the fsmsh.dll module. This flaw represents a classic information disclosure vulnerability that exposes system internals to remote attackers without requiring authentication or specialized privileges. The vulnerability manifests when an attacker sends an HTTP request to the fsmsh.dll endpoint without providing any parameters, which triggers the server to return sensitive information including the absolute path of the web server installation directory. This type of vulnerability falls under the category of CWE-200 Information Disclosure, where system details are inadvertently exposed to unauthorized parties.
The technical exploitation of this vulnerability occurs through a simple HTTP GET request that leverages the management agent's lack of proper input validation and parameter handling. When the fsmsh.dll module receives a request without parameters, it fails to sanitize the input properly and instead responds with internal system information that includes file system paths. This behavior demonstrates a fundamental flaw in the application's security design where the system does not adequately protect sensitive operational details from being exposed through routine web requests. The vulnerability is particularly concerning because it provides attackers with knowledge of the server's file structure, which can serve as a foundation for more sophisticated attacks.
The operational impact of this vulnerability extends beyond simple information disclosure, as the exposed absolute paths can enable attackers to map the server's file system structure and potentially identify other vulnerable components or misconfigurations. An attacker who obtains this information can use it to plan subsequent attacks, such as directory traversal exploits, or to identify specific file locations that may contain additional sensitive data or configuration files. The exposure of web server paths also violates the principle of least privilege and information hiding, which are fundamental security concepts that prevent unauthorized access to system internals. This vulnerability aligns with ATT&CK technique T1083 (File and Directory Discovery) as it provides adversaries with systematic access to file system information that would normally be restricted.
Organizations utilizing F-Secure Policy Manager version 5.11.2810 face significant risk from this vulnerability, as it provides a straightforward method for remote attackers to gather intelligence about the system's internal structure. The vulnerability represents a critical security gap that could lead to more severe consequences if combined with other exploits or reconnaissance activities. System administrators should immediately implement mitigations including patching the software to a version that addresses this information disclosure flaw, implementing network-level restrictions to limit access to the management agent interface, and monitoring for suspicious HTTP requests to the fsmsh.dll endpoint. Additionally, security configurations should be reviewed to ensure that the management agent does not expose unnecessary information through its web interface, and that proper input validation is implemented to prevent similar issues in other components of the system. The vulnerability highlights the importance of secure coding practices and proper security testing to prevent such exposure of internal system details to external parties.
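The monitoring recommended above can be done as a scan of web server access logs for requests that name fsmsh.dll and carry no parameters. This is an added example, not part of the original entry or of F-Secure's code; it assumes Common/Combined Log Format logs, and the `/example/` URL prefix, parameter name and log lines are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: access logs are in Common/Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_bare_fsmsh_request(target: str) -> bool:
    """True when the request target names fsmsh.dll and has no query parameters."""
    parts = urlsplit(target)
    # Decode percent-escapes and fold case: Windows file names are case-insensitive,
    # so FSMSH.DLL and fsmsh%2Edll reach the same module.
    path = unquote(parts.path).replace("\\", "/").lower()
    segments = [s for s in path.split("/") if s]
    if not segments or segments[-1] != "fsmsh.dll":
        return False
    # "fsmsh.dll", "fsmsh.dll?" and "fsmsh.dll?&" all carry no parameters.
    return parts.query.strip("&") == ""

def find_bare_requests(lines):
    """Return (client, timestamp, method, status) for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_bare_fsmsh_request(m["target"]):
            hits.append((m["client"], m["ts"], m["method"], int(m["status"])))
    return hits

# Constructed sample log lines (documentation IP ranges, hypothetical URL prefix).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Sep/2025:10:00:01 +0000] "GET /example/fsmsh.dll HTTP/1.0" 200 312',
    '192.0.2.10 - - [04/Sep/2025:10:00:02 +0000] "GET /example/FSMSH.DLL? HTTP/1.0" 200 312',
    '198.51.100.7 - - [04/Sep/2025:10:00:03 +0000] "GET /example/fsmsh.dll?param=value HTTP/1.0" 200 87',
    '203.0.113.5 - - [04/Sep/2025:10:00:04 +0000] "POST /example/fsmsh%2Edll HTTP/1.1" 200 312',
    '203.0.113.5 - - [04/Sep/2025:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for client, ts, method, status in find_bare_requests(SAMPLE_LOG):
        print(f"{ts} {client} {method} fsmsh.dll without parameters -> HTTP {status}")
```

Access logs record only the request line, so a POST flagged here may still have carried parameters in its body; treat such hits as leads to correlate with the response size or body logging where available.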