| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 20 Dec 2005 14:51:19 -0000 From: "Advisories" <advisories@...plc.com> To: <bugtraq@...urityfocus.com> Subject: IRM 012: Portfolio Netpublish Server 7 is vulnerable to a Directory Traversal Attack ---------------------------------------------------------------------- IRM Security Advisory No. 012 Portfolio Netpublish Server 7 is vulnerable to a Directory Traversal Attack Vulnerablity Type / Importance: Information Leakage / High Problem discovered: October 11th 2005 Vendor contacted: October 11th 2005 Advisory published: December 19th 2005 ---------------------------------------------------------------------- Abstract: NetPublish Server from Extensis is a database-driven file cataloging product, which is accssible via a web interface. The service is vulnerable to a directory traversal attack, which allows access to files outside the web root directory. Description: During a recent pentration test IRM identified a security issue associated with the Portfolio Netpublish Server 7 product. Arbitrary files could be retrieved from the server by using a 'directory traversal' attack within the URL, as shown below (information relating to our client has been obscured): http://xxx.xxx.xxx.xxx/netpub/server.np?base&site=XXXintra&catalog=catalog&t emplate=../../../../../../../../../boot.ini As a result of supplying the above URL the contents of the file 'boot.ini' are displayed in the web browser. Furthermore, by default the server runs with the privilege level of the local SYSTEM account (on Windows) and could therefore be used to retrieve the contents of any file on the server. The risk is reduced if the product is run on Unix, as the privilege level used is that of the 'nobody' account. Tested Versions: Netpublish Server 7 Tested Operating Systems: Microsoft Windows 2000 Linux Vendor & Patch Information: Extensis were contacted on October 11th 2005 and although they have not produced a patch to prevent the directory traversal they have released a KnowledgeBase article on their web site, which attempts to mitigate the issue. The article is linked below. Workarounds: http://www.extensis.com/en/support/kb_article.jsp?articleNumber=3302201 Credits: Research & Advisory: Andy Davis and Mazin Faour Disclaimer: All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information. A copy of this advisory may be found at: http://www.irmplc.com/advisories.htm ---------------------------------------------------------------------- Information Risk Management Plc. Kings Building, Smith Square, London, United Kingdom SW1P 3JJ +44 (0)207 808 6420
Powered by blists - more mailing lists