lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <E1EoikH-00034P-00@keop-l>
Date: Tue, 20 Dec 2005 14:51:19 -0000
From: "Advisories" <advisories@...plc.com>
To: <bugtraq@...urityfocus.com>
Subject: IRM 012: Portfolio Netpublish Server 7 is vulnerable to a Directory Traversal Attack


----------------------------------------------------------------------
IRM Security Advisory No. 012

Portfolio Netpublish Server 7 is vulnerable to a Directory Traversal
Attack

Vulnerablity Type / Importance: Information Leakage / High

Problem discovered: October 11th 2005
Vendor contacted: October 11th 2005
Advisory published: December 19th 2005
----------------------------------------------------------------------

Abstract:

NetPublish Server from Extensis is a database-driven file cataloging
product,
which is accssible via a web interface. The service is vulnerable to a 
directory traversal attack, which allows access to files outside the 
web root directory.


Description:

During a recent pentration test IRM identified a security issue associated
with 
the Portfolio Netpublish Server 7 product. Arbitrary files could be
retrieved from 
the server by using a 'directory traversal' attack within the URL, as shown 
below (information relating to our client has been obscured):

http://xxx.xxx.xxx.xxx/netpub/server.np?base&site=XXXintra&catalog=catalog&t
emplate=../../../../../../../../../boot.ini

As a result of supplying the above URL the contents of the file 'boot.ini'
are displayed in the web browser. Furthermore, by default the server runs 
with the privilege level of the local SYSTEM account (on Windows) and could 
therefore be used to retrieve the contents of any file on the server. The
risk
is reduced if the product is run on Unix, as the privilege level used is
that
of the 'nobody' account.


Tested Versions:

Netpublish Server 7 


Tested Operating Systems:

Microsoft Windows 2000
Linux


Vendor & Patch Information:

Extensis were contacted on October 11th 2005 and although they have not
produced
a patch to prevent the directory traversal they have released a
KnowledgeBase
article on their web site, which attempts to mitigate the issue. The article
is
linked below.


Workarounds:

http://www.extensis.com/en/support/kb_article.jsp?articleNumber=3302201


Credits:

Research & Advisory: Andy Davis and Mazin Faour


Disclaimer:

All information in this advisory is provided on an 'as is'
basis in the hope that it will be useful. Information Risk Management
Plc is not responsible for any risks or occurrences caused
by the application of this information.

A copy of this advisory may be found at:

http://www.irmplc.com/advisories.htm

----------------------------------------------------------------------

Information Risk Management Plc.
Kings Building,
Smith Square, London,
United Kingdom 
SW1P 3JJ
+44 (0)207 808 6420



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ