| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7796947a0706011021s1f58dc5fjdfc9f35aa6d460ed@mail.gmail.com>
Date: Fri, 1 Jun 2007 13:21:02 -0400
From: guiness.stout <guinness.stout@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: APC PowerChute Network Shutdown 2.21 is
vulnerable to directory transversal
Synopsis: APC PowerChute Network Shutdown 2.21 is vulnerable to directory
transversal
Background: APC PowerChute Network Shutdown is used to perform graceful
shutdowns of network servers from one main server.
Affected Versions: <= 2.21 build 116
Description: APC PowerChute Network Shutdown is vulnerable to a directory
transversal by appending special characters such as %5c and %2e to the end
of a URL. This is due to an existing vulnerability in Acme.Serve which is a
Java HTTP server which PowerChute Network Shutdown is built on.
Vendor Notified April 9th 2007
Vendor Response April 10th 2007 "A fix is being worked on for the next
release."
April 25th 2007 Spoke to vendor again, no ETA.
May 3rd 2007 No ETA.
June 1st 2007 No ETA.
Reference: CVE-2001-0748
http://xforce.iss.net/xforce/xfdb/6634
http://www.securityfocus.com/bid/2809
http://www.apc.com/products/family/index.cfm?id=127
http://www.acme.com/java/software/Acme.Serve.Serve.html
Chris Castaldo
"An ounce of prevention is worth a pound of cure."
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists