Date: Mon, 13 Jul 2015 21:31:44 +0100
From: Pedro Ribeiro <>
To: bugtraq <>, 
	"" <>
Subject: [FD] [CVE-2015-2862/2863 / CERT VU#919604] Kaseya VSA arbitrary
 file download / open redirect

Two vulns in Kaseya Virtual System Administrator - an authenticated
arbitrary file download and two lame open redirects.

Full advisory text below and at [1]. Thanks to CERT for helping me to
disclose these vulnerabilities [2].

>> Multiple vulnerabilities in Kaseya Virtual System Administrator
>> Discovered by Pedro Ribeiro (, Agile Information Security (
Disclosure: 13/07/2015 / Last updated: 13/07/2015

>> Background on the affected product:
"Kaseya VSA is an integrated IT Systems Management platform that can
be leveraged seamlessly across IT disciplines to streamline and
automate your IT services. Kaseya VSA integrates key management
capabilities into a single platform. Kaseya VSA makes your IT staff
more productive, your services more reliable, your systems more
secure, and your value easier to show."

>> Technical details:
Vulnerability: Arbitrary file download (authenticated)
Affected versions: unknown, at least v9

GET /vsaPres/web20/core/Downloader.ashx?displayName=whatever&filepath=../../boot.ini

A valid login is needed, and the HTTP Referer header must be included. A
sample request can be obtained by downloading any file attached to any
ticket and then modifying it with the appropriate path traversal.
This will download the C:\boot.ini file when Kaseya is installed in
the default C:\Kaseya directory. The file download root is the
WebPages directory (<Kaseya_Install_Dir>\WebPages\).
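As an added illustration (not code from the advisory or from Kaseya), the following Python compares what a handler gets when it simply joins the download root with the user-supplied `filepath` against a confined resolver that rejects any result outside the WebPages root. The root `C:\Kaseya\WebPages` and the sample requests are assumptions modelled on the default install described above; `ntpath` is used explicitly so the Windows path rules apply wherever the snippet runs.

```python
import ntpath
from typing import Optional

# Assumed download root, modelled on the default install described in the advisory.
DOWNLOAD_ROOT = r"C:\Kaseya\WebPages"


def naive_download_path(root: str, requested: str) -> str:
    """What a handler gets when it just joins root and the user-supplied path.

    normpath collapses the '..' segments, so '../../boot.ini' lands outside root.
    """
    return ntpath.normpath(ntpath.join(root, requested))


def resolve_download_path(root: str, requested: str) -> Optional[str]:
    """Return the normalised absolute path if it stays inside root, else None.

    ntpath is used on purpose so backslashes, drive letters and case-insensitive
    comparison behave as on Windows even when this runs on another platform.
    """
    root_norm = ntpath.normpath(root)

    # Absolute, rooted, UNC and drive-relative ('D:file') inputs are never files
    # under root, so refuse them before doing any path arithmetic.
    if (ntpath.isabs(requested)
            or ntpath.splitdrive(requested)[0]
            or requested.startswith(("\\", "/"))):
        return None

    candidate = ntpath.normpath(ntpath.join(root_norm, requested))

    # commonpath raises ValueError when the drives differ; treat that as an escape.
    try:
        common = ntpath.commonpath([root_norm, candidate])
    except ValueError:
        return None

    # The shared prefix must be the root itself (compared case-insensitively),
    # and the result must name something inside it, not the root directory.
    if ntpath.normcase(common) != ntpath.normcase(root_norm):
        return None
    if ntpath.normcase(candidate) == ntpath.normcase(root_norm):
        return None
    return candidate


if __name__ == "__main__":
    samples = ("tickets/1001/report.pdf", "../../boot.ini",
               r"..\..\boot.ini", r"C:\Windows\win.ini")
    for req in samples:
        print(f"{req!r:28} naive={naive_download_path(DOWNLOAD_ROOT, req)!r:42} "
              f"confined={resolve_download_path(DOWNLOAD_ROOT, req)!r}")
```

The confined resolver is pure string logic; a production handler should also resolve the final path on the real filesystem so junctions and symlinks under the root cannot re-open the escape, and should not treat the presence of a Referer header as an access control.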

Vulnerability: Open redirect (unauthenticated)
Affected versions: unknown, at least v7 to XXX

GET /vsaPres/Web20/core/LocalProxy.ashx?url=
(host header has to be spoofed to the target)
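The following is an added detection example, not code from the advisory or from Kaseya. It scans constructed IIS-style access log lines for the two request shapes described above: `Downloader.ashx` requests whose `filepath` contains a traversal segment or an absolute Windows path, and `LocalProxy.ashx` requests whose `url` points at a host other than the server's own. The reduced log field layout, the hostname `vsa.example.internal`, the addresses and the sample lines are all assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in a reduced IIS W3C layout (assumed field order):
# date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
SAMPLE_LOG = """\
2015-07-13 10:01:02 GET /vsaPres/web20/core/Downloader.ashx displayName=report.pdf&filepath=tickets/1001/report.pdf 10.0.0.5 200
2015-07-13 10:01:09 GET /vsaPres/web20/core/Downloader.ashx displayName=whatever&filepath=../../boot.ini 203.0.113.7 200
2015-07-13 10:01:15 GET /vsaPres/web20/core/Downloader.ashx displayName=x&filepath=..%2F..%2Fboot.ini 203.0.113.7 200
2015-07-13 10:02:01 GET /vsaPres/Web20/core/LocalProxy.ashx url=https://vsa.example.internal/vsaPres/Default.aspx 10.0.0.9 302
2015-07-13 10:02:30 GET /vsaPres/Web20/core/LocalProxy.ashx url=https://external.example.org/login 203.0.113.7 302
2015-07-13 10:03:00 GET /vsaPres/Default.aspx - 10.0.0.9 200
"""

# Assumed: the hostnames under which this VSA server is legitimately reached.
OWN_HOSTS = {"vsa.example.internal"}

# A '..' segment delimited by either separator, or at the start/end of the value.
TRAVERSAL_SEGMENT = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# A Windows drive prefix or a leading separator: not relative to the download root.
ABSOLUTE_PREFIX = re.compile(r"^([A-Za-z]:|[\\/])")


def parse_line(line: str):
    """Split one log line into its fields; returns None for malformed lines."""
    parts = line.split(" ")
    if len(parts) != 7:
        return None
    date, time, method, stem, query, client_ip, status = parts
    return {"date": date, "time": time, "method": method, "stem": stem,
            "query": query, "client_ip": client_ip, "status": status}


def is_traversal(filepath: str) -> bool:
    """True if the filepath value escapes a relative root (after decoding)."""
    decoded = unquote(filepath)  # parse_qs decoded once; catch a second layer
    return bool(TRAVERSAL_SEGMENT.search(decoded)) or bool(ABSOLUTE_PREFIX.match(decoded))


def is_external_target(url: str, own_hosts) -> bool:
    """True if the redirect/proxy target names a host other than our own."""
    host = urlsplit(unquote(url)).hostname
    if host is None:
        return False  # relative target: stays on this server
    return host.lower() not in own_hosts


def find_suspicious(log_text: str, own_hosts=OWN_HOSTS):
    """Return (client_ip, finding, parameter value) tuples for matching requests."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stem = rec["stem"].lower()  # IIS paths are case-insensitive
        params = {} if rec["query"] == "-" else parse_qs(rec["query"], keep_blank_values=True)
        if stem.endswith("/downloader.ashx"):
            for value in params.get("filepath", []):
                if is_traversal(value):
                    findings.append((rec["client_ip"], "path-traversal", value))
        elif stem.endswith("/localproxy.ashx"):
            for value in params.get("url", []):
                if is_external_target(value, own_hosts):
                    findings.append((rec["client_ip"], "open-redirect", value))
    return findings


if __name__ == "__main__":
    for client_ip, finding, value in find_suspicious(SAMPLE_LOG):
        print(f"{client_ip:15} {finding:15} {value}")
```

Protocol-relative targets such as `//external.example.org/x` are flagged as external because `urlsplit` reads the host from them; a bare path is treated as staying on the server. The host allowlist is deliberately a fixed set rather than the request's own Host header, since the advisory notes that the header can be spoofed.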

>> Fix:
R9.1: install patch
R9.0: install patch
R8.0: install patch
V7.0: install patch

Agile Information Security Limited
>> Enabling secure digital business >>

