Home page logo
/

bugtraq logo Bugtraq mailing list archives

NetSaro Enterprise Messenger Server Administration Console Source Code Disclosure
From: robkraus () soutionary com
Date: Mon, 22 Aug 2011 16:47:07 GMT

Vulnerability title: NetSaro Enterprise Messenger Server Administration Console Null Byte Request Source Code Disclosure

CVSS Risk Rating: 5 (Medium)

Product: NetSaro Enterprise Messenger Server

Application Vendor: SEM Software

Vendor URL: http://www.netsaro.com/

Public disclosure date: 8/22/2011

Discovered by: Rob Kraus and Solutionary Engineering Research Team (SERT)

Solutionary ID: SERT-VDN-1012

Solutionary public disclosure URL: 
http://www.solutionary.com/index/SERT/Vuln-Disclosures/NetSaro-Enterprise-Messenger-Source-Code.html

Vulnerability Description: A vulnerability exists in the NetSaro Enterprise Messenger Server Administration Console 
allowing a remote attacker to obtain unauthenticated access to the applications source code. Attackers may make HTTP 
GET requests and append a Null Byte to allow download of the source code for the applications web pages. An attacker 
does not need to authenticate to obtain access to source code for pages that usually require authentication prior to 
viewing. More information about this class of vulnerability can be obtained by visiting: 
http://cwe.mitre.org/data/definitions/158.html - Improper Neutralization of Null Byte of NUL Character – CWE 158

Affected software versions: NetSaro Enterprise Messenger Server v2.0 (previous versions may also be vulnerable)

Impact: Attackers may be able to obtain access to the source code of the application and use information found in the 
source code to conduct further attacks against the application.

Fixed in: None Available

Remediation guidelines: Limit access to the application and apply security patches as they become available. 


  By Date           By Thread  

Current thread:
  • NetSaro Enterprise Messenger Server Administration Console Source Code Disclosure robkraus (Aug 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]