Home page logo
/

bugtraq logo Bugtraq mailing list archives

DDIVRT-2011-34 Metropolis Technologies OfficeWatch Directory Traversal
From: ddivulnalert () ddifrontline com
Date: Mon, 3 Oct 2011 17:02:49 GMT

Title
-----
DDIVRT-2011-34 Metropolis Technologies OfficeWatch Directory Traversal

Severity
--------
High

Date Discovered
---------------
August 15, 2011

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: Chris Graham and r () b13$

Vulnerability Description
-------------------------
Metropolis Technologies OfficeWatch enables a web server on TCP port 80 that is susceptible to a directory traversal. 
An attacker may send a ../ (dot-dot-slash) sequence to traverse out of the web root and access arbitrary files on the 
host.

Solution Description
--------------------
Until a patch is released by the vendor, it is recommended to restrict access to the web server to authorized hosts 
only. Access controls can be configured through Windows firewall.

Tested Systems / Software
-------------------------
Metropolis Technologies OfficeWatch for Windows 2000/XP/2003/Vista Version 2011.06.20

Tested on Windows Server 2003 and XP

Vendor Contact
--------------
support2011 () metropolis com


  By Date           By Thread  

Current thread:
  • DDIVRT-2011-34 Metropolis Technologies OfficeWatch Directory Traversal ddivulnalert (Oct 03)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault