|
Full Disclosure
mailing list archives
DDIVRT-2011-34 Metropolis Technologies OfficeWatch Directory Traversal
From: ddivulnalert <ddivulnalert () ddifrontline com>
Date: Mon, 3 Oct 2011 12:03:51 -0500
Title
-----
DDIVRT-2011-34 Metropolis Technologies OfficeWatch Directory Traversal
Severity
--------
High
Date Discovered
---------------
August 15, 2011
Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: Chris Graham and r () b13$
Vulnerability Description
-------------------------
Metropolis Technologies OfficeWatch enables a web server on TCP port 80 that is susceptible to a directory traversal.
An attacker may send a ../ (dot-dot-slash) sequence to traverse out of the web root and access arbitrary files on the
host.
Solution Description
--------------------
Until a patch is released by the vendor, it is recommended to restrict access to the web server to authorized hosts
only. Access controls can be configured through Windows firewall.
Tested Systems / Software
-------------------------
Metropolis Technologies OfficeWatch for Windows 2000/XP/2003/Vista Version 2011.06.20
Tested on Windows Server 2003 and XP
Vendor Contact
--------------
support2011 () metropolis com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
- DDIVRT-2011-34 Metropolis Technologies OfficeWatch Directory Traversal ddivulnalert (Oct 03)
|
