Metropolis Technologies OfficeWatch enables a web server on TCP port 80 that is susceptible to a directory traversal. An attacker may send a ../ (dot-dot-slash) sequence to traverse out of the web root and access arbitrary files on the host.
4aba0388d8f62c4675129cd9356d9b16ec2a4a24eaf06d3eacdd7b61b4eeec3bTitle
-----
DDIVRT-2011-34 Metropolis Technologies OfficeWatch Directory Traversal
Severity
--------
High
Date Discovered
---------------
August 15, 2011
Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: Chris Graham and r@b13$
Vulnerability Description
-------------------------
Metropolis Technologies OfficeWatch enables a web server on TCP port 80 that is susceptible to a directory traversal. An attacker may send a ../ (dot-dot-slash) sequence to traverse out of the web root and access arbitrary files on the host.
Solution Description
--------------------
Until a patch is released by the vendor, it is recommended to restrict access to the web server to authorized hosts only. Access controls can be configured through Windows firewall.
Tested Systems / Software
-------------------------
Metropolis Technologies OfficeWatch for Windows 2000/XP/2003/Vista Version 2011.06.20
Tested on Windows Server 2003 and XP
Vendor Contact
--------------
support2011@metropolis.com
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed