SecurityTracker.com
Category:  Application (Security)  >  Elron Internet Manager Suite
Vendors:  Elron
(Vendor Re-Confirms) Re: Elron Anti-Virus and Elron Message Inspector Give Unauthorized Access to Files to Remote Users
Updated:  Apr 8 2001 00:54 (UTC/GMT)
Original Entry Date:  Apr 8 2001 00:49 (UTC/GMT)
Impact:  Disclosure of system information
Fix Available:  Yes   Vendor Confirmed:  Yes  
Description:  A vulnerability has been reported in Elron's Internet Manager (IM) products that allows remote users to obtain files and directory listings from outside the product's root directory.

The problem is reported to exist in IM Message Inspector and IM Anti-Virus. Elron Internet Manager Firewall is reportedly not vulnerable. The author of the source message has not tested the IM Web Inspector.

The vulnerability is in Elron Software's proprietary web server, which does not perform proper path checking. For example:

http://[IP Address]/../../../../../../boot.ini will, in most cases, return the specified file.
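An added example (not Elron's code and not part of the original advisory) of the path check the description says the web server lacked: the request path is mapped under a document root and refused if normalization takes it outside that root. `DOC_ROOT`, `naive_map` and `safe_map` are hypothetical names; `ntpath` is used so Windows path rules apply on any OS, and symlink or junction resolution is out of scope.

```python
import ntpath
from urllib.parse import unquote

DOC_ROOT = r"C:\IM\wwwroot"  # hypothetical document root, not from the advisory


def naive_map(url_path: str) -> str:
    """Before: append the request path to the root with no containment check."""
    return ntpath.normpath(DOC_ROOT + url_path.replace("/", "\\"))


def safe_map(url_path: str, root: str = DOC_ROOT):
    """After: decode, normalize, then require the result to stay under root.

    Returns the mapped filesystem path, or None when the request is refused.
    """
    # Decode first so the check sees the same path the filesystem will.
    decoded = unquote(url_path.split("?", 1)[0])
    if "\x00" in decoded or ":" in decoded:
        return None  # NUL bytes, drive letters and NTFS stream names
    # Windows accepts both separators, so treat them identically.
    relative = decoded.replace("/", "\\").lstrip("\\")
    candidate = ntpath.normpath(ntpath.join(root, relative))
    root_cmp = ntpath.normcase(ntpath.normpath(root))
    cand_cmp = ntpath.normcase(candidate)
    # Compare case-insensitively and on a separator boundary, so that
    # C:\IM\wwwroot-old is not mistaken for a child of C:\IM\wwwroot.
    if cand_cmp == root_cmp or cand_cmp.startswith(root_cmp + "\\"):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed requests: one benign, one in the form quoted in the advisory.
    for path in ("/help/index.html", "/../../../../../../boot.ini"):
        print(f"{path!r}: naive={naive_map(path)!r} safe={safe_map(path)!r}")
```

A refused request (`None`) should be answered with an error and logged, since requests that normalize outside the root are a useful detection signal.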

Impact:  A remote user can gain unauthorized access to files and directories on the server.
Solution:  The vendor re-confirms that the vulnerability has been fixed in MI/AV v3.0.4. The vendor also notes that the IM Web Inspector and IM Firewall products use a different web server implementation and confirms that those products are not vulnerable.
Vendor URL:  www.elronsw.com/
Cause:  Access control error
Underlying OS:  Windows (NT), Windows (2000)
Reported By:  Justin Fry <jfry@ELRONSW.COM>
Message History:   This archive entry is a follow-up to the message listed below.
Mar 23 2001 Elron Anti-Virus and Elron Message Inspector Give Unauthorized Access to Files to Remote Users



 Message Contents

Date:  Fri, 6 Apr 2001 17:27:56 -0400
From:  Justin Fry <jfry@ELRONSW.COM>
Subject:  http://archives.neohapsis.com/archives/bugtraq/2001-03/0345.html

 

Dear Sirs,

The error reported by Erik in this note is now fixed in MI/AV v3.0.4, as
per my earlier posting.

In addition, the IM Web Inspector and IM Firewall products contain a
different web server implementation and have been confirmed not to
contain this vulnerability.

http://archives.neohapsis.com/archives/bugtraq/2001-03/0345.html

Best regards,

Justin Fry
Director, Worldwide Product Marketing
Elron Software, Inc.
USA Office: +1 781-993-6201
Email: jfry@elronsw.com
http://www.internetmanager.com


 



Copyright 2001, SecurityGlobal.net LLC