SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Your Ad Here
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Generic)  >  Fujitsu Web-Based Admin View Vendors:  Fujitsu
Fujitsu Web-Based Admin View Input Validation Flaw Lets Remote Users Traverse the Directory
SecurityTracker Alert ID:  1020726
SecurityTracker URL:  http://securitytracker.com/id?1020726
CVE Reference:  CVE-2008-3776   (Links to External Site)
Updated:  Aug 28 2008
Original Entry Date:  Aug 21 2008
Impact:  Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): 2.1.2; possibly other versions
Description:  A vulnerability was reported in Fujitsu Web-Based Admin View. A remote user can view files on the target system.

The software does not properly validate user-supplied input. A remote user can supply a specially crafted request to view files on target system that are located outside of the document directory.

A demonstration exploit request is provided:

GET /.././.././.././.././.././.././.././.././.././ etc/passwd HTTP/1.0
Host: [target]:8081

Deniz Cevik of www.intellectpro.com.tr reported this vulnerability.
Impact:  A remote user can view files on the target system.
Solution:  No solution was available at the time of this entry.
Vendor URL:  www.fujitsu.com/ (Links to External Site)
Cause:  Input validation error
Underlying OS:  UNIX (Solaris - SunOS)
Underlying OS Comments:  Other systems may be affected
Reported By:  "Deniz Cevik" <Deniz.Cevik@intellect.com.tr>
Message History:   None.

 Source Message Contents
Date:  Thu, 21 Aug 2008 16:34:00 +0300
From:  "Deniz Cevik" <Deniz.Cevik@intellect.com.tr>
Subject:  [Full-disclosure] Fujitsu Web-Based Admin View Directory Traversal


 
This is a multi-part message in MIME format.

--===============2116010867==
Content-class: urn:content-classes:message
Content-Type: multipart/alternative;
	boundary="----_=_NextPart_001_01C90392.91F2864E"

This is a multi-part message in MIME format.

------_=_NextPart_001_01C90392.91F2864E
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Fujitsu Web-Based Admin View Directory Traversal Vulnerability

=20

Version: 2.1.2 on Solaris, Other versions may vulnerable

=20

Vulnerability: Directory Traversal

=20

Risk: Critical

=20

Description:  Due to insufficient control of user inputs, Fujitsu
Web-based admin view reveals content of files residing in folders other
than webroot. This will allow an attacker to view arbitrary local files
within the context of the web server.=20

=20

Sample Request:

=20

GET /.././.././.././.././.././.././.././.././.././etc/passwd HTTP/1.0

Host: target:8081

=20

Deniz CEVIK

www.intellectpro.com.tr

=20


------_=_NextPart_001_01C90392.91F2864E
Content-Type: text/html;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:x=3D"urn:schemas-microsoft-com:office:excel" =
xmlns:p=3D"urn:schemas-microsoft-com:office:powerpoint" =
xmlns:a=3D"urn:schemas-microsoft-com:office:access" =
xmlns:dt=3D"uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" =
xmlns:s=3D"uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" =
xmlns:rs=3D"urn:schemas-microsoft-com:rowset" xmlns:z=3D"#RowsetSchema" =
xmlns:b=3D"urn:schemas-microsoft-com:office:publisher" =
xmlns:ss=3D"urn:schemas-microsoft-com:office:spreadsheet" =
xmlns:c=3D"urn:schemas-microsoft-com:office:component:spreadsheet" =
xmlns:odc=3D"urn:schemas-microsoft-com:office:odc" =
xmlns:oa=3D"urn:schemas-microsoft-com:office:activation" =
xmlns:html=3D"http://www.w3.org/TR/REC-html40" =
xmlns:q=3D"http://schemas.xmlsoap.org/soap/envelope/" xmlns:D=3D"DAV:" =
xmlns:x2=3D"http://schemas.microsoft.com/office/excel/2003/xml" =
xmlns:ois=3D"http://schemas.microsoft.com/sharepoint/soap/ois/" =
xmlns:dir=3D"http://schemas.microsoft.com/sharepoint/soap/directory/" =
xmlns:ds=3D"http://www.w3.org/2000/09/xmldsig#" =
xmlns:dsp=3D"http://schemas.microsoft.com/sharepoint/dsp" =
xmlns:udc=3D"http://schemas.microsoft.com/data/udc" =
xmlns:xsd=3D"http://www.w3.org/2001/XMLSchema" =
xmlns:sub=3D"http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/"=
 xmlns:ec=3D"http://www.w3.org/2001/04/xmlenc#" =
xmlns:sp=3D"http://schemas.microsoft.com/sharepoint/" =
xmlns:sps=3D"http://schemas.microsoft.com/sharepoint/soap/" =
xmlns:xsi=3D"http://www.w3.org/2001/XMLSchema-instance" =
xmlns:udcxf=3D"http://schemas.microsoft.com/data/udc/xmlfile" =
xmlns:st=3D"&#1;" xmlns=3D"http://www.w3.org/TR/REC-html40"
xmlns:ns0=3D"http://schemas.microsoft.com/office/2004/12/omml">

<head>
<meta http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
<style>
<!--p.MSOBODYTEXT
	{mso-style-priority:99;}
li.MSOBODYTEXT
	{mso-style-priority:99;}
div.MSOBODYTEXT
	{mso-style-priority:99;}
a:link
	{mso-style-priority:99;}
span.MSOHYPERLINK
	{mso-style-priority:99;}
a:visited
	{mso-style-priority:99;}
span.MSOHYPERLINKFOLLOWED
	{mso-style-priority:99;}
span.BODYTEXTCHAR
	{mso-style-priority:99;}

 /* Font Definitions */
 @font-face
	{font-family:Verdana;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
	{font-family:Calibri;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman";}
p.MsoBodyText, li.MsoBodyText, div.MsoBodyText
	{margin:0in;
	margin-bottom:.0001pt;
	text-align:justify;
	font-size:10.0pt;
	font-family:"Courier New";
	color:black;}
a:link, span.MsoHyperlink
	{color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{color:purple;
	text-decoration:underline;}
span.bodytextchar
	{font-family:Calibri;}
span.EmailStyle19
	{mso-style-type:personal;
	font-family:Arial;
	color:windowtext;}
span.charchar
	{font-family:"Courier New";
	color:black;}
span.EmailStyle21
	{mso-style-type:personal;
	font-family:Calibri;
	color:#1F497D;}
span.EmailStyle22
	{mso-style-type:personal;
	font-family:Arial;
	color:navy;}
span.EmailStyle23
	{mso-style-type:personal-reply;
	font-family:Arial;
	color:navy;}
@page Section1
	{size:8.5in 11.0in;
	margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
	{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext=3D"edit">
  <o:idmap v:ext=3D"edit" data=3D"1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple>

<div class=3DSection1>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'>Fujitsu =
Web-Based
Admin View Directory Traversal =
Vulnerability<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'><o:p>&nbsp;</o=
:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'>Version: =
2.1.2 on
Solaris, Other versions may vulnerable<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'><o:p>&nbsp;</o=
:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'>Vulnerability:=

Directory Traversal<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'><o:p>&nbsp;</o=
:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'>Risk: =
Critical<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'><o:p>&nbsp;</o=
:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'>Description: =
&nbsp;Due
to insufficient control of user inputs, Fujitsu Web-based admin view =
reveals
content of files residing in folders other than webroot. This will allow =
an
attacker to view arbitrary local files within the context of the web =
server. <o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'><o:p>&nbsp;</o=
:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'>Sample =
Request:<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'><o:p>&nbsp;</o=
:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'>GET
/.././.././.././.././.././.././.././.././.././etc/passwd =
HTTP/1.0<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'>Host: =
target:8081<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'><o:p>&nbsp;</o=
:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'>Deniz =
CEVIK<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dblack face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:black'>www.intellectp=
ro.com.tr<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span =
style=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p>&nbsp;</o:p></span></font><
/p>

</div>

</body>

</html>

------_=_NextPart_001_01C90392.91F2864E--


--===============2116010867==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--===============2116010867==--


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2007, SecurityGlobal.net LLC