|
|
|
|
| |
NetPublish Server from "Extensis is a database-driven file cataloging product, which is accessible via a web interface".
The NetPublish Server web interface is vulnerable to a directory traversal attack, which allows access to files that resiude outside the web root directory. |
| |
Credit:
The information has been provided by IRMPLC Advisories.
|
| |
Vulnerable Systems:
* Netpublish Server 7
Arbitrary files could be retrieved from the server by using a 'directory traversal' attack within the URL, as shown below:
http://xxx.xxx.xxx.xxx/netpub/server.np?base& site=XXXintra&catalog=catalog&template=../../../../../../../../../boot.ini
As a result of supplying the above URL the contents of the file 'boot.ini' are displayed in the web browser. Furthermore, by default the server runs with the privilege level of the local SYSTEM account (on Windows) and could therefore be used to retrieve the contents of any file on the server. The risk is reduced if the product is run on Unix, as the privilege level used is that of the 'nobody' account.
Vendor Status:
Extensis were contacted on October 11th 2005 and although they have not produced a patch to prevent the directory traversal they have released a KnowledgeBase article on their web site, which attempts to mitigate the issue. For more information see:
http://www.extensis.com/en/support/kb_article.jsp?articleNumber=3302201
|
|
|
|
|
|
|
|
|
|
