[FD] Meinberg LANTIME Web Configuration Utility - Failure to Restrict URL Access
- To: fulldisclosure@xxxxxxxxxxxx
- Subject: [FD] Meinberg LANTIME Web Configuration Utility - Failure to Restrict URL Access
- From: Jakub Palaczynski <jakub.palaczynski@xxxxxxxxx>
- Date: Mon, 11 Dec 2017 17:43:35 +0100
Title: Meinberg LANTIME Web Configuration Utility - Failure to Restrict URL Access
Author: Jakub Palaczynski
CVE: CVE-2017-16787
Exploit tested on:
==================
Meinberg LANTIME Web Configuration Utility 6.16.008
Vulnerability affects:
======================
All LTOS6 firmware releases before 6.24.004
Vulnerability:
**************
Failure to Restrict URL Access:
===============================
Any user is able to read all files stored outside the cgi-bin directory without
authentication. This way it is possible to download firmware, statistics or
diagnostics files that are stored in the upload directory.
Contact:
========
Jakub[dot]Palaczynski[at]gmail[dot]com
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
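
For reviewing a device that ran an affected release, the sketch below lists successful reads of the upload directory per client from web access logs. It is an added example, not part of the original advisory or of Meinberg's software; the Common Log Format layout, the /upload/ URL prefix and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Assumptions (not from the advisory): Common Log Format access logs and an
# upload directory served under /upload/. Adjust both to the real device layout.
UPLOAD_PREFIX = "/upload/"
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def canonical_path(target):
    """Drop the query, percent-decode and collapse dot segments before comparing."""
    path = unquote(urlsplit(target).path)
    norm = normpath("/" + path.lstrip("/"))
    return norm + "/" if path.endswith("/") and norm != "/" else norm

def flag_upload_reads(lines):
    """Return {client_ip: [(path, bytes), ...]} for 2xx reads under UPLOAD_PREFIX."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if not m or m["method"] not in ("GET", "HEAD"):
            continue
        path = canonical_path(m["target"])
        if m["status"].startswith("2") and path.startswith(UPLOAD_PREFIX):
            size = 0 if m["size"] == "-" else int(m["size"])
            hits[m["ip"]].append((path, size))
    return dict(hits)

# Constructed sample log lines (documentation IP ranges, made-up file names).
SAMPLE = [
    '192.0.2.10 - - [11/Dec/2017:17:00:01 +0100] "GET /cgi-bin/main HTTP/1.1" 200 5120',
    '198.51.100.7 - - [11/Dec/2017:17:02:13 +0100] "GET /upload/diag.tgz HTTP/1.1" 200 734003',
    '198.51.100.7 - - [11/Dec/2017:17:02:20 +0100] "GET /upload/stats.csv?download=1 HTTP/1.1" 200 2048',
    '203.0.113.5 - - [11/Dec/2017:17:05:44 +0100] "GET /upload/firmware.bin HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, reads in flag_upload_reads(SAMPLE).items():
        print(ip, sum(size for _, size in reads), "bytes:", reads)
```

Because the affected releases served these files without authentication, every hit needs to be matched against known administrator activity; the log alone cannot tell the two apart.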