You are viewing an obsolete version of the DU website which is no longer supported by the Administrators. Visit The New DU.
Democratic Underground Latest Greatest Lobby Journals Search Options Help Login
Google

Reply #52: Stryon: Date: Dec 13 2002 [View All]

Printer-friendly format Printer-friendly format
Printer-friendly format Email this thread to a friend
Printer-friendly format Bookmark this thread
This topic is archived.
Home » Discuss » Topic Forums » Election Reform Donate to DU
Magic_Cookie Donating Member (131 posts) Send PM | Profile | Ignore Thu Nov-18-04 09:35 PM
Response to Reply #8
52. Stryon: Date: Dec 13 2002
http://securitytracker.com/alerts/2002/Dec/1005809.html

Stryon Instant ASP (iASP) Input Validation Flaw Discloses Files on the System to Remote Users

SecurityTracker Alert ID: 1005809
CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site)
Date: Dec 13 2002

Impact: Disclosure of system information, Disclosure of user information

Exploit Included: Yes

Version(s): 1.0.9 and prior versions

Description: A file disclosure vulnerability was reported in Stryon's Instant ASP (iASP) in the Remote Console Applet. A remote user can view arbitrary files on the system.

Fate Research Laboratories reported that a remote user can connect to the applet on port 9095 and supply a URL containing '../' directory traversal characters to obtain files on the system.

A demonstration exploit URL is provided:

http://<hostname>:9095/../../../../../../etc/passwd
The vendor has reportedly been notified.
Impact: A remote user can obtain files from the target user's server while the applet is running.
Solution: No solution was available at the time of this entry.
Vendor URL: www.stryon.com/products.asp?s=1 (Links to External Site)
Cause: Access control error, Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: "ph33r" <ph33r@fatelabs.com>

Printer Friendly | Permalink |  | Top
 

Home » Discuss » Topic Forums » Election Reform Donate to DU

Powered by DCForum+ Version 1.1 Copyright 1997-2002 DCScripts.com
Software has been extensively modified by the DU administrators


Important Notices: By participating on this discussion board, visitors agree to abide by the rules outlined on our Rules page. Messages posted on the Democratic Underground Discussion Forums are the opinions of the individuals who post them, and do not necessarily represent the opinions of Democratic Underground, LLC.

Home  |  Discussion Forums  |  Journals |  Store  |  Donate

About DU  |  Contact Us  |  Privacy Policy

Got a message for Democratic Underground? Click here to send us a message.

© 2001 - 2011 Democratic Underground, LLC