vCAP Traversal Arbitrary File Access

2006-09-11T14:48:54
ID OSVDB:28808
Type osvdb
Reporter Securma Massine (securma@morx.org)
Modified 2006-09-11T14:48:54

Description

Vulnerability Description

vCAP contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The flaw exists because vCAP does not properly sanitize user input, specifically directory traversal sequences (../../).

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

http://[target]:6100/../Data/vCAP.db

References:

Vendor URL: http://www.pscs.co.uk/
Secunia Advisory ID: 21862
Related OSVDB ID: 28810
Related OSVDB ID: 28807
Related OSVDB ID: 28809
Other Advisory URL: http://www.morx.org/vcap.txt
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-09/0187.html
ISS X-Force ID: 28873
FrSIRT Advisory: ADV-2006-3569
CVE-2006-5034
Bugtraq ID: 19958