Xerox Document Centre Directory Traversal

2003-12-22T04:48:20
ID OSVDB:3133
Type osvdb
Reporter OSVDB
Modified 2003-12-22T04:48:20

Description

Vulnerability Description

Xerox Document Centre contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when an attacker conducts a directory traversal attack. This can disclose directory listings and the content of arbitrary files, resulting in a loss of confidentiality.

Manual Testing Notes

Example of arbitrary file viewing:
http://[target]////../../data/config/microsrv.cfg
http://[target]////////../../../../../../etc/passwd

Attackers may also access the following management page, which discloses user passwords and allows new users to be added: http://[target]/srvadmin/usersecure.dhtml
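
For defenders reviewing web logs from an affected device, the following added example (not part of the original advisory) flags the request shapes described above: a path that climbs above the web root, the leading slash run, and the user management page. The Common Log Format, the sample log lines and the names classify and scan are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: the log is in Common Log Format; adjust REQUEST_RE for other formats.
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
ADMIN_PAGE = "/srvadmin/usersecure.dhtml"  # management page named in the advisory


def classify(target):
    """Return the advisory patterns that a request target matches."""
    path = unquote(target.split("?", 1)[0])  # drop query, decode %xx escapes
    reasons = []
    depth = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        depth += -1 if segment == ".." else 1
        if depth < 0:  # a ".." climbed above the web root
            reasons.append("traversal")
            break
    if path.startswith("//"):  # slash run used in the advisory's examples
        reasons.append("slash-run")
    if re.sub(r"/+", "/", path).lower() == ADMIN_PAGE:
        reasons.append("admin-page")
    return reasons


def scan(lines):
    """Return (line_index, target, reasons) for every suspicious request."""
    hits = []
    for index, line in enumerate(lines):
        match = REQUEST_RE.search(line)
        if match and (reasons := classify(match.group(1))):
            hits.append((index, match.group(1), reasons))
    return hits


# Constructed sample log lines (documentation addresses, invented benign paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Dec/2003:04:48:20 +0000] "GET /index.dhtml HTTP/1.0" 200 512',
    '192.0.2.77 - - [22/Dec/2003:04:49:01 +0000] "GET ////../../data/config/microsrv.cfg HTTP/1.0" 200 2048',
    '192.0.2.77 - - [22/Dec/2003:04:49:05 +0000] "GET /srvadmin/usersecure.dhtml HTTP/1.0" 200 4096',
    '192.0.2.10 - - [22/Dec/2003:04:50:00 +0000] "GET /images/../index.dhtml HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for index, target, reasons in scan(SAMPLE_LOG):
        print(index, target, ",".join(reasons))
```

A ".." that stays inside the web root, as in the last sample line, is not flagged; only paths whose depth goes negative are reported as traversal.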

References:

Secunia Advisory ID: 10473
Other Advisory URL: http://www.security-corporation.com/articles-20031220-000.html
Other Advisory URL: http://www.securitytracker.com/alerts/2003/Dec/1008523.html