NeroNet1202.txt

Date: 03 Nov 2005  
Reported by: Luigi Auriemma  
Type: packetstorm  
Source: packetstormsecurity.com

NeroNET web server with a limited directory traversal bug allowing remote exploitation. No fix from the vendor.

Code
`  
#######################################################################  
  
Luigi Auriemma  
  
Application: NeroNET  
http://www.nero.com  
Versions: <= 1.2.0.2  
Platforms: Windows  
Bug: limited directory traversal  
Exploitation: remote  
Date: 02 Nov 2005  
Author: Luigi Auriemma  
e-mail: [email protected]  
web: http://aluigi.altervista.org  
  
  
#######################################################################  
  
  
1) Introduction  
2) Bug  
3) The Code  
4) Fix  
  
  
#######################################################################  
  
===============  
1) Introduction  
===============  
  
  
NeroNET is a web server which allows Nero users to use a CD/DVD burner  
remotely.  
  
  
#######################################################################  
  
======  
2) Bug  
======  
  
  
The program is affected by a classic directory traversal bug which  
can be exploited by anyone, since the directories used as the base for  
the attack (www and status) are public and do NOT require authorization.  
Both slash and backslash, and their HTTP-encoded forms, are  
allowed.  
The limitation of this bug is that only some file extensions are  
allowed:  
  
nri, nrg, zip, dvi, rtf, ppt, pdf, mpe, mpeg, mpg, mov, qt, vob, avi,  
wav, mp3, bmp, tiff, tif, jpe, jpeg, jpg, gif, log, txt, sdp, css,  
js, html, htm  
  
The check made by NeroNET is only on the beginning of the extension so  
JSP or JSWHATYOUWANT are allowed extensions since JS is in the list.  
  
  
#######################################################################  
  
===========  
3) The Code  
===========  
  
  
http://host/www/..%2f..%5c../..../folder/file.txt  
  
  
#######################################################################  
  
======  
4) Fix  
======  
  
  
No fix.  
No reply from the vendor.  
  
  
#######################################################################  
  
  
---   
Luigi Auriemma   
http://aluigi.altervista.org   
`
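The two weaknesses described in section 2 (separators accepted in raw and encoded form, and an extension check that compares only the start of the extension) can be contrasted with a stricter validator. This is an added example, not code from the advisory or from NeroNET; the function names and the assumption that `www` or `status` is the first path segment are hypothetical.

```python
from urllib.parse import unquote

# Extension list copied from section 2 of the advisory.
ALLOWED = set(("nri nrg zip dvi rtf ppt pdf mpe mpeg mpg mov qt vob avi wav mp3 bmp "
               "tiff tif jpe jpeg jpg gif log txt sdp css js html htm").split())
PUBLIC_DIRS = ("www", "status")  # the unauthenticated directories the advisory names


def ext_of(name):
    """Text after the last dot, lower-cased; empty string if there is no dot."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def prefix_check(name):
    """Model of the flawed check: only the start of the extension is compared."""
    ext = ext_of(name)
    return any(ext.startswith(allowed) for allowed in ALLOWED)


def exact_check(name):
    """Hardened check: the whole extension must be on the list."""
    return ext_of(name) in ALLOWED


def validate_request_path(url_path):
    """Return a clean relative path, or None if the request must be refused."""
    # Decode once, then treat backslash like slash so both separators are covered.
    decoded = unquote(url_path).replace("\\", "/")
    if "\x00" in decoded or ":" in decoded:  # NUL bytes, drive letters, ADS names
        return None
    parts = [p for p in decoded.split("/") if p not in ("", ".")]
    if not parts or parts[0] not in PUBLIC_DIRS:
        return None
    # Refuse any segment made only of dots ("..", "....") instead of normalising.
    if any(set(p) == {"."} for p in parts):
        return None
    if not exact_check(parts[-1]):
        return None
    return "/".join(parts)


if __name__ == "__main__":
    # Request path from section 3 of the advisory, plus constructed samples.
    for sample in ("/www/..%2f..%5c../..../folder/file.txt",
                   "/www/index.html", "/status/report.jsp"):
        print(sample, "->", validate_request_path(sample))
    print("prefix_check('x.jsp'):", prefix_check("x.jsp"),
          "| exact_check('x.jsp'):", exact_check("x.jsp"))
```

A server applying this would still need to join the returned path to its document root and confirm the canonical result stays inside that root before opening the file.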


Vulners AI Score: 7.4 (High risk)