Trend Micro Control Manager importFile directory traversal

2017-09-25T00:00:00
ID SAINT:132167EB4CD187F39AA4C159D7128B2F
Type saint
Reporter SAINT Corporation
Modified 2017-09-25T00:00:00

Description

Added: 09/25/2017
BID: 96131

Background

Trend Micro Control Manager streamlines administration of Trend Micro security solutions.

Problem

A directory traversal vulnerability in the **importFile.php** script allows remote attackers to upload files containing arbitrary PHP code under the document root. The uploaded files can then be executed by sending an HTTP GET request.
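
One way to hunt for the sequence described above in web server access logs, as an added example that is not part of the SAINT advisory or of Trend Micro's code: it flags a POST to importFile.php followed by a GET for a PHP script not requested before, from the same client, and any traversal sequence in a request to importFile.php. The log lines, paths, the `x` parameter and the ten-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (common log format). Addresses, paths and the
# "x" query parameter are made up for illustration, not taken from the product.
SAMPLE_LOG = """\
198.51.100.7 - - [25/Sep/2017:10:00:01 +0000] "GET /app/index.php HTTP/1.1" 200 512
198.51.100.7 - - [25/Sep/2017:10:00:05 +0000] "POST /app/widget/importFile.php HTTP/1.1" 200 87
198.51.100.7 - - [25/Sep/2017:10:00:09 +0000] "GET /app/x9.php HTTP/1.1" 200 12
203.0.113.20 - - [25/Sep/2017:10:01:00 +0000] "GET /app/index.php HTTP/1.1" 200 512
203.0.113.20 - - [25/Sep/2017:10:02:00 +0000] "POST /app/widget/importFile.php?x=..%2f..%2f HTTP/1.1" 200 87
203.0.113.20 - - [25/Sep/2017:11:30:00 +0000] "GET /app/index.php HTTP/1.1" 200 512
"""

LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def find_suspects(log_text, window=timedelta(minutes=10)):
    """Return (rule, client, detail) tuples in log order."""
    seen_scripts = set()  # PHP paths already requested: the baseline
    uploads = {}          # client -> time of its last POST to importFile.php
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, ts, method, target, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path = urlsplit(target).path
        if path.lower().endswith("/importfile.php"):
            # Decode twice so double-encoded "../" is caught as well.
            if ".." in unquote(unquote(target)):
                findings.append(("traversal-in-request", client, target))
            if method == "POST":
                uploads[client] = when
            continue
        if method == "GET" and path.lower().endswith(".php") and status == "200":
            last = uploads.get(client)
            # A script nobody requested before, served shortly after an upload.
            if path not in seen_scripts and last is not None and when - last <= window:
                findings.append(("new-script-after-upload", client, path))
            seen_scripts.add(path)
    return findings

if __name__ == "__main__":
    for finding in find_suspects(SAMPLE_LOG):
        print(finding)
```

Access logs normally omit POST bodies, so a traversal carried in the uploaded file name is visible only through the second rule; for a real hunt, build the baseline of known scripts from logs that predate the period under review.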

Resolution

Upgrade to Control Manager version 6.0 build 3506 or higher.

References

<https://success.trendmicro.com/solution/1116624>
<http://www.zerodayinitiative.com/advisories/ZDI-17-060/>