CVE-2014-2232 - "Absolute Path Traversal" (CWE-36) vulnerability in "infoware MapSuite"

2014-06-14T00:00:00
ID SECURITYVULNS:DOC:30845
Type securityvulns
Reporter Securityvulns
Modified 2014-06-14T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2014-2232

"Absolute Path Traversal" (CWE-36) vulnerability in "infoware MapSuite"

Vendor

infoware GmbH

Product

MapSuite

Affected versions

This vulnerability affects versions of MapSuite MapAPI prior to 1.0.36 and 1.1.49

Fixed versions

MapSuite MapAPI 1.0.36 and 1.1.49. Both patches have been available since 2014-03-26.

Reported by

This issue was reported to the vendor by Christian Schneider (@cschneider4711) following a responsible disclosure process.

Severity

Critical

Exploitability

No authentication required

Description

It is possible to traverse the server's filesystem (including listing of directory contents) and read files from the server's filesystem using a specially crafted URL to access the MapAPI. This enables attackers to get hold of sensitive files from the server containing passwords, configuration, source code, etc.
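The defect class named above (CWE-36, absolute path traversal) typically arises when a request parameter is joined onto a data directory without canonicalising the result and testing that it still lies inside that directory. The following Python example is added here for illustration; it is not code from the advisory, from infoware, or from MapAPI, and the base directory and request values are constructed. It contrasts a weak handler that only filters `..` (and so lets an absolute request replace the base directory, because `os.path.join` discards everything before an absolute component) with a handler that resolves the path and checks containment.

```python
import os
from pathlib import Path

# Constructed example base directory; it does not need to exist, because
# Path.resolve() canonicalises non-existent paths as well.
MAP_DATA_DIR = "/var/www/mapsuite/maps"


class PathTraversalError(ValueError):
    """Raised when a request would escape the configured data directory."""


def naive_join(base_dir: str, requested: str) -> str:
    """Illustrative weak handling: filter '..' and hand the rest to os.path.join.

    os.path.join drops every preceding component as soon as a later one is
    absolute, so an absolute request replaces base_dir entirely (CWE-36).
    """
    if ".." in requested:
        raise PathTraversalError("relative traversal rejected")
    return os.path.join(base_dir, requested)


def resolve_under_base(base_dir: str, requested: str) -> str:
    """Return the canonical path for `requested`, or raise if it leaves base_dir.

    The check is applied to the exact string the file API will see (i.e. after
    any URL decoding) and to the canonicalised result rather than the raw
    input, so '..' segments, absolute paths and symlinks are all resolved
    before the containment test.
    """
    if "\x00" in requested:
        raise PathTraversalError("NUL byte in path")
    # Reject absolute requests up front: POSIX root, UNC-style, or drive letters.
    if requested.startswith(("/", "\\")) or (len(requested) > 1 and requested[1] == ":"):
        raise PathTraversalError("absolute path rejected: %r" % requested)
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    # Containment test: the canonical candidate must sit strictly below the canonical base.
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathTraversalError("path escapes data directory: %r" % requested) from None
    if candidate == base:
        raise PathTraversalError("no file requested")
    return str(candidate)


if __name__ == "__main__":
    for req in ("tiles/1/0/0.png", "../../../etc/passwd", "/etc/passwd"):
        try:
            print(req, "->", resolve_under_base(MAP_DATA_DIR, req))
        except PathTraversalError as exc:
            print(req, "-> rejected:", exc)
```

A file-serving endpoint should additionally verify that the resolved target is a regular file before opening it, so that a request naming a directory cannot turn into the directory listing the advisory describes.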

Proof of concept

Due to the responsible disclosure process chosen and to not harm unpatched systems, no concrete exploit code will be presented in this advisory.

Migration

MapSuite MapAPI 1.0.x users should upgrade to 1.0.36 or later as soon as possible. MapSuite MapAPI 1.1.x users should upgrade to 1.1.49 or later as soon as possible.

See also

CVE-2014-2233 as another vulnerability in the same module, which can be exploited as a Server-Side Request Forgery (SSRF) via the same input parameter.

Timeline

2014-02-20 Vulnerability discovered
2014-02-20 Vulnerability responsibly reported to vendor
2014-02-21 Reply from vendor acknowledging report
2014-02-26 Reply from vendor with first patch (version 1.0.34 and 1.1.47)
meanwhile  Testing of the patch by the reporting researcher (Christian Schneider)
2014-03-20 Reported to vendor that first patch could be bypassed
meanwhile  Conversation about fix strategies between vendor and reporting researcher
2014-03-26 Reply from vendor with updated patch (version 1.0.36 and 1.1.49)
meanwhile  Verification of the patch by reporting researcher + vendor informed customers
2014-06-01 Advisory published in coordination with vendor via BugTraq

References

http://www.christian-schneider.net/advisories/CVE-2014-2232.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAlOLV7gACgkQXYAsOfddvFPjfQCgmcCuON9Ny7IbKQl4bmNFM5UP
4o4Anjrmi/9k+5W4tEyopZnRFqfqF2kX
=UDUk
-----END PGP SIGNATURE-----