Ecava IntegraXor Project Directory Information Disclosure Vulnerability

2013-12-15T00:00:00
ID ZDI-13-277
Type zdi
Reporter Alphazorx aka technically.screwed
Modified 2013-06-22T00:00:00

Description

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Ecava IntegraXor. Authentication is not required to exploit this vulnerability. The specific flaw is that credentials are stored in cleartext. The issue lies in the ability to bypass file access restrictions, which can be combined with the backup files that are created automatically whenever changes are made to a project. By abusing this flaw, an attacker can disclose credentials and possibly leverage this to achieve remote code execution.