GE MDS PulseNET FileDownloadServlet Directory Traversal Information Disclosure And Deletion Vulnerability

ID ZDI-15-439
Type zdi
Reporter Andrea Micalizzi (rgod)
Modified 2015-11-09T00:00:00


This vulnerability allows remote attackers to read and delete arbitrary files on vulnerable installations of GE MDS PulseNET. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the FileDownloadServlet. By specifying a filename including directory traversal, an attacker can read and then delete an arbitrary file on the system. The read and subsequent deletion will be performed under the context of SYSTEM.