[Full-Disclosure] The WebConnect 6.4.4 and 6.5 contains several vulnerabilities
- To: "'Full-Disclosure@Lists. Netsys. Com'" <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: [Full-Disclosure] The WebConnect 6.4.4 and 6.5 contains several vulnerabilities
- From: "CIRT Advisory" <advisory@xxxxxxx>
- Date: Sun, 20 Feb 2005 23:08:52 +0100
> WebConnect 6.4.4 and 6.5 contain several vulnerabilities, such as:
> - Denial of Service when requesting a DOS device in the path name
> - Reading of files outside the webroot (directory traversal)
>
> Requesting a "DOS device in path name" Denial of Service
> When a DOS device is requested in the URL, the server stops responding
> to any further requests until the service has been manually restarted.
> This attack can be performed on both the client website and the
> administration interface.
>
> Vulnerable versions:
> - WebConnect 6.4.4 (possibly previous versions)
> - WebConnect 6.5
>
> CERT response:
> - VU#552561 CAN-2004-0466
>
>
> Reading of files outside webroot (Directory traversal)
> When sending a specially crafted request to the server, it is possible to
> read files outside the webroot. Since the service runs with system
> rights by default, this could give access to the entire partition that
> WebConnect is installed on.
>
> Vulnerable versions:
> - WebConnect 6.4.4 (possibly previous versions)
>
> CERT response:
> - VU#628411 CAN-2004-0465
>
> Read the full advisory for both the vulnerabilities at:
> http://www.cirt.dk/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
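The two issue classes in the advisory above (a reserved DOS device name inside a request path, and a request path that escapes the webroot) are both caught by the same kind of input check. The following is an added example, not code from WebConnect or from CIRT: a request-path validator that rejects reserved device names, traversal segments, double-encoding and drive/stream colons, a resolver that maps an accepted path under the webroot, and a screener that runs the same check over access-log lines. The log lines and the webroot path are constructed for the example; the reason strings, function names and the log format are assumptions of this code.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Windows reserved device names, matched case-insensitively. A name such as
# "nul.txt" or "aux " still opens the device, so only the stem before the
# first dot (with trailing spaces stripped) is compared.
RESERVED_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{kind}{n}" for kind in ("COM", "LPT") for n in range(1, 10)
}


def is_reserved_device_name(segment: str) -> bool:
    """True if a single path segment names a DOS device."""
    stem = segment.split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED_DEVICE_NAMES


def check_request_path(url_path: str) -> Optional[str]:
    """Return a rejection reason, or None when the path is acceptable.

    Reason strings are this example's own convention (assumption).
    """
    decoded = unquote(url_path)
    if unquote(decoded) != decoded:
        return "double-encoding"      # refuse rather than guess how many layers
    if "\x00" in decoded:
        return "null-byte"
    decoded = decoded.replace("\\", "/")   # treat backslash as a separator
    if not decoded.startswith("/"):
        return "not-absolute"
    for seg in decoded.split("/"):
        if seg == "..":
            return "traversal"
        if ":" in seg:
            return "drive-or-stream"       # C:, or NTFS alternate data stream
        if seg and is_reserved_device_name(seg):
            return "device-name"
    return None


def resolve_under_webroot(url_path: str, webroot: str) -> Optional[str]:
    """Map url_path onto webroot; None if rejected or if it escapes webroot."""
    if check_request_path(url_path) is not None:
        return None
    decoded = unquote(url_path).replace("\\", "/")
    root = posixpath.normpath(webroot)
    target = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Belt and braces: the normalised target must still sit at or below root.
    if target != root and not target.startswith(root + "/"):
        return None
    return target


# Common-log-format request line, e.g. "GET /index.html HTTP/1.0" (assumed format).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d"')


def screen_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every request line that fails the check."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]   # ignore the query string
        reason = check_request_path(path)
        if reason:
            hits.append((path, reason))
    return hits


# Constructed sample lines for the example; not real WebConnect output.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Feb/2005:23:08:52 +0100] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.5 - - [20/Feb/2005:23:08:53 +0100] "GET /images/aux HTTP/1.0" 500 0',
    '10.0.0.5 - - [20/Feb/2005:23:08:54 +0100] "GET /..%5C..%5Cconfig.txt HTTP/1.0" 200 300',
    '10.0.0.5 - - [20/Feb/2005:23:08:55 +0100] "GET /docs/com1.txt HTTP/1.0" 500 0',
]

if __name__ == "__main__":
    for path, reason in screen_log(SAMPLE_LOG):
        print(f"{reason:16} {path}")
    print(resolve_under_webroot("/docs/readme.txt", "/srv/webconnect/htdocs"))
```

Rejecting on the decoded, separator-normalised path (rather than on the raw URL) is what makes the device-name and traversal checks agree with how the file system will later interpret the name; the final prefix test in `resolve_under_webroot` is a second, independent guard in case the segment check is ever relaxed.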