
[Full-Disclosure] The WebConnect 6.4.4 and 6.5 contains several vulnerabilities



> WebConnect 6.4.4 and 6.5 contain several vulnerabilities such as:
>  - Denial of Service when requesting a DOS Device in Path Name
>  - Reading of files outside webroot (Directory traversal)
> 
> Requesting "DOS Device in Path Name" Denial of Service
> When requesting a DOS device in the URL the server will stop responding
> to any further requests before a manual restart of service has been made.
> This attack can be performed on both the client website and the
> administration interface.
> 
> Vulnerable versions: 
>  - WebConnect 6.4.4 (Possible previous versions) 
>  - WebConnect 6.5 
>  
> CERT response: 
>  - VU#552561 CAN-2004-0466 
> 
>  
> Reading of files outside webroot (Directory traversal) 
> When sending a specially crafted request to the server it is possible to
> read files outside the webroot. Since the service by default runs with
> system rights, this could give access to the entire partition that
> WebConnect is installed on.
> 
> Vulnerable versions:
>  - WebConnect 6.4.4 (Possible previous versions) 
> 
> CERT response: 
>  - VU#628411 CAN-2004-0465
>  
> Read the full advisory for both the vulnerabilities at:
> http://www.cirt.dk/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
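
The advisory names two input classes, DOS device names in the path and traversal outside the webroot, without giving request details. As an added example (not part of the advisory and not WebConnect code), the following sketches a server-side check that rejects both classes before a URL path is mapped to a file; the function names and sample paths are hypothetical.

```python
from urllib.parse import unquote

# Reserved DOS device names on Windows, matched case-insensitively.
DOS_DEVICES = {"CON", "PRN", "AUX", "NUL", "CLOCK$"} | {
    f"{p}{n}" for p in ("COM", "LPT") for n in range(1, 10)
}


def is_dos_device(segment):
    # Windows ignores trailing dots/spaces, an extension and a trailing
    # colon, so "aux.txt", "NUL " and "con:" still name the device.
    base = segment.rstrip(". ").split(".")[0].split(":")[0].rstrip(" ")
    return base.upper() in DOS_DEVICES


def check_request_path(raw_path):
    """Return (ok, reason) for a URL path before it is mapped to a file."""
    path = raw_path
    for _ in range(3):  # undo up to three layers of percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    if unquote(path) != path:
        return False, "excessive encoding"
    if "\x00" in path:
        return False, "NUL byte"
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg.rstrip(". ") == "":  # "..", and "..." / ".. " to be safe
            depth -= 1
            if depth < 0:
                return False, "traversal outside webroot"
        elif is_dos_device(seg):
            return False, "DOS device name"
        else:
            depth += 1
    return True, "ok"
```

A check like this complements, and does not replace, running the service under an account with rights limited to the webroot.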