OCS Inventory NG - Directory Traversal May 30 2009
_______________________________________________________________________________
* Product
Open Computer and Software (OCS) Inventory NG
* Vulnerable Versions
OCS Inventory NG 1.02 (Unix)
* Vendor Status
Vendor has been notified and the vulnerability has been fixed.
* Details
The Open Computer and Software (OCS) Inventory Next Generation (NG) provides
relevant inventory information about system configurations and software on
the network. The server can be managed using a web interface.
It is possible for unauthenticated malicious users to extreact arbitrary
files from the hosting system.
The cause of this vulnerability lies in the lack of secure file access and the
fact that this can be done unauthenticated.
cvs.php:
} elseif (isset($_GET['log'])){
if (file_exists($_GET['rep'].$_GET['log'])){
$tab = file($_GET['rep'].$_GET['log']);
while(list($cle,$val) = each($tab)) {
$toBeWritten .= $val."\r\n";
}
$filename=$_GET['log'];
}
}
* Impact
Attackers may be able to read arbitrary files containing sensitive
information from the hosting system.
* Exploit
The vulnerability can be exploited by just using a web browser:
http://example.org/ocsreports/cvs.php?log=/etc/passwd
_______________________________________________________________________________
Nico Leidecker - http://www.leidecker.info
