| VID |
22458 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The BitDefender Update Server is vulnerable to a directory traversal vulnerability. BitDefender Update Server is used for centralized updates of BitDefender products including Security for Fileservers and Enterprise Manager (BDEM) on a local network. BitDefender Update Server version 2.5.0.0 and possibly other versions could allow a remote attacker to traverse directories on the system. If the BitDefender HTTP Server is used for update publication, by sending a specially-crafted URL request to the BitDefender HTTP Server (http.exe) containing "dot dot" sequences (/../), an attacker could traverse directories and read arbitrary files on the affected system.
* References:
http://kb.bitdefender.com/KB421-en--Release-patch-for-Enterprise-Manager.html
http://www.securityfocus.com/archive/1/486701/30/0/threaded
http://oliver.greyhat.de/2008/01/19/bitdefender-unauthorized-remote-file-access-vulnerability/
http://www.frsirt.com/english/advisories/2008/0213
http://secunia.com/advisories/28578
* Platforms Affected:
SOFTWIN, BitDefender Update Server version 2.5.0.0 and possibly other versions
Microsoft Windows Any version |
| Recommendation |
Apply the appropriate patch, as listed in vendor security advisory at http://kb.bitdefender.com/KB421-en--Release-patch-for-Enterprise-Manager.html |
| Related URL |
CVE-2008-0396 (CVE) |
| Related URL |
27358 (SecurityFocus) |
| Related URL |
39802 (ISS) |
|
