Info

Disclosure

Apr 26, 2012

Discovery

Mar 08, 2012

Dates

Exploit

Unknown

Solution

Unknown

Description

ACTi Web Configurator contains a flaw related to the cgi-bin directory, that allows a remote attacker to traverse outside of a restricted path. The issue is due to the program not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../). This directory traversal attack would allow the attacker to read arbitrary files.

Classification

Location: Remote / Network Access
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Solution: Upgrade
Exploit: Exploit Private
Disclosure: Uncoordinated Disclosure
OSVDB: Web Related

Solution

Upgrade to latest firmware release as of 201204-26 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

ACTi Corporation

ACTi Web Configurator

3.0

References

Packet Storm: http://packetstormsecurity.org/files/112229/ACTi-Web-Configurator-cgi-bin-Directory-Traversal.html
Mail List Post: http://seclists.org/bugtraq/2012/Apr/208
Vendor URL: http://www.acti.com/home/index.asp

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/81569