PT-2013-3286 · Advantech+1 · Advantech Studio+2

Publicado

2013-03-11

Atualizado

2013-03-18

CVE-2013-1627

CVSS v2.0

7.8

Alta

Vetor

AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions Indusoft Studio versions 7.0 and earlier Advantech Studio versions 7.0 and earlier

Description The issue allows remote attackers to read arbitrary files by providing a full pathname in an argument to the sub 401A90 CreateFileW function, due to an absolute path traversal vulnerability in NTWebServer.exe.

Recommendations For Indusoft Studio versions 7.0 and earlier, consider restricting access to the NTWebServer.exe until a patch is available. For Advantech Studio versions 7.0 and earlier, avoid using the sub 401A90 CreateFileW function with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Path traversal

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-22

Identificadores relacionados

CVE-2013-1627

Produtos afetados

Advantech Studio

Indusoft Studio

Ntwebserver.Exe

PT-2013-3286 · Advantech+1 · Advantech Studio+2

CVE-2013-1627

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 3