PT-2001-1756 · Screamingmedia · Siteware

Published: 2001-07-27 · Updated: 2017-07-11 · CVE-2001-0555

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: ScreamingMedia SITEWare versions 2.5 through 3.1
Description: The issue allows a remote attacker to read world-readable files via a .. (dot dot) attack. This can be achieved through two methods: (1) the SITEWare Editor's Desktop or (2) the template parameter in the "SWEditServlet" endpoint.
Recommendations: For versions 2.5 through 3.1, consider restricting access to the SWEditServlet endpoint and the SITEWare Editor's Desktop to minimize the risk of exploitation. As a temporary workaround, avoid using the template parameter in the SWEditServlet endpoint until the issue is resolved.


Related Identifiers

CVE-2001-0555

Affected Products

Siteware