PT-2012-5692 · Novell · Novell File Reporter

Juan Vazquez

Published

2012-11-18

Updated

2012-11-19

CVE-2012-4959

CVSS v2.0

High

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Novell File Reporter version 1.0.2

Description A directory traversal issue exists, allowing remote attackers to upload and execute files. This is achieved by sending a request with a .. (dot dot) in a FILE element of an FSFUI record, specifically via a "130 /FSF/CMD" request.

Recommendations For Novell File Reporter version 1.0.2, consider restricting access to the NFRAgent.exe to minimize the risk of exploitation until a patch is available. Avoid using the FILE element in FSFUI records with dot dot (..) notation in the affected API endpoint until the issue is resolved.

Exploit

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2012-4959

Affected Products

Novell File Reporter

PT-2012-5692 · Novell · Novell File Reporter

CVE-2012-4959

Weakness Enumeration

Related Identifiers

Affected Products

References · 6