PT-2013-3286 · Advantech+1 · Advantech Studio+2

Published

2013-03-11

Updated

2013-03-18

CVE-2013-1627

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions Indusoft Studio versions 7.0 and earlier Advantech Studio versions 7.0 and earlier

Description The issue allows remote attackers to read arbitrary files by providing a full pathname in an argument to the sub 401A90 CreateFileW function, due to an absolute path traversal vulnerability in NTWebServer.exe.

Recommendations For Indusoft Studio versions 7.0 and earlier, consider restricting access to the NTWebServer.exe until a patch is available. For Advantech Studio versions 7.0 and earlier, avoid using the sub 401A90 CreateFileW function with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2013-1627

Affected Products

Advantech Studio

Indusoft Studio

Ntwebserver.Exe

PT-2013-3286 · Advantech+1 · Advantech Studio+2

CVE-2013-1627

Weakness Enumeration

Related Identifiers

Affected Products

References · 3