PT-2015-7035 · Mikael Rogers · Geddy
Phanect
·
Published
2015-09-04
·
Updated
2017-10-24
·
CVE-2015-5688
CVSS v2.0
5.0
Medium
| Vector | AV:N/AC:L/Au:N/C:P/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Geddy versions prior to 13.0.8
Description
A directory traversal issue allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the PATH INFO to the default URI. This can be exploited by sending a specially crafted request to the server, potentially allowing access to sensitive files. For example, an attacker could use a URL like "http://localhost:4000/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd" to attempt to read the /etc/passwd file.
Recommendations
Update Geddy to version 13.0.8 or later to resolve the issue.
Exploit
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Geddy