VM Turbo Operations Manager version 4.5.x suffers from a directory traversal vulnerability.
6867fe8f56ce9106aae72c2e15cb5ae941497b017368ba4f683eb31f8d8d2f21Product: VM Turbo Operations Manager
Vendor: VM Turbo
Vulnerable Version(s): 4.5.x earlier
Tested Version: 4.0
Advisory Publication: April 11, 2014
Vendor Notification: April 11, 2014
Public Disclosure: May 8, 2014
Vulnerability Type: Directory Traversal
Discovered and Provided: (Jamal Pecou) Security Focus ( https://www.securityfocus.com/ )
------------------------------------------------------------------------
-----------------------
Advisory Details:
A vulnerability affecting “/cgi-bin/help/doIt.cgi" in VM Turbo Operations Manager allows directory traversal when the URL encoded POST input “xml_path” was set to “../../../../../../../../../../etc/passwd” we could see the contents of this file.
The following exploitation example displays the contents of /etc/passwd
https://[host]/cgi-bin/help/doIt.cgi?FUNC=load_xml_file&xml_path=../../../../../../../../../../etc/passwd
------------------------------------------------------------------------
-----------------------
Solution:
The vendor has released a fix for this vulnerability in version 4.6.
References:
[1] https://support.vmturbo.com/hc/en-us/articles/203170127-VMTurbo-Operations-Manager-v4-6-Announcement
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed