[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE-2013-5216 CapaSystems Performance Guard Path Traversal Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: CVE-2013-5216 CapaSystems Performance Guard Path Traversal Vulnerability
From: kerem.kocaer@xxxxxxxxx
Date: Thu, 29 Aug 2013 13:30:01 GMT

Application    Performance Guard
Vendor         CapaSystems
Link           http://www.capasystems.com/it-performance-monitorin

Discovered by  Kerem Kocaer <kerem.kocaer(at)gmail(dot)com>

Problem
-------
Path traversal vulnerability in the "download logs" section allows remote 
attackers to read 
arbitrary files by intercepting and modifying the file path in an HTTP request 
to "uploadreader.jsp".

The vulnerability is confirmed to exist in version 6.1.27. Other versions may 
also be vulnerable.

Exploit
-------
This issue can be exploited with a web browser and a proxy tool to intercept 
and modify parameters 
sent to: http://[address]/logreader/uploadreader.jsp

Fix
---
The vendor has reported fixing the problem in version 6.2.102.
Bug Fix PG-8050 (http://capawiki.capasystems.com/display/pgdoc/PG+6.2.102)


Timeline
--------
2013-05-16      Provided details to CapaSystems
2013-06-07      Performance Guard version 6.2.102 released (with Bug fix 
PG-8050)


Reference
---------
CVE Number: CVE-2013-5216

Prev by Date: CyberArk User Enumeration - Multiple vulnerabilities
Next by Date: [SECURITY] [DSA 2746-1] icedove security update
Previous by thread: CyberArk User Enumeration - Multiple vulnerabilities
Next by thread: [SECURITY] [DSA 2746-1] icedove security update
Index(es):
- Date
- Thread