http://xforce.iss.net/xforce/xfdb/10860
Instant ASP (iASP) "dot dot" directory traversal
iasp-dotdot-directory-traversal (10860) Medium Risk
Description:
Instant ASP (iASP) is a framework for deploying Active Server Pages (ASP), developed by Stryon. iASP versions 1.0.9 and earlier could allow a remote attacker to traverse directories on the Web server, caused by a vulnerability in the Remote Console Applet running on port 9095.
A remote attacker could send a specially-crafted URL containing "dot dot" sequences (../) to traverse directories and view any file on the system.
Platforms Affected:
Linux: Linux Any version
Microsoft Corporation: Windows Any version
Stryon: Instant ASP (iASP) 1.0.9 and earlier
Various: Unix Any version
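As an added illustration, not part of the X-Force entry or the vendor's code, of the defender-side checks a file-serving console such as the one described above needs: canonicalize the requested path under a fixed root before opening anything, and flag requests carrying "dot dot" sequences in access logs. The root directory, the log line format and the sample log lines below are assumed; only the port (9095) comes from the entry.

```python
# Added example: path canonicalization check plus a log scan for "dot dot"
# requests. Root, log format and log lines are constructed for illustration.
import os
import re
from urllib.parse import unquote

CONSOLE_PORT = 9095  # port named in the advisory; the log format is assumed

def resolve_under_root(root, requested):
    """Return the absolute file path for `requested` if it stays inside `root`,
    else None. The request is decoded first so %2e%2e or %2f cannot slip past
    the check, and backslashes count as separators (Windows is affected too)."""
    decoded = unquote(unquote(requested)).replace("\\", "/")
    root_abs = os.path.abspath(root)
    candidate = os.path.abspath(os.path.join(root_abs, decoded.lstrip("/")))
    # Compare against root plus a separator so "/srv/www2" is not mistaken
    # for something inside "/srv/www".
    if candidate == root_abs or candidate.startswith(root_abs + os.sep):
        return candidate
    return None

# Raw or percent-encoded "../" and "..\" sequences.
TRAVERSAL = re.compile(r"(\.\.[/\\]|%2e%2e(%2f|%5c|[/\\])|\.\.%2f)", re.IGNORECASE)
# Constructed log shape: "<client> <dst_port> <method> <path>"
LOG_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+)$")

SAMPLE_LOG = [  # constructed sample lines
    "10.0.0.5 9095 GET /../../../outside/secret.txt",
    "10.0.0.5 9095 GET /%2e%2e/%2e%2e/outside/secret.txt",
    "10.0.0.9 80 GET /../index.asp",      # not the console port, ignored
    "10.0.0.7 9095 GET /status.html",     # clean request
]

def flag_traversal_requests(log_lines, port=CONSOLE_PORT):
    """Return (client, path) pairs for requests to `port` whose path carries a
    traversal sequence either as sent or after URL decoding."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        client, dst_port, _method, path = m.groups()
        if int(dst_port) != port:
            continue
        if TRAVERSAL.search(path) or TRAVERSAL.search(unquote(path)):
            hits.append((client, path))
    return hits
```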
Remedy:
No remedy available as of December 2002.
Consequences:
Obtain Information
References:
BugTraq Mailing List, Thu Dec 12 2002 - 18:35:29 CST, Advisory Title: iASP Remote Console Applet Allows Remote at http://archives.neohapsis.com/archives/bugtraq/2002-12/0126.html.
iASP Web site, Stryon - Systems, Migration, Products, and Service at http://www.stryon.com/products.asp?s=1.
Standards associated with this entry:
BID-6394: Halcyon Software iASP File Disclosure Vulnerability
Reported:
Dec 12, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2004 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email
[email protected]
Halcyon internet security vulnerability:
http://www.securityfocus.com/bid/6394
Halcyon Software iASP File Disclosure Vulnerability
bugtraq id: 6394
object:
class: Input Validation Error
cve: CVE-MAP-NOMATCH
remote: Yes
local: No
published: Dec 13, 2002
updated: Dec 13, 2002
vulnerable: Halcyon Software iASP 1.0.9
http://www.securityfocus.com/archive/1/303281
Please see attached advisory.
_____________________________________________________________________
Fate Research Laboratories
Security Advisory
---------------------------------------------------------------------
Advisory Title: Remote Console Applet Allows Remote File Retrieval
Package: Instant ASP (iASP)
Vendor: Halcyon Software
Vendor Web Site:
http://www.stryon.com
Versions: <= (v1.0.9) (Latest: Unknown)
Advisory ID: F820021202:IASP
Issue Date: Tue 3 21:24:12 IST 2002
File(s): Remote Console Applet Running on Port 9095
Local: No
Remote: Yes
Vendor Contacted: Yes (8/12/2002)
Vulnerability Class: Access validation
Researcher: Alan "ph33r" Neville <ph33r fatelabs com>
Fate Web Site:
http://www.fatelabs.com
---------------------------------------------------------------------
Copyright (C) 1997-2002 Fate Research Laboratories.
_____________________________________________________________________