Security Advisories

September 6, 2011 - Reporter unauthenticated directory traversal

Security Advisories ID:    SA60
Version:    6.0
Status:    Published
Published date:    09/06/2011
Updated:    01/17/2012
 

Advisory Status

Final

Advisory Severity

High, CVSS v2 base score: 8.3 (AV:A/AC:L/Au:N/C:C/I:C/A:C)

CVE Number

No CVEs are associated with this vulnerability.

Summary

Reporter installed on a Windows server is vulnerable to an HTTP directory traversal attack. An unauthenticated user can browse the file system and read any file. Data from these files can be used by an attacker to gain complete control over the Reporter installation.

Affected Products

Versions 9.1, 9.2, and 9.3 of Reporter installed on a Windows server are vulnerable. Reporter 8.x is not vulnerable.

Details

When installed on a Windows server, Reporter does not enforce access control policies for web-based access to files on the local file system. Reporter running on Linux is not vulnerable to this attack.

An unauthenticated attacker who is able to connect to the Reporter installation is able to read any file. The attacker cannot modify or delete files via web access. However, the attacker can use the information in configuration files (credentials and other settings) to gain complete control of the Reporter installation.
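The bug class described above, as an added illustration that is not Reporter's code and does not show how Reporter itself handles requests: a naive Windows file-serving check that only rejects the POSIX "../" sequence, beside a canonicalization-based check that confines the resolved path to the web root. The document root (WEB_ROOT) and all request paths are constructed for the example; ntpath is used explicitly so the Windows path semantics are reproduced identically on any operating system.

```python
"""Illustration of the directory-traversal bug class in this advisory.
Example code written for this page; it is not Blue Coat Reporter's code.
WEB_ROOT and every request path below are constructed for the demonstration.
ntpath is used explicitly so Windows path semantics are reproduced on any OS."""
import ntpath
import urllib.parse
from typing import Optional

# Assumed document root of a Windows installation (constructed path).
WEB_ROOT = r"C:\Reporter\web"


def naive_is_safe(request_path: str) -> bool:
    """Denylist check that only looks for the POSIX '../' sequence.
    On Windows this misses backslash traversal ('..\\') and it misses
    URL-encoded separators, so it does not prevent the bug class."""
    return "../" not in request_path


def resolve_under_root(request_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Decode the request path once, join it to the web root with Windows
    path semantics, canonicalize, and return the absolute path only if it is
    still inside the root. Returns None for anything that escapes, including
    drive-absolute paths such as C:\\Windows\\win.ini, and for the root itself."""
    decoded = urllib.parse.unquote(request_path)
    # Windows accepts both separators; normalise to backslash and make the
    # request relative so a leading '/' cannot re-root the path.
    relative = decoded.replace("/", "\\").lstrip("\\")
    candidate = ntpath.normpath(ntpath.join(root, relative))
    root_norm = ntpath.normpath(root)
    # Case-insensitive prefix check (NTFS is case-insensitive) with a trailing
    # separator so that C:\Reporter\web2 is not accepted as under C:\Reporter\web.
    if not candidate.lower().startswith(root_norm.lower() + "\\"):
        return None
    return candidate


def audit(requests):
    """Return (request, naive verdict, canonical resolution) for each request."""
    return [(r, naive_is_safe(r), resolve_under_root(r)) for r in requests]


if __name__ == "__main__":
    # Constructed request paths: one legitimate, the rest traversal attempts.
    SAMPLE_REQUESTS = [
        "/reports/summary.html",
        "/../../Windows/win.ini",          # POSIX style, caught by both checks
        r"\..\..\Windows\win.ini",         # backslash style, naive check passes it
        "/..%5c..%5cWindows%5cwin.ini",    # URL-encoded backslashes
        "/..%2F..%2FWindows%2Fwin.ini",    # URL-encoded slashes
        "/../web2/secret.txt",             # sibling directory sharing the root prefix
        "C:\\Windows\\win.ini",            # drive-absolute path
    ]
    for req, naive, resolved in audit(SAMPLE_REQUESTS):
        print(f"{req!r:40} naive_ok={naive!s:5} resolved={resolved}")
```

Running the block shows the naive check accepting the backslash and URL-encoded variants that the canonical check rejects. The string-level check is necessary but not sufficient on a real server: it must operate on exactly the decoded path the server later opens, and a junction or symbolic link inside the web root still has to be resolved against the live file system (os.path.realpath) before the prefix comparison.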

When Reporter is deployed behind a firewall, as is recommended, an attacker must gain access from the internal network in order to mount an attack. The CVSS base scores included in this advisory are based on this deployment scenario.

If Reporter is deployed outside of the firewall, the CVSS base score would be higher: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).
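The two scores quoted above follow directly from the CVSS v2 base equation. As an added worked example that is not part of the advisory, the calculator below parses the two vector strings and reproduces 8.3 for the adjacent-network (behind-firewall) deployment and 10.0 for the network-exposed one; only the access-vector weight differs between them. The metric weights are the published CVSS v2 values.

```python
"""Added worked example: a CVSS v2 base-score calculator applied to the two
vectors this advisory quotes. Example code written for this page, not
Blue Coat's; it implements the public CVSS v2 base equation."""
import re

# CVSS v2 base-metric weights from the CVSS v2 specification.
_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}
_VECTOR_RE = re.compile(r"^\(?AV:[LAN]/AC:[HML]/Au:[MSN]/C:[NPC]/I:[NPC]/A:[NPC]\)?$")


def parse_vector(vector):
    """Parse 'AV:A/AC:L/Au:N/C:C/I:C/A:C' (optionally parenthesised) into a
    dict of metric -> weight. Raises ValueError on malformed input."""
    vector = vector.strip()
    if not _VECTOR_RE.match(vector):
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    metrics = {}
    for item in vector.strip("()").split("/"):
        name, value = item.split(":")
        metrics[name] = _WEIGHTS[name][value]
    return metrics


def base_score(vector):
    """CVSS v2 base equation:
    Impact         = 10.41 * (1 - (1-C)*(1-I)*(1-A))
    Exploitability = 20 * AV * AC * Au
    f(Impact)      = 0 if Impact == 0 else 1.176
    Base           = round(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact), 1)"""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    f_impact = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


if __name__ == "__main__":
    for label, vec in [("behind firewall (adjacent network)", "AV:A/AC:L/Au:N/C:C/I:C/A:C"),
                       ("exposed (network)", "AV:N/AC:L/Au:N/C:C/I:C/A:C")]:
        print(f"{label}: {vec} -> {base_score(vec)}")
```

With full confidentiality, integrity and availability impact, the impact sub-score is already at its maximum (about 10.0), so the deployment scenario only moves the exploitability term: 6.46 for AV:A against 10.0 for AV:N, which is the whole difference between 8.3 and 10.0.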

Workarounds

Blue Coat recommends that Reporter be deployed behind a firewall. Restricting the source IP addresses that are permitted to connect to Reporter further limits the ability to attack a Reporter installation. These measures reduce exposure but do not remove the flaw: any host that can still reach Reporter can exploit it without authenticating, so the patches below should be applied.

Patches

Reporter 9.3: A fix is available in 9.3.1.2. The fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/product/8793.

Reporter 9.2: A fix is available in 9.2.5.1. The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/4997. An interim fix is also available in patch release 9.2.4.13. The interim fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/patch/84188517921183988709862486268327.

Reporter 9.1: No fix is provided for 9.1. Please upgrade to a fixed release (9.2.5.1 or 9.3.1.2).

References

The vulnerability was discovered and reported to Blue Coat Systems by Alejandro Hernandez (nitr0us) of Chatsubo Labs. Blue Coat Systems appreciates the report.

OWASP description of the directory traversal vulnerability:  www.owasp.org/index.php/Path_Traversal

Advisory History

2012-01-17 Notification of maintenance release 9.2.5.1.  Changed status to final.

2011-10-04 Posted patch release availability for 9.2.

2011-09-26 Corrected version of 9.3 that has the fix in it.

2011-09-23 Indicated that 8.x versions of Reporter are not vulnerable.

2011-09-07 Indicated that a fix for 9.2 will be made available.

2011-09-06 Initial public release

