This vulnerability was submitted to BugTraq on November 5th, 2001 by "rudi carell" <firstname.lastname@example.org>.
Entrust GetAccess 1.0
Entrust GetAccess allows administration of individual user access rights and customer profiles on high-volume 'portal' websites.
The default shellscripts that are bundled with Entrust GetAccess do not sufficiently validate user-supplied input. A remote attacker can make a web request containing '../' sequences, null characters or shell metacharacters to access resources (such as web-readable files) outside of the wwwroot directory on a vulnerable host. The web request must contain certain parameters to be successful.
Sensitive information disclosed in arbitrary web-readable files may facilitate further "intelligent" attacks on the host.
This issue may be exploited with a web browser.
The vendor has patched the vulnerable scripts, and it should be applied by those users who wish to continuing using them. The patch can be found at: