CVE-2005-1930
CVSS 5.0
Published: 2005-12-14 15:07:00
Last revised: 2011-03-07 21:23:06

[Original] Directory traversal vulnerability in the Crystal Report component (rptserver.asp) in Trend Micro ServerProtect Management Console 5.58, as used in Control Manager 2.5 and 3.0 and Damage Cleanup Server 1.1, and possibly earlier versions, allows remote attackers to read arbitrary files via the IMAGE parameter.


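[CNNVD] Trend Micro ServerProtect RPTServer.ASP Directory Traversal Vulnerability (CNNVD-200512-248)

A directory traversal vulnerability exists in the Crystal Report component (rptserver.asp) in Trend Micro ServerProtect Management Console 5.58, as used in Control Manager 2.5 and 3.0 and Damage Cleanup Server 1.1, and possibly in earlier versions. Remote attackers can read arbitrary files via the IMAGE parameter.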

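- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions for exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]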

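- CPE (Affected Platforms and Products)

Product and version information (CPE) is not yet available

- OVAL (Technical Details for Detection)

No related OVAL definition found

- Official Database Links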

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1930
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1930
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-248
(Official data source) CNNVD

- Other Links and Resources

http://www.vupen.com/english/advisories/2005/2907
(UNKNOWN)  VUPEN  ADV-2005-2907
http://www.idefense.com/application/poi/display?id=352&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20051214 Trend Micro ServerProtect Crystal Reports ReportServer File Disclosure
http://www.securityfocus.com/bid/15867
(UNKNOWN)  BID  15867
http://www.osvdb.org/21770
(UNKNOWN)  OSVDB  21770
http://securitytracker.com/id?1015358
(UNKNOWN)  SECTRACK  1015358
http://securityreason.com/securityalert/258
(UNKNOWN)  SREASON  258
http://secunia.com/advisories/18038
(UNKNOWN)  SECUNIA  18038

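- Vulnerability Information

Trend Micro ServerProtect RPTServer.ASP Directory Traversal Vulnerability
Medium severity  Path traversal
2005-12-14 00:00:00 2005-12-14 00:00:00
Remote
A directory traversal vulnerability exists in the Crystal Report component (rptserver.asp) in Trend Micro ServerProtect Management Console 5.58, as used in Control Manager 2.5 and 3.0 and Damage Cleanup Server 1.1, and possibly in earlier versions. Remote attackers can read arbitrary files via the IMAGE parameter.

- Advisories and Patches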

        

- Vulnerability Information (F42308)

iDEFENSE Security Advisory 2005-12-14.2 (PacketStormID:F42308)
2005-12-15 00:00:00
iDefense Labs  idefense.com
advisory,remote,arbitrary,asp
CVE-2005-1930

iDEFENSE Security Advisory 12.14.05 - Remote exploitation of an input validation vulnerability in Trend Micro Inc.'s ServerProtect Management Console allows remote attackers to view the contents of arbitrary files on the underlying system. The problem specifically exists within the handling of the IMAGE parameter in the script rptserver.asp.

Trend Micro ServerProtect Crystal Reports ReportServer File Disclosure

iDefense Security Advisory 12.14.05
www.idefense.com/application/poi/display?id=352&type=vulnerabilities
December 14, 2005

I. BACKGROUND

Trend Micro Inc.'s ServerProtect provides antivirus scanning with
centralized management of virus outbreaks, scanning, pattern file
updates, notifications and remote installations. More information about
the product set is available at:

 www.trendmicro.com/en/products/file-server/sp/evaluate/overview.htm

II. DESCRIPTION

Remote exploitation of an input validation vulnerability in Trend Micro
Inc.'s ServerProtect Management Console allows remote attackers to view
the contents of arbitrary files on the underlying system.

The problem specifically exists within the handling of the IMAGE
parameter in the script rptserver.asp. The vulnerable area of code is
outlined in the following snippet:

 Set session("oEMF") = Server.CreateObject("CREmfgen.CREmfgen.2")
 Call ParseQS()
 if IMAGE <> "" then
  Call session("oEMF").StreamImage(IMAGE, DEL)
  Response.End
 end if

An attacker can utilize directory traversal modifiers to traverse
outside the system temporary directory and access any file on the same
volume.
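
A log-review check for the IMAGE handling described above, added here as an example; it is not part of the iDefense advisory or of Trend Micro's code. The temporary directory, the `/reports/` URL path, the W3C field order and the sample log lines are assumptions constructed for illustration.

```python
import ntpath
from urllib.parse import unquote

# Assumed directory that IMAGE names are meant to stay inside (hypothetical path).
TEMP_DIR = r"C:\WINDOWS\Temp"
MAX_DECODE_ROUNDS = 3  # peel nested percent-encoding such as %252e

def image_param(query):
    """Return the raw IMAGE value from a query string (name is case-insensitive)."""
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name.strip().lower() == "image":
            return value
    return None

def escapes_temp_dir(raw_value, base=TEMP_DIR):
    """True if the decoded value resolves outside `base` under Windows path rules."""
    value = raw_value.replace("+", " ")
    for _ in range(MAX_DECODE_ROUNDS):
        value = unquote(value)
    value = value.replace("/", "\\")
    # ntpath.join discards `base` when value is rooted or names a drive/UNC share.
    resolved = ntpath.normcase(ntpath.normpath(ntpath.join(base, value)))
    root = ntpath.normcase(ntpath.normpath(base))
    return not (resolved == root or resolved.startswith(root + "\\"))

def suspicious_requests(log_lines):
    """Yield (client_ip, IMAGE value) for rptserver.asp hits that leave TEMP_DIR."""
    for line in log_lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 6:
            continue
        # Assumed W3C field order: date time c-ip cs-method cs-uri-stem cs-uri-query
        c_ip, stem, query = fields[2], fields[4], fields[5]
        if not stem.lower().endswith("/rptserver.asp"):
            continue
        raw = image_param(query)
        if raw and escapes_temp_dir(raw):
            yield c_ip, raw

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2005-12-15 10:00:01 192.0.2.10 GET /reports/rptserver.asp IMAGE=crw_1a2b.emf 200",
    "2005-12-15 10:00:07 192.0.2.77 GET /reports/rptserver.asp IMAGE=..%5C..%5Creport.txt 200",
    "2005-12-15 10:00:09 192.0.2.77 GET /reports/RptServer.asp image=%252e%252e%252fx.txt 200",
    "2005-12-15 10:00:12 192.0.2.10 GET /reports/default.asp - 200",
]
```

The same containment test (resolve the name against the intended directory, then compare prefixes) is what a server-side check in front of the streaming call would need to enforce.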

III. ANALYSIS

Successful exploitation of the described vulnerability allows remote
attackers to view the contents of arbitrary files on the underlying
system. Exploitation does not require credentials thereby exacerbating
the impact of this vulnerability.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Trend
Micro ServerProtect for Windows Management Console 5.58 running with
Trend Micro Control Manager 2.5/3.0 and Trend Micro Damage Cleanup
Server 1.1. It is suspected that earlier versions and versions for other
platforms are vulnerable as well.

V. WORKAROUND

Employ firewalls, access control lists or other TCP/UDP restriction
mechanism to limit access to the vulnerable system on the configured
port, generally TCP port 80.

VI. VENDOR RESPONSE

"Trend Micro has become aware of a vulnerability related to Crystal
Report, a reporting component found in Trend Micro Control Manager (v2.5
and v3.0). Under certain conditions, arbitrary files on the
ReportServer volume inside Trend Micro Control Manager software could be
viewed or accessed remotely. Trend Micro is currently consulting with
Crystal Report regarding permanent solutions to this reporting
component. A temporary workaround solution can be recommended through
contacting Trend Micro customer and technical support."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-1930 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

06/03/2005 Initial vendor notification
06/06/2005 Initial vendor response
12/14/2005 Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

X. LEGAL NOTICES

Copyright     

- Vulnerability Information

21770
Trend Micro ServerProtect Crystal Report rptserver.asp Traversal Arbitrary File Access
Remote / Network Access Input Manipulation
Loss of Confidentiality
Exploit Unknown Vendor Verified

- Vulnerability Description

ServerProtect contains a flaw that allows a remote attacker to display the contents of files outside of the web path via the Crystal Reports ActiveX object. The issue is due to the rptserver.asp script not properly sanitizing user input, specifically traversal style attacks (../../) supplied via the 'IMAGE' variable.

- Timeline

2005-12-14 2005-06-03
Unknown 2005-07-11

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Trend Micro ServerProtect RPTServer.ASP Directory Traversal Vulnerability
Input Validation Error 15867
Yes No
2005-12-14 12:00:00 2005-12-14 12:00:00
The discoverer of this vulnerability wishes to remain anonymous. This issue was disclosed in the referenced iDEFENSE advisory.

- Affected Software Versions

Trend Micro ServerProtect for Windows 5.58

- Vulnerability Discussion

ServerProtect is prone to a directory traversal vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker can exploit this issue to retrieve arbitrary files in the context of the affected application. Information obtained may aid in further attacks against the underlying system; other attacks are also possible.

This issue has been confirmed in Trend Micro ServerProtect for Windows Management Console 5.58 running with Trend Micro Control Manager 2.5/3.0 and Trend Micro Damage Cleanup Server 1.1. Earlier versions and versions for other platforms may also be vulnerable.

- Exploit

No exploit is required.

- Solution

Users are advised to contact Trend Micro customer and technical support for details on a temporary workaround for this issue.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related References

 

 
