Full Disclosure mailing list archives
APC PowerChute Network Shutdown 2.21 is vulnerable to directory transversal
From: guiness.stout <guinness.stout () gmail com>
Date: Fri, 1 Jun 2007 13:21:02 -0400
Synopsis: APC PowerChute Network Shutdown 2.21 is vulnerable to directory transversal Background: APC PowerChute Network Shutdown is used to perform graceful shutdowns of network servers from one main server. Affected Versions: <= 2.21 build 116 Description: APC PowerChute Network Shutdown is vulnerable to a directory transversal by appending special characters such as %5c and %2e to the end of a URL. This is due to an existing vulnerability in Acme.Serve which is a Java HTTP server which PowerChute Network Shutdown is built on. Vendor Notified April 9th 2007 Vendor Response April 10th 2007 "A fix is being worked on for the next release." April 25th 2007 Spoke to vendor again, no ETA. May 3rd 2007 No ETA. June 1st 2007 No ETA. Reference: CVE-2001-0748 http://xforce.iss.net/xforce/xfdb/6634 http://www.securityfocus.com/bid/2809 http://www.apc.com/products/family/index.cfm?id=127 http://www.acme.com/java/software/Acme.Serve.Serve.html Chris Castaldo "An ounce of prevention is worth a pound of cure."
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- APC PowerChute Network Shutdown 2.21 is vulnerable to directory transversal guiness . stout (Jun 01)