VSAOD Server Unauthenticated Arbitrary File Overwrites
------------------------------------------------------------------------
SUMMARY
A vulnerability in the VSAOD Server allows unauthenticated remote
attackers to overwrite arbitrary files with the privileges of the SYSTEM
user.
DETAILS
Vulnerable Systems:
* Visionsoft Audit version 12.4.0.0
It is possible to set the log file name on the remote VSAOD server using
the following unauthenticated exchange:
client> LOG.<filename>
server> Logfile set to: <filename>
Impact:
Since the VSAOD server typically runs as SYSTEM, it is possible to
overwrite any file on the system. This can be used by an attacker to
write additional ASP into web pages, commands to a batch file, or to
corrupt files on the system.
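For defenders, the exchange above can be checked in captured session text. The following is an added example, not part of the original advisory or the vendor's code: it flags LOG. requests whose target resolves outside an expected log directory. The directory name, the .log extension policy and the sample transcript are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumption: directory where VSAOD logs legitimately live (placeholder path).
ALLOWED_LOG_DIR = r"C:\ExampleLogs\vsaod"

CLIENT_LOG = re.compile(r"^client>\s*LOG\.(?P<name>.+?)\s*$")
SERVER_ACK = re.compile(r"^server>\s*Logfile set to:\s*(?P<name>.+?)\s*$")

def is_inside_allowed_dir(filename, allowed_dir=ALLOWED_LOG_DIR):
    """True only if filename resolves to a .log file under allowed_dir."""
    # join() lets an absolute or UNC filename replace allowed_dir entirely;
    # normpath() folds "..", so traversal shows up as a path outside the base.
    full = ntpath.normcase(ntpath.normpath(ntpath.join(allowed_dir, filename)))
    base = ntpath.normcase(ntpath.normpath(allowed_dir))
    return full.startswith(base + "\\") and full.endswith(".log")

def find_suspicious_log_sets(lines):
    """Return one finding per out-of-policy LOG. request in a transcript."""
    findings = []
    last = None  # most recent out-of-policy request still awaiting a reply
    for no, line in enumerate(lines, start=1):
        req = CLIENT_LOG.match(line)
        if req:
            last = None
            if not is_inside_allowed_dir(req["name"]):
                last = {"line": no, "filename": req["name"], "acknowledged": False}
                findings.append(last)
            continue
        ack = SERVER_ACK.match(line)
        if ack and last and ack["name"] == last["filename"]:
            last["acknowledged"] = True  # server accepted the new log target
            last = None
    return findings

# Constructed sample transcript in the advisory's client>/server> notation.
SAMPLE = [
    r"client> LOG.audit.log",
    r"server> Logfile set to: audit.log",
    r"client> LOG.C:\inetpub\wwwroot\default.asp",
    r"server> Logfile set to: C:\inetpub\wwwroot\default.asp",
    r"client> LOG...\..\scripts\nightly.bat",
]

if __name__ == "__main__":
    for finding in find_suspicious_log_sets(SAMPLE):
        print(finding)
```

The same path check, applied server-side before the log file is opened and combined with authentication, is the kind of validation the exchange lacks.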
Vendor status:
e-mailed - 16th January 2007
e-mailed - 26th February 2007
e-mailed - 15th March 2007
ADDITIONAL INFORMATION
The information has been provided by Tim Brown - Portcullis Computer
Security Ltd. (advisories@portcullis-security.com).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.