Bugtraq mailing list archives
[SNS Advisory No.40] TrendMicro OfficeScan Corp Edition ver.3.54 Remote read file of IUSER authority Vulnerability
From: snsadv () lac co jp
Date: Fri, 24 Aug 2001 18:55:39 +0900
----------------------------------------------------------------------
SNS Advisory No.40
TrendMicro OfficeScan Corp Edition ver.3.54 Remote read file of IUSER authority Vulnerability

Problem first discovered: 21 Aug 2001
Published: Fri, 24 Aug 2001
----------------------------------------------------------------------

Overview
--------
Trend Micro OfficeScan Corp Edition ver.3.54 contains a vulnerability which allows attackers to read arbitrary files with IUSER privilege.

Problem Description
-------------------
Trend Micro OfficeScan Corp Edition is an antivirus software for enterprise use. It provides central virus reporting, automatic virus pattern updates, and Web-based remote management console.

A vulnerability lies in cgiWebupdate.exe, which is one of cgi programs and is used for remote management. This problem can allow remote users to read arbitrary files with IUSER privilege.

Tested Version
--------------
Trend Micro OfficeScan Corp Edition Version 3.54

Tested OS
---------
Windows 2000 Server

Patch Information
-----------------
The same vulnerability exists in the Japanese version. There is a Japanese version of a patch for this vulnerability, which can be applied to any other version. The patch is available from the following site:

http://www.trendmicro.co.jp/esolution/solutionDetail.asp?solutionId=3086

Discovered by:
--------------
Nobuo Miwa (LAC / n-miwa () lac co jp)

Disclaimer:
-----------
All information in these advisories are subject to change without any advanced notices neither mutual consensus, and each of them is released as it is. LAC Co., Ltd. is not responsible for any risks of occurrences caused by applying those information.

References
----------
Archive of this advisory (in preparation now):
http://www.lac.co.jp/security/english/snsadv_e/40_e.html

------------------------------------------------------------------
Secure Net Service(SNS) Security Advisory <snsadv () lac co jp>
Computer Security Laboratory, LAC
http://www.lac.co.jp/security/