Bugtraq mailing list archives

Sybex E-Trainer Directory Traversal Vulnerability


From: "ZeroBreak" <ZeroBreak () softhome net>
Date: Sat, 9 Feb 2002 19:20:43 -0500

Author: ZeroBreak (zerobreak () softhome net)
Published: 02.05.02
Released: 02.08.02
Software: Sybex E-Trainer


Prelude:

Sybex E-Trainers are computer-based training courses. They run through
a web interface using your web browser. When you launch the course, it
loads its own web server and launches your default web browser, which
connects to you locally on the default HTTP server port, 80. When you
close your browser the web server also shuts down.

Vulnerability:

The vulnerability is the infamous ".." directory traversal. With a
specially crafted request to the web server you can view any file on
the target's computer under the logged-in user's permissions. The
request is in the format of:

http://target/netget?sid=user&msg=300&file=/../../../filename.ext

The web server is only running when a user runs the e-trainer course.
When the user closes the browser the web server also shuts down.
However, if the user opens the e-trainer and uses the same browser
window to start browsing other websites, the web server will stay open.
This could cause the vulnerable server to be running for an even longer
period of time. It should also be noted that this web server has no
logging features and is open to any connection request, not just those
from the local host.

Exploit:

You got a web browser don't you?

Fix:

I shot an email to Sybex on the 5th, but haven't gotten a response
back. Although my email provider has been having trouble lately.

Conclusion:

This is not a huge vulnerability, but it depends how you look at it. It
can easily take an otherwise secured system and leave it wide open for
intruders, leaking sensitive or potentially confidential information.
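
The server-side check that the "file" parameter of the netget request
needs, shown as an added example that is not part of the original
advisory and is not Sybex's code. The function name
resolve_course_file, the course root directory and the logger name are
assumptions made for illustration.

```python
import logging
import os
from urllib.parse import parse_qs, urlsplit

# Hypothetical logger name; the advisory notes the real server logs nothing.
log = logging.getLogger("netget")


def resolve_course_file(root, request_target):
    """Map the `file` query parameter to a path inside `root`.

    Returns the canonical path of an existing file under `root`, or None
    when the parameter is missing, malformed, or resolves outside `root`.
    """
    query = parse_qs(urlsplit(request_target).query)
    requested = query.get("file", [""])[0]  # parse_qs percent-decodes once
    if not requested or "\x00" in requested:
        return None

    # Treat the value as relative to the course root: normalise Windows
    # separators and drop leading slashes so it cannot be an absolute path.
    relative = requested.replace("\\", "/").lstrip("/")

    # Canonicalise both sides first, so ".." segments and symlinks are
    # resolved before the containment comparison is made.
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, relative))

    try:
        # commonpath compares whole path components, so a sibling such as
        # "course2" does not pass as being inside "course".
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:  # e.g. a different drive letter on Windows
        inside = False

    if not inside:
        log.warning("rejected file parameter outside root: %r", requested)
        return None
    return candidate if os.path.isfile(candidate) else None
```

Binding the listener to 127.0.0.1 instead of all interfaces addresses
the separate point that the server accepts connections from any host.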


