Company

Technical Security Consulting

Managing Risk

Research & Development

Forensics

Security Management

Media Centre

PCI DSS

• Home
• Overview
• R&D Services
• Technology Focus
• Messaging Systems Security
• Embedded Systems Security
• Collaborative Research Projects
• Technical Whitepapers
• Research Briefings
• Publicly Released Tools
• Vendor Alerts - 0days
• Security Advisories
• Advisories
• Advisory 028
• Advisory 027
• Advisory 026
• Advisory 025
• Advisory 024
• Advisory 023
• Advisory 022
• Advisory 021
• Advisory 020
• Advisory 019
• Advisory 018
• Advisory 017
• Advisory 016
• Advisory 015
• Advisory 014
• Advisory 013
• Advisory 012
• Advisory 011
• Advisory 010
• Advisory 009
• Advisory 008
• Advisory 007
• Advisory 006
• Advisory 005
• Advisory 004
• Advisory 003
• Advisory 002
• Advisory 001

Advisory 012

Portfolio Netpublish Server 7 is vulnerable to a Directory Traversal
Attack

Vulnerablity Type / Importance: Information Leakage / High

Problem discovered: October 11th 2005
Vendor contacted: October 11th 2005
Advisory published: December 19th 2005
----------------------------------------------------------------------

Abstract:

NetPublish Server from Extensis is a database-driven file cataloging product,
which is accssible via a web interface. The service is vulnerable to a
directory traversal attack, which allows access to files outside the
web root directory.

Description:

During a recent pentration test IRM identified a security issue associated with
the Portfolio Netpublish Server 7 product. Arbitrary files could be retrieved from
the server by using a 'directory traversal' attack within the URL, as shown
below (information relating to our client has been obscured):

http://xxx.xxx.xxx.xxx/netpub/server.np?base&site=XXXintra&catalog=catalog&t
emplate=../../../../../../../../../boot.ini

As a result of supplying the above URL the contents of the file 'boot.ini'
are displayed in the web browser. Furthermore, by default the server runs
with the privilege level of the local SYSTEM account (on Windows) and could
therefore be used to retrieve the contents of any file on the server. The risk
is reduced if the product is run on Unix, as the privilege level used is that
of the 'nobody' account.

Tested Versions:

Netpublish Server 7

Tested Operating Systems:

Microsoft Windows 2000
Linux

Vendor & Patch Information:

Extensis were contacted on October 11th 2005 and although they have not produced
a patch to prevent the directory traversal they have released a KnowledgeBase
article on their web site, which attempts to mitigate the issue. The article is
linked below.

Workarounds:

http://www.extensis.com/en/support/kb_article.jsp?articleNumber=3302201

Credits:

Research & Advisory: A Davis and M Faour

Disclaimer:

All information in this advisory is provided on an 'as is'
basis in the hope that it will be useful. Information Risk Management
Plc is not responsible for any risks or occurrences caused
by the application of this information.