SA60 : Reporter unauthenticated directory traversal

1231

03 March 2020

06 September 2011

CLOSED

HIGH

CVSS v2: 8.3

SUMMARY

Reporter installed on a Windows server is vulnerable to an HTTP directory traversal attack. An unauthenticated user can browse the file system and read any file. Data from these files can be used by an attacker to gain complete control over the Reporter installation.

AFFECTED PRODUCTS

Versions 9.1, 9.2, and 9.3 of Reporter installed on a Windows server are vulnerable.

Patches

  • Reporter 9.3:  A fix is available in 9.3.1.2.
  • Reporter 9.2:  A fix is available in 9.2.5.1.
  • An interim fix is also available in patch release 9.2.4.13.
  • Reporter 9.1:  Please upgrade to a later release.

ISSUES

When installed on a Windows server, Reporter does not enforce access control policies for web-based access to files on the local file system.  Reporter running on Linux is not vulnerable to this attack.

An unauthenticated attacker who is able to connect to the Reporter installation is able to read any file.  The attacker cannot modify or delete files via web access.  The attacker can use the information in configuration files to gain complete control of the Reporter installation.

When Reporter is deployed behind a firewall, as is recommended, an attacker must gain access from the internal network in order to mount an attack. The CVSS base scores included in this advisory are based on this deployment scenario.

If Reporter is deployed outside of the firewall, the CVSS base score would be higher: the CVSS base score for this security advisory would then be 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).
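As an added illustration of the vulnerability class described above (this is not Blue Coat's code and does not reflect how Reporter itself resolves paths), the check below shows how a Windows-hosted web file handler can confine a decoded request path to its web root. The web root and the request strings are constructed examples; Windows path semantics come from Python's ntpath module, so the check runs on any host.

```python
"""Confine a web request path to a Windows web root (illustrative, constructed example)."""
import ntpath
from urllib.parse import unquote

# Constructed example root; not Reporter's actual installation layout.
WEB_ROOT = r"C:\Example\webroot"


def is_within_root(web_root: str, requested: str) -> bool:
    """Return True only if `requested`, once decoded and normalized, stays under `web_root`.

    Handles the cases a Windows file handler must consider: percent-encoding
    (including double encoding), both '/' and '\\' as separators, absolute
    paths, drive letters, UNC paths and embedded NUL bytes.
    """
    # Decode repeatedly: a single unquote() pass leaves %252e as %2e.
    decoded = requested
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt

    # NUL bytes can truncate a path inside native file APIs; refuse them outright.
    if "\x00" in decoded:
        return False

    # On Windows both separators are valid, so fold '/' into '\' before normalizing.
    candidate = decoded.replace("/", "\\")

    # Reject anything absolute: drive letters (C:), UNC shares (\\host\share), or a leading '\'.
    drive, _ = ntpath.splitdrive(candidate)
    if drive or candidate.startswith("\\"):
        return False

    # Normalize both sides (collapse '..', '.', repeated separators; case-fold) and compare.
    root = ntpath.normcase(ntpath.normpath(web_root))
    full = ntpath.normcase(ntpath.normpath(ntpath.join(root, candidate)))

    # Require the root itself or a path beneath it; the trailing separator prevents
    # a sibling such as C:\Example\webroot2 from matching as a prefix.
    return full == root or full.startswith(root + "\\")


if __name__ == "__main__":
    for req in ("reports/summary.html", "..%5c..%5cWindows%5cwin.ini", "C:/Windows/win.ini"):
        print(f"{req!r:40} allowed={is_within_root(WEB_ROOT, req)}")
```

The same confinement test belongs on every file-serving entry point, not only the documented ones, since the advisory's point is that an unauthenticated request reaches the file system at all.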

MITIGATION

Blue Coat recommends that Reporter be deployed behind a firewall. Additional constraints on what IP addresses can be used to connect to Reporter will greatly limit the ability to attack a Reporter installation.

ACKNOWLEDGEMENTS

The vulnerability was discovered and reported to Blue Coat Systems by Alejandro Hernandez (nitr0us) of Chatsubo Labs. Blue Coat Systems appreciates the report.

REFERENCES

OWASP description of the directory traversal vulnerability:  https://www.owasp.org/index.php/Path_Traversal

REVISION

2012-01-17 Notification of maintenance release 9.2.5.1.  Changed status to final.
2011-10-04 Posted patch release availability for 9.2.
2011-09-26 Corrected version of 9.3 that has the fix in it.
2011-09-23 Indicated that 8.x versions of Reporter are not vulnerable.
2011-09-07 Indicated that a fix for 9.2 will be made available.
2011-09-06 Initial public release.