CVE-2014-2232 =================== "Absolute Path Traversal" (CWE-36) vulnerability in "infoware MapSuite" Vendor =================== infoware GmbH Product =================== MapSuite Affected versions =================== This vulnerability affects versions of MapSuite MapAPI prior to 1.0.36 and 1.1.49 Fixed versions =================== MapSuite MapAPI 1.0.36 and 1.1.49 Both patches are available since 2014-03-26. Reported by =================== This issue was reported to the vendor by Christian Schneider (@cschneider4711) following a responsible disclosure process. Severity =================== Critical Exploitability =================== No authentication required Description =================== It is possible to traverse the server's filesystem (including listing of directory contents) and read files from the server's filesystem using a specially crafted URL to access the MapAPI. This enables attackers to get hold of sensitive files from the server containing passwords, configuration, source code, etc. Proof of concept =================== Due to the responsible disclosure process chosen and to not harm unpatched systems, no concrete exploit code will be presented in this advisory. Migration =================== MapSuite MapAPI 1.0.x users should upgrade to 1.0.36 or later as soon as possible. MapSuite MapAPI 1.1.x users should upgrade to 1.1.49 or later as soon as possible. See also =================== CVE-2014-2233 as another vulnerability in the same module, which can be exploited as a Server-Side Request Forgery (SSRF) via the same input parameter. Timeline =================== 2014-02-20 Vulnerability discovered 2014-02-20 Vulnerability responsibly reported to vendor 2014-02-21 Reply from vendor acknowledging report 2014-02-26 Reply from vendor with first patch (version 1.0.34 and 1.1.47) meanwhile Testing of the patch by the reporting researcher (Christian Schneider) 2014-03-20 Reported to vendor that first patch could by bypassed meanwhile Conversation about fix strategies between vendor and reporting researcher 2014-03-26 Reply from vendor with updated patch (version 1.0.36 and 1.1.49) meanwhile Verification of the patch by reporting researcher + vendor informed customers 2014-06-01 Advisory published in coordination with vendor via BugTraq References =================== http://www.christian-schneider.net/advisories/CVE-2014-2232.txt