Sentinel Protection Server Directory Traversal

Title

-----

Sentinel Protection Server Directory Traversal

Severity

--------

High

Date Discovered

---------------

October 10th, 2007

Discovered By

-------------

Digital Defense, Inc. Vulnerability Research Team

Credit: Corey Lebleu

Vulnerability Description

-------------------------

A classic directory traversal condition exists within the Sentinel Protection Server. By sending in an HTTP GET request with a path of a file proceeded by and escaped traversal sequence, an attacker can leverage an arbitrary file access condition on the affected system.

Solution Description

--------------------

Digital Defense, Inc. initially notified SafeNet on October 12, 2007 and received confirmation from the notification on October 30, 2007.  SafeNet informed DDI that it would be releasing a patch for this flaw on November 16, 2007.  At this time, DDI does not have a resolution number for the SafeNet patch for this flaw.

Tested Systems / Software (with versions)

-----------------------------------------

Sentinel Protection Server 7.1

Other versions may be vulnerable to this flaw.

Vendor Contact

--------------

SafeNet

http://www.safenet-inc.com/