Title: H-Sphere Arbitrary File Disclosure Vulnerability
Severity: MODERATE
Description:
H-Sphere provides automation for web hosting across multiple servers. It is a commercial product that will run on Linux, FreeBSD and Microsoft Windows 2000. It supports both Apache and IIS webservers.
H-Sphere does not filter '../' sequences from some requests, which has the potential to cause disclosure of sensitive information. A malicious user may construct a specially crafted web request which will allow them to break out of wwwroot and browse the filesystem at large. This is accomplished by using '../' character sequences as a value for the "template_name" variable.
For example:
http://www.target.com/some-path/psoft.hsphere.CP/some-path/?template_name=../../../../../../../../../../../../etc/passwd
http://www.target.com/shiva/psoft.hsphere.CP/admin/2628_0/?template_name=../../../../../../../../../../../../etc/passwd
Arbitrary web-readable files may be displayed by the attacker using this attack.
To successfully exploit this issue, the malicious user must have access to an account for a hosted website.
Affected Products:
- Positive Software H-Sphere 1.5.0
- Positive Software H-Sphere 2.0.0
- Positive Software H-Sphere 2.0.05
References:
- Positive Software: Positive Software Homepage
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
