J-Security Center


Title: Accipiter DirectServer Remote File Disclosure Vulnerability

Severity: HIGH

Description:

The DirectServer is a web server implementation that is packaged and distributed by Accipiter with the AdManager Server software.

This vulnerability may allow an attacker to read files that reside outside of the web root directory by sending a specially crafted URI. The root cause is that the server does not adequately reject requests containing certain variations of directory traversal sequences: a check for the literal "../" string is not enough, because URL-encoded forms of these sequences have been demonstrated to retrieve resources outside the web server's document root.

Successful exploitation permits remote attackers to retrieve any file on the system that is readable by the web server process, potentially exposing sensitive information.

This issue has been reported to affect Windows variants of the software. It is not known if other versions are also affected.
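The following is an added example, not code from the advisory or from Accipiter, showing the class of check the advisory describes as insufficient beside a hardened path-mapping routine. The web root path, the helper names and the sample request URIs are constructed for illustration. The hardened routine percent-decodes until the string is stable (so single- and double-encoded "../" both reduce to a traversal), treats backslash as a separator because the affected platform is Windows, normalises the joined path, and only then checks that the result is still under the document root.

```python
import posixpath
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed document root for the example; not a path from the advisory.
WEB_ROOT = "/srv/www/htdocs"


def naive_is_safe(request_path: str) -> bool:
    """Weak check of the kind the advisory describes as insufficient:
    it looks for a literal '../' in the raw request line and nothing else,
    so '%2e%2e/' or '..\\' sail straight through."""
    return "../" not in request_path


def resolve_request_path(request_path: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Hardened mapping of a request URI path to a filesystem path.

    Returns the absolute path under web_root, or None if the request
    would escape the document root (or is otherwise malformed).
    """
    # Drop query string; only the path component maps to the filesystem.
    path = request_path.split("?", 1)[0]

    # Decode repeatedly until stable so '%2e%2e%2f' and the double-encoded
    # '%252e%252e%252f' both end up as '../'. Bound the loop; a string that
    # keeps changing is hostile and is refused outright.
    for _ in range(5):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None

    # NUL bytes truncate C strings on the server side; never pass them on.
    if "\x00" in path:
        return None

    # Windows servers accept backslash as a separator; treat it as one.
    path = path.replace("\\", "/")

    # Join onto the root, collapse '.' and '..', then verify containment.
    candidate = posixpath.normpath(posixpath.join(web_root, path.lstrip("/")))
    if candidate != web_root and not candidate.startswith(web_root + "/"):
        return None
    return candidate


# Constructed sample requests; the 'boot.ini' target simply stands in for
# a file outside the document root on a Windows host.
SAMPLE_REQUESTS = [
    "/index.html",                              # ordinary request
    "/images/../index.html",                    # traversal that stays inside root
    "/../../../boot.ini",                       # plain traversal
    "/%2e%2e/%2e%2e/%2e%2e/boot.ini",           # URL-encoded traversal
    "/%252e%252e%255cboot.ini",                 # double-encoded, backslash form
]


def classify(requests: List[str]) -> List[Tuple[str, bool, Optional[str]]]:
    """For each request return (uri, naive_check_passed, hardened_result).
    A row with naive True and hardened None is a bypass of the naive check."""
    return [(r, naive_is_safe(r), resolve_request_path(r)) for r in requests]


if __name__ == "__main__":
    for uri, naive_ok, resolved in classify(SAMPLE_REQUESTS):
        verdict = resolved if resolved else "REJECTED"
        print(f"{uri:36} naive_allows={naive_ok!s:5} hardened={verdict}")
```

Note that the hardened routine does not simply strip traversal sequences; it normalises the full joined path and compares it against the root, which is the only check that survives every encoding variant.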

Affected Products:

  • Accipiter DirectServer 6.0.0

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.