Title ----- DDIVRT-2011-34 Metropolis Technologies OfficeWatch Directory Traversal
Severity -------- High Date Discovered --------------- August 15, 2011 Discovered By ------------- Digital Defense, Inc. Vulnerability Research Team Credit: Chris Graham and r@b13$ Vulnerability Description ------------------------- Metropolis Technologies OfficeWatch enables a web server on TCP port 80 that is susceptible to a directory traversal. An attacker may send a ../ (dot-dot-slash) sequence to traverse out of the web root and access arbitrary files on the host. Solution Description -------------------- Until a patch is released by the vendor, it is recommended to restrict access to the web server to authorized hosts only. Access controls can be configured through Windows firewall. Tested Systems / Software ------------------------- Metropolis Technologies OfficeWatch for Windows 2000/XP/2003/Vista Version 2011.06.20 Tested on Windows Server 2003 and XP Vendor Contact -------------- support2...@metropolis.com
