[15001] in bugtraq
MetaProducts Offline Explorer Directory Traversal Vulnerability
daemon@ATHENA.MIT.EDU (Servio Medina)
Tue May 23 14:23:29 2000
Message-Id: <E3A5BCF79162D211A4190008C7A49E0D84A4DA@idsrv10.ipartnership.com>
Date: Mon, 22 May 2000 17:13:03 -0400
Reply-To: Servio Medina <SMedina@IDEFENSE.COM>
From: Servio Medina <SMedina@IDEFENSE.COM>
X-To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
To: BUGTRAQ@SECURITYFOCUS.COM
Received word from MetaProducts regarding the recently posted vulnerability
in MetaProducts Offline Explorer (Bugtraq ID 1231).
According to the vendor:
[begin vendor]
The download directory is accessible via the internal Web server. It is the
only accessible area. However, in versions 1.0 - 1.2 if a URL
http://127.0.0.1:800/./../../ is entered, it is possible to get to a
directory outside the download directory. This problem was fixed in OE 1.3
Beta 1 version, and therefore in all later versions as well. You can no
longer access any areas outside the download directory.
The best workaround, of course, would be to download our latest version.
(v1.3 or greater.)
Best regards,
| Robert J. Atwell Jr.
| MetaProducts Corporation
| Robert.Atwell@metaproducts.com
| www.metaproducts.com
[end vendor]
Cheers,
Servio F. Medina
---
Information Security Analyst
www.idefense.com
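
The containment check that closes this class of bug in a local web server, as an added example that is not part of the original message and is not MetaProducts' code. The download root path and both function names are assumptions made for illustration; the example also covers percent-encoded and backslash-separated forms of the same request, which goes beyond the single URL quoted above.

```python
import os
from urllib.parse import unquote, urlsplit

# Hypothetical download directory; the message does not name the real one.
DOWNLOAD_ROOT = "/srv/oe-downloads"


def unchecked_resolve(url, root=DOWNLOAD_ROOT):
    """Assumed shape of an unchecked mapping: request path appended to the root.

    Nothing verifies that the normalised result is still below root, which
    is the condition the vendor describes for versions 1.0 - 1.2.
    """
    path = unquote(urlsplit(url).path)
    return os.path.normpath(root + "/" + path)


def contained_resolve(url, root=DOWNLOAD_ROOT):
    """Return the filesystem path for url, or None if it leaves root."""
    path = unquote(urlsplit(url).path)   # decode once so %2e%2e is seen as ".."
    if "\x00" in path:
        return None                      # reject embedded NUL outright
    path = path.replace("\\", "/")       # treat Windows separators as separators
    root_real = os.path.realpath(root)
    # realpath collapses "." and ".." and follows symlinks that exist on disk.
    candidate = os.path.realpath(os.path.join(root_real, path.lstrip("/")))
    # commonpath compares whole components, so a sibling directory such as
    # /srv/oe-downloads-old does not count as being inside the root.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests; the first is the URL quoted in the message.
    for u in ("http://127.0.0.1:800/./../../",
              "http://127.0.0.1:800/%2e%2e/%2e%2e/",
              "http://127.0.0.1:800/site/index.htm"):
        print(u, "->", unchecked_resolve(u), "|", contained_resolve(u))
```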