Vigil@nce - Trend Micro InterScan Web Security: file reading via AdminUI
November 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can read files via the administration Web application
of Trend Micro InterScan Web Security, in order to obtain
sensitive information.
Impacted products: InterScan Web Security Suite
Severity: 2/4
Creation date: 07/11/2014
DESCRIPTION OF THE VULNERABILITY
The Trend Micro InterScan Web Security product provides an
administration Web application.
However, an authenticated user can insert file paths into some
fields of the man machine interface, in order to get the content
of any file readable by the Web server. Technical details are
unknown.
An attacker can therefore read files via the administration Web
application of Trend Micro InterScan Web Security, in order to
obtain sensitive information.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Trend-Micro-InterScan-Web-Security-file-reading-via-AdminUI-15610