Detections
Analytics

ExtremeZ-IP File and Print Server Zidget/HTTP Server Traversal Arbitrary File Access

medium Nessus Plugin ID 30253

Language:

Synopsis

The remote web server is affected by a directory traversal vulnerability.

Description

The remote host is running ExtremeZ-IP, a file- and print-server for Windows.

The version of ExtremeZ-IP includes a web server, which provides access to the Zidget widget and master list and is affected by a limited directory traversal vulnerability. By leveraging this issue, an unauthenticated, remote attacker can retrieve files on the same drive as the application and of type '.gif', '.png', '.jpg', '.xml', '.ico', '.zip', or '.html'

Note that there are also reportedly two denial of service vulnerabilities associated with this version of ExtremeZ-IP, although Nessus has not checked for them.

Solution

Upgrade to ExtremeZ-IP 5.1.3x03 or later.

See Also

http://aluigi.altervista.org/adv/ezipirla-adv.txt

http://www.grouplogic.com/files/ez/hot/hotFix51.cfm

Plugin Details

Severity: Medium

ID: 30253

File Name: extremez_ip_zidget_dir_traversal.nasl

Version: 1.19

Type: remote

Family: CGI abuses

Published: 2/12/2008

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Information

Exploit Ease: No exploit is required

Exploited by Nessus: true

Reference Information

CVE: CVE-2008-0758

BID: 27718

CWE: 22

SECUNIA: 28862