Trend Micro Threat Intelligence Manager sampleReporting.php 'fakename' Parameter File Disclosure

high Nessus Plugin ID 84917

Synopsis

An application running on the remote Windows host is affected by a file disclosure vulnerability.

Description

The version of Trend Micro Threat Intelligence Manager running on the remote Windows host is affected by a file disclosure vulnerability due to a failure to properly sanitize user-supplied input to the 'fakename' parameter in the sampleReporting.php script. A remote, unauthenticated attacker, using a crafted request, can exploit this to view arbitrary files.

Note that the application is reportedly affected by a local file disclosure vulnerability and a remote code execution vulnerability;
however, Nessus has not tested for these issues.

Solution

Apply Threat Intelligence Manager 1.0 Patch 5 or later.

See Also

https://blogs.securiteam.com/index.php/archives/2502

https://success.trendmicro.com/solution/1103000

Plugin Details

Severity: High

ID: 84917

File Name: trendmicro_tim_fakename_file_disclosure.nasl

Version: 1.5

Type: remote

Family: CGI abuses

Published: 7/22/2015

Updated: 1/19/2021

Supported Sensors: Nessus

Vulnerability Information

CPE: x-cpe:/a:trend_micro:threat_intelligence_manager

Required KB Items: installed_sw/Trend Micro Threat Intelligence Manager

Exploit Ease: No exploit is required

Patch Publication Date: 4/10/2014

Vulnerability Publication Date: 7/13/2015

Reference Information

CVE: CVE-2014-2204