Hobbit Monitor < 4.1.2p2 config Command Traversal Arbitrary File Access

medium Nessus Network Monitor Plugin ID 3699

Synopsis

The remote host is vulnerable to a Directory Traversal flaw.

Description

The remote host is running Hobbit Monitor, a web-based host and network monitoring application. This version of Hobbit Monitor is prone to a flaw in which remote attackers can use the 'config' command to access confidential files. To exploit this issue, the attacker would connect to the Hobbit application (typically on port 1984) and send a 'config ../../../../../<filename>' request. Successful exploitation would result in the attacker gaining access to confidential data.
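The flaw described above comes down to a file name from the network being used without checking that it stays inside the configuration directory. The following added example (not Hobbit's code and not the vendor's fix) shows a lexical check for a 'config <filename>' message; the function names and sample file names are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Lexical check only (no filesystem access): accept a relative name that
 * has no ".." component, no backslash and no control characters. */
static bool config_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return false;                       /* empty or absolute path */
    for (const char *c = name; *c != '\0'; c++)
        if ((unsigned char)*c < 0x20 || *c == '\\')
            return false;                   /* control byte or backslash */

    const char *p = name;
    while (*p != '\0') {
        size_t len = strcspn(p, "/");       /* length of this component */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;                   /* parent-directory component */
        p += len;
        if (*p == '/')
            p++;
    }
    return true;
}

/* Hypothetical handler for one "config <filename>" message: returns the
 * file name inside msg when it is acceptable, NULL otherwise. */
const char *accept_config_request(const char *msg)
{
    static const char verb[] = "config ";
    if (msg == NULL || strncmp(msg, verb, sizeof(verb) - 1) != 0)
        return NULL;
    const char *name = msg + sizeof(verb) - 1;
    while (*name == ' ')
        name++;
    return config_name_is_safe(name) ? name : NULL;
}

int main(void)
{
    /* Constructed sample messages. */
    const char *samples[] = { "config hosts.cfg", "config ../../../../../secret.txt" };
    for (size_t i = 0; i < 2; i++)
        printf("%-36s -> %s\n", samples[i],
               accept_config_request(samples[i]) ? "served" : "rejected");
    return 0;
}
```

A server would normally pair this with resolving the final path and confirming it still lies under the configuration directory, since a lexical check does not account for symbolic links.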

Solution

Upgrade to version 4.1.2p2 or higher.

See Also

http://hobbitmon.sourceforge.net

Plugin Details

Severity: Medium

ID: 3699

Family: CGI

Published: 8/3/2006

Updated: 3/6/2019

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:F/RL:U/RC:C

Vulnerability Information

CPE: cpe:/a:hobbit_monitor:hobbit_monitor

Reference Information

CVE: CVE-2006-4003

BID: 19317