Trend Micro InterScan Web Security Virtual Appliance Multipl
Trend Micro InterScan Web Security Virtual Appliance Multiple Vulnerabilities
Release Date : 2010-06-23
Criticality level : Less critical
Impact : Cross Site Scripting
Exposure of system information
Exposure of sensitive information
Where : From remote
Solution Status : Vendor Patch
Software: Trend Micro InterScan Web Security Virtual Appliance 5.x
Some vulnerabilities have been reported in Trend Micro InterScan Web Security Virtual Appliance, which can be exploited by malicious users to disclose potentially sensitive information or compromise a vulnerable system, and by malicious people to conduct cross-site request forgery attacks.
1) The web-based user interface allows user to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. add a web site to the URL blocking list or add new users when a logged-in administrative user visits a specially crafted web site.
2) Input passed via the "exportname" parameter to /servlet/com.trend.iwss.gui.servlet.exportreport is not properly sanitised before being used. This can be exploited to download arbitrary files from the system via directory traversal attacks.
3) Input passed via the "pkg_name" parameter to /servlet/com.trend.iwss.gui.servlet.ConfigBackup is not properly sanitised before being used to download files, which can be exploited to download arbitrary files from the system.
Successful exploitation of vulnerabilities #2 and #3 requires authentication and administrative or reporter privileges.
4) Input passed via the "filename" parameter to /servlet/com.trend.iwss.gui.servlet.XMLRPCcert is not properly sanitised before being used. This can be exploited to upload arbitrary files to arbitrary locations via directory traversal attacks.
Successful exploitation of this vulnerability requires authentication.
Apply Critical Patch Build 1386.
Was this reply helpful? (0) (0)