Entrust GetAccess File Disclosure Vulnerability

Entrust GetAccess allows administration of individual user access rights and customer profiles on high-volume 'portal' websites.

The default shell scripts bundled with Entrust GetAccess do not sufficiently validate user-supplied input. A remote attacker can send a web request containing '../' sequences, null characters or shell metacharacters to access resources (such as web-readable files) outside the wwwroot directory on a vulnerable host. The request must include certain parameters to succeed.

Sensitive information disclosed in arbitrary web-readable files may facilitate further "intelligent" attacks on the host.

Copyright 2010, SecurityFocus