[VulnWatch] Re: NetObserve Security Bypass Vulnerability
From: Peter Winter-Smith (peter4020 hotmail.com)
Date: Tue Dec 30 2003 - 18:52:31 CST
Re: NetObserve Security Bypass Vulnerability
############################################
Credit:
Author : Peter Winter-Smith
Software:
Packages : NetObserve
Version : 2.0 and prior
Vendor : ExploreAnywhere Software
Vendor Url : http://www.exploreanywhere.com/no-intro.php
Vulnerability:
Bug Type : Security Bypass
Severity : Highly Critical
+ Remote System Command Via NetObserve
UPDATE:
I may have been a little unclear in my description of the
exploitability of this flaw. It seems that I interchanged the words
'administrator' and 'remote user' giving the impression that only a
current 'user' of the administration panel can compromise the system
through these flaws. In actual fact it is possible to compromise a system
running NetObserve without being any kind of authenticated user or
administrator!
I thought I should mention this because it has been labelled as only
exploitable by current users of the NetObserve system, which is
technically incorrect - anyone can exploit it :-)
The complete document on this flaw can be found at:
http://www.elitehaven.net/netobserve.txt
Thanks to you all for the tireless effort and research work which you
put into the security community!
-Peter Winter-Smith