Reporter unauthenticated directory traversal

Security Advisories ID: 
SA60
Published Date: 
September 6, 2011
Advisory Status: 
Final
Advisory Severity: 
High
CVSS v2 base score: 8.3 (AV:A/AC:L/Au:N/C:C/I:C/A:C)
CVE Number: 
No CVEs are associated with this vulnerability.
Reporter installed on a Windows server is vulnerable to an HTTP directory traversal attack. An unauthenticated attacker can browse the file system and read any file. Data from these files can be used by an attacker to gain complete control over the Reporter installation.
Affected Products: 
Versions 9.1, 9.2, and 9.3 of Reporter installed on a Windows server are vulnerable. Reporter 8.x is not vulnerable, and Reporter installed on Linux is not vulnerable.
Advisory Details: 

When installed on a Windows server, Reporter does not enforce access control policies for web-based access to files on the local file system.  Reporter running on Linux is not vulnerable to this attack.

An unauthenticated attacker who is able to connect to the Reporter installation is able to read any file.  The attacker cannot modify or delete files via web access.  The attacker can use the information in configuration files to gain complete control of the Reporter installation.
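The pattern the advisory describes, a web front end that hands a URL path to the file system without checking that the result stays under the web root, is illustrated below as an added example. It is not Reporter's code; the web roots, file names and request paths are assumed. Running the same naive resolver under Windows (`ntpath`) and POSIX (`posixpath`) path rules shows one way a traversal can be platform-specific (backslash handling); the advisory does not say whether that is why the Linux build is unaffected. The hardened `resolve_checked` decodes once, refuses any `..` segment outright, and then confirms the joined path is still under the root, which also catches an absolute drive-letter path that normalization alone would accept.

```python
"""Path traversal in a file-serving handler: a naive resolver beside a hardened
one, evaluated under Windows (ntpath) and POSIX (posixpath) path rules.
Added illustration only: not Blue Coat Reporter's code.  The web roots, file
names and request paths below are assumed."""
import ntpath
import posixpath
from urllib.parse import unquote

# Assumed web roots for the two platforms (not real Reporter paths).
WIN_ROOT = "C:\\Reporter\\webroot"
POSIX_ROOT = "/opt/reporter/webroot"

# Pure-path modules standing in for the platform the server runs on, so the
# example runs anywhere without touching the real file system.
PLATFORMS = {"windows": ntpath, "posix": posixpath}


def resolve_naive(web_root, requested, platform="windows"):
    """Vulnerable pattern: URL-decode the request path and join it onto the
    web root with no containment check.  On Windows, '..\\' and '../' both
    climb out of web_root; on POSIX a backslash is just a filename byte."""
    pathmod = PLATFORMS[platform]
    return pathmod.normpath(pathmod.join(web_root, unquote(requested)))


def resolve_checked(web_root, requested, platform="windows"):
    """Hardened resolver.  Returns the file system path to serve, or None when
    the request must be refused (the caller should answer 403 or 404)."""
    pathmod = PLATFORMS[platform]
    decoded = unquote(requested)          # decode exactly once
    if "\x00" in decoded:
        return None                       # NUL would truncate the path in C APIs
    # Treat backslashes as separators on every platform so that '..\\' cannot
    # slip past a check that only understands '/'.
    segments = decoded.replace("\\", "/").split("/")
    if ".." in segments:
        return None                       # refuse traversal rather than remap it
    url_path = posixpath.normpath("/" + "/".join(segments)).lstrip("/")
    candidate = pathmod.normpath(pathmod.join(web_root, url_path))
    # Containment check: the layer that catches what normalisation misses,
    # e.g. 'C:/Windows/win.ini', which ntpath.join accepts as a replacement
    # for web_root.  normcase folds case and separators on Windows.
    root = pathmod.normcase(pathmod.normpath(web_root))
    cand = pathmod.normcase(candidate)
    if cand != root and not cand.startswith(root + pathmod.sep):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request paths of the kind an attacker might send; none of
    # them come from the advisory.
    probes = ["reports/index.html", "..\\..\\Windows\\win.ini",
              "%2e%2e/%2e%2e/Windows/win.ini", "C:/Windows/win.ini"]
    for req in probes:
        print(f"{req!r:36} naive={resolve_naive(WIN_ROOT, req)!r:30} "
              f"checked={resolve_checked(WIN_ROOT, req)!r}")
```

Refusing a `..` segment instead of silently collapsing it is deliberate: a rejected request shows up as a 4xx in the access log, which is what a detection rule for traversal probing keys on.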

When Reporter is deployed behind a firewall, as is recommended, an attacker must gain access from the internal network in order to mount an attack. The CVSS base scores included in this advisory are based on this deployment scenario.

If Reporter is deployed outside of the firewall, the CVSS base score would be higher: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).

Workarounds: 
Blue Coat recommends that Reporter be deployed behind a firewall. Restricting the IP addresses that are allowed to connect to Reporter further limits the ability to attack a Reporter installation.
Patches: 

Reporter 9.3:  A fix is available in 9.3.1.2. The fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/product/8793.

Reporter 9.2:  A fix is available in 9.2.5.1.  The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/4997.  An interim fix is also available in patch release 9.2.4.13.  The interim fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/patch/84188517921183988709862486268327.

Reporter 9.1:  Please upgrade to a later release.

References: 

The vulnerability was discovered and reported to Blue Coat Systems by Alejandro Hernandez (nitr0us) of Chatsubo Labs. Blue Coat Systems appreciates the report.

OWASP description of the directory traversal vulnerability:  www.owasp.org/index.php/Path_Traversal

Advisory History: 

2012-01-17 Notification of maintenance release 9.2.5.1.  Changed status to final.
2011-10-04 Posted patch release availability for 9.2.
2011-09-26 Corrected version of 9.3 that has the fix in it.
2011-09-23 Indicated that 8.x versions of Reporter are not vulnerable.
2011-09-07 Indicated that a fix for 9.2 will be made available.
2011-09-06 Initial public release