Reporter unauthenticated directory traversal
When installed on a Windows server, Reporter does not enforce access control policies for web-based access to files on the local file system. Reporter running on Linux is not vulnerable to this attack.
An unauthenticated attacker who is able to connect to the Reporter installation is able to read any file. The attacker cannot modify or delete files via web access. The attacker can use the information in configuration files to gain complete control of the Reporter installation.
When Reporter is deployed behind a firewall, as is recommended, an attacker must gain access from the internal network in order to mount an attack. The CVSS base scores included in this advisory are based on this deployment scenario.
If Reporter is deployed outside of the firewall. the CVSS base score would be higher. The CVSS base score for this security advisory would be a 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C).
Reporter 9.3: A fix is available in 188.8.131.52. The fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/product/8793.
Reporter 9.2: A fix is available in 184.108.40.206. The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/4997. An interim fix is also available in patch release 220.127.116.11. The interim fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/patch/84188517921183988709862486268327.
Reporter 9.1: Please upgrade to a later release.
The vulnerability was discovered and reported to Blue Coat Systems by Alejandro Hernandez (nitr0us) of Chatsubo Labs. Blue Coat Systems appreciates the report.
OWASP description of the directory traversal vulnerability: www.owasp.org/index.php/Path_Traversal
2012-01-17 Notification of maintenance release 18.104.22.168. Changed status to final.
2011-10-04 Posted patch release availability for 9.2.
2011-09-26 Corrected version of 9.3 that has the fix in it.
2011-09-23 Indicated that 8.x versions of Reporter are not vulnerable.
2011-09-07 Indicated that a fix for 9.2 will be made available.
2011-09-06 Initial public release