vendor:
USP FOSS Distribution
by:
GolD_M = [Mahmood_ali]
5.5
CVSS
MEDIUM
Remote File Disclosure
CWE
Product Name: USP FOSS Distribution
Affected Version From: 01.01
Affected Version To: 01.01
Patch Exists: NO
Related CWE:
CPE:
Platforms Tested:
2007
USP FOSS Distribution 1.01 Remote File Disclosure
The vulnerability exists in the /user/download.php script of the USP FOSS Distribution 1.01. By manipulating the 'dnld' parameter, an attacker can disclose arbitrary files from the system, such as /etc/passwd.
Mitigation:
The vendor should validate and sanitize user input to prevent directory traversal attacks. Additionally, it is recommended to restrict access to sensitive files on the server.