Vulnerability Note VU#243243
Entrust GetAccess does not validate user input, thereby allowing users to read arbitrary files
Entrust GetAccess does not properly validate the CGI variable "LOCALE" and may be exploited to read arbitrary files on the server.
Entrust GetAccess is a web software product for identifying users of a web site. Entrust GetAccess takes a CGI variable named "LOCALE" that specifies a server directory in which to find international localization files. Entrust GetAccess does not adequately validate the LOCALE value: '../' and other character sequences that permit directory traversal are not removed before the value is used to build a filesystem path.
A remote attacker can read any file on the server to which the web server process has read privileges.
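The defect described above is a missing input check on a parameter that is later joined to a filesystem path. The following Python is an added example written for this note; it is not Entrust's code and does not reflect how GetAccess handles LOCALE internally. It shows the two checks a defender would want on such a parameter (an allow-list on the syntax, then a containment check on the normalised path) and a small triage helper that applies them to request lines. The base directory `/opt/webapp/locale`, the request path `/app/login`, the locale pattern and all sample requests are constructed for illustration.

```python
import os
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Assumed base directory holding per-locale resource files (constructed for
# this example; not the product's real layout).
LOCALE_BASE = "/opt/webapp/locale"

# Allow-list for locale tags such as "en", "en_US" or "fr_CA". Anything that
# is not exactly this shape (so '/', '\\', '.', NUL and '%' included) is
# rejected before the value is ever joined to a filesystem path.
LOCALE_RE = re.compile(r"[a-z]{2}(_[A-Z]{2})?")


def locale_is_well_formed(locale: str) -> bool:
    """First layer: the value must match the allow-list exactly."""
    return LOCALE_RE.fullmatch(locale) is not None


def path_stays_within(relative: str, base: str = LOCALE_BASE) -> bool:
    """Second, independent layer: after joining and normalising, the result
    must still lie inside `base`. This is a purely lexical check (normpath),
    which keeps the example free of filesystem access; if `base` can contain
    symlinks, apply os.path.realpath to both sides instead."""
    base_norm = os.path.normpath(base)
    if os.path.isabs(relative):
        return False
    joined = os.path.normpath(os.path.join(base_norm, relative))
    return os.path.commonpath([base_norm, joined]) == base_norm


def resolve_locale_dir(locale: str, base: str = LOCALE_BASE) -> Optional[str]:
    """Return the directory for `locale`, or None when the value is rejected
    by either layer."""
    if not locale_is_well_formed(locale):
        return None
    if not path_stays_within(locale, base):
        return None
    return os.path.normpath(os.path.join(base, locale))


def flag_traversal_in_requests(request_lines: List[str]) -> Dict[str, str]:
    """Triage helper: map each request line to 'ok', 'rejected' or 'absent'
    based on its LOCALE query parameter. parse_qs percent-decodes once, so
    "%2e%2e%2f" is seen as "../"; a double-encoded "%252e" decodes to "%2e",
    which the allow-list rejects as well."""
    verdicts: Dict[str, str] = {}
    for line in request_lines:
        values = parse_qs(urlsplit(line).query, keep_blank_values=True).get("LOCALE", [])
        if not values:
            verdicts[line] = "absent"
        elif all(resolve_locale_dir(v) is not None for v in values):
            verdicts[line] = "ok"
        else:
            verdicts[line] = "rejected"
    return verdicts


# Constructed request lines (the path /app/login is an assumption).
SAMPLE_REQUESTS = [
    "/app/login?LOCALE=en_US",
    "/app/login?LOCALE=../../etc/passwd",
    "/app/login?LOCALE=%2e%2e%2f%2e%2e%2fetc%2fpasswd",
    "/app/login?LOCALE=en_US%00/../",
    "/app/login?LOCALE=%252e%252e/",
    "/app/login?user=alice",
]

if __name__ == "__main__":
    for request, verdict in flag_traversal_in_requests(SAMPLE_REQUESTS).items():
        print(f"{verdict:8s} {request}")
```

The allow-list alone is sufficient for a locale tag, but keeping the containment check as a separate function means a later relaxation of the pattern (for example to admit a script subtag containing a hyphen) cannot silently reopen traversal; the two layers fail independently.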
Apply a patch
For more information, login to:
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
| Entrust | Affected | - | 17 Sep 2002 |
CVSS Metrics
Thanks to Rudi Carell for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
- CVE IDs: Unknown
- Date Public: 05 Nov 2001
- Date First Published: 18 Sep 2002
- Date Last Updated: 18 Sep 2002
- Severity Metric: 2.14
- Document Revision: 5
If you have feedback, comments, or additional information about this vulnerability, please send us email.