Entrust GetAccess does not properly validate the CGI variable "LOCALE" and may be exploited to read arbitrary files on the server.
Entrust GetAccess is a web software product for identifying users of a web site. Entrust GetAccess takes a CGI variable named "LOCALE" specifying a server directory in which to find international localization files. Entrust GetAccess does not adequately validate the LOCALE value to remove '../' and other character sequences allowing directory traversal.
A remote attacker can read any file on the server to which the web server process has read privileges.
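The defensive counterpart of the flaw described above, as an added example that is not part of the advisory or of the GetAccess product: a LOCALE lookup that allow-lists the identifier and confirms the resolved path stays inside the localization directory, plus a scan of constructed access-log lines for LOCALE values that fail the same allow-list. The root directory, the CGI path and the log lines are assumptions for this example.

```python
import re
from pathlib import Path
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed layout (not the product's real path): localization files live under
# one root directory that the lookup must never leave.
LOCALE_ROOT = Path("/opt/getaccess/locale")

# Allow-list: locale tags such as "en", "en_US", "pt_BR" and nothing else, so
# '/', '\\', '.' and '%' can never reach the filesystem lookup.
LOCALE_RE = re.compile(r"[a-z]{2}(?:_[A-Z]{2})?")

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '10.0.0.5 - - [18/Sep/2002:10:00:00 +0000] "GET /cgi-bin/ga?LOCALE=en_US HTTP/1.0" 200 512',
    '10.0.0.9 - - [18/Sep/2002:10:00:01 +0000] "GET /cgi-bin/ga?LOCALE=..%2F..%2Fconfig.txt HTTP/1.0" 200 1280',
    '10.0.0.9 - - [18/Sep/2002:10:00:02 +0000] "GET /cgi-bin/ga?LOCALE=%252e%252e%252fconfig.txt HTTP/1.0" 200 1280',
]


def resolve_locale_dir(locale: str, root: Path = LOCALE_ROOT) -> Path:
    """Return the directory for `locale`, or raise ValueError.

    Two independent checks: the allow-list rejects traversal characters up
    front, and the containment check catches anything that still resolves
    outside `root` (defense in depth if the regex is ever loosened)."""
    if not LOCALE_RE.fullmatch(locale):
        raise ValueError(f"rejected LOCALE value: {locale!r}")
    root_resolved = root.resolve()
    candidate = (root_resolved / locale).resolve()
    if root_resolved not in candidate.parents:
        raise ValueError(f"LOCALE path escapes root: {candidate}")
    return candidate


def is_suspicious_locale(value: str) -> bool:
    """True if a LOCALE value (decoded once more, so double-encoded '%252e'
    is caught too) does not match the allow-list."""
    return LOCALE_RE.fullmatch(unquote(value)) is None


def flag_requests(log_lines):
    """Return the LOCALE values in common-log-format lines that fail the
    allow-list; parse_qs performs the single decode a CGI would see."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        hits.extend(v for v in query.get("LOCALE", []) if is_suspicious_locale(v))
    return hits
```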
Apply a patch
For more information, log in to:
Thanks to Rudi Carell for reporting this vulnerability.
This document was written by Shawn Van Ittersum.
Date First Published: 2002-09-18
Date Last Updated: 2002-09-18 14:09 UTC