VMware Studio Virtual Appliance Web Interface File Upload Directory Traversal Vulnerability

Vulnerability cause
Input validation error
 
Affected systems
VMware Studio 2.0 beta
 
Unaffected systems
VMware Studio 2.0
VMware Studio 1.0
 
Impact
A remote attacker can exploit the vulnerability to upload arbitrary files to any directory on the virtual appliance.
 
Conditions required for an attack
The attacker must have access to VMware Studio.
 
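Vulnerability information
VMware Studio is a solution for developing, configuring, and customizing virtual applications and appliances.
The web interface component supported by VMware Studio does not properly filter user input, so a remote attacker can exploit the vulnerability to upload files to arbitrary directories on the VMware Studio virtual appliance.
However, this vulnerability does not affect virtual machines built with Studio 2.0 beta.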
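
The advisory gives no details of the affected upload handler, so the following added example (not VMware's code and not part of the original advisory) assumes a hypothetical handler that receives an upload root and a client-supplied relative path. It contrasts the unchecked join that allows directory traversal with a containment check; all function names and sample inputs are constructed for illustration.

```python
import os
import tempfile

class UploadPathError(ValueError):
    """Raised when a client-supplied upload path escapes the upload root."""

def naive_destination(upload_root, client_path):
    # Vulnerable pattern: the client-controlled value is joined unchecked,
    # so ".." segments or an absolute path select any directory.
    return os.path.normpath(os.path.join(upload_root, client_path))

def safe_destination(upload_root, client_path):
    # Reject input that can never be a legitimate relative upload name.
    if not client_path or "\x00" in client_path:
        raise UploadPathError("empty name or NUL byte")
    # Treat backslashes as separators too, so "..\\x" is not missed.
    normalized = client_path.replace("\\", "/")
    if normalized.startswith("/"):
        raise UploadPathError("absolute path")
    root = os.path.realpath(upload_root)
    # realpath collapses ".." and resolves symlinks before the comparison.
    candidate = os.path.realpath(os.path.join(root, normalized))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise UploadPathError("path escapes upload root")
    return candidate

def check_samples():
    # Constructed sample inputs; returns {input: accepted by safe_destination}.
    samples = ["build/profile.xml", "a/../c.txt", "../../etc/cron.d/job",
               "/etc/passwd", "a/../../b", "..\\..\\b"]
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "uploads")  # hypothetical upload root
        os.mkdir(root)
        results = {}
        for name in samples:
            try:
                safe_destination(root, name)
                results[name] = True
            except UploadPathError:
                results[name] = False
        return results

if __name__ == "__main__":
    for name, accepted in check_samples().items():
        print(f"{name!r}: {'accepted' if accepted else 'rejected'}")
```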
 
Test method
 
Vendor solution
Users can contact the vendor to obtain the corresponding patch or upgrade:
VMware Studio 2.0 build 1017-185256
-----------------------------------
http://www.vmware.com/support/developer/studio/
Release notes:
http://www.vmware.com/support/developer/studio/studio20/release_notes.html
VMware Studio appliance in ZIP
(md5sum:58cb40704d12f4ec329b887ae729aba9)
(sha1sum:2931a6a4de7e77016d08c6539cab93a6304ab452)
VMware Studio appliance in OVA
Deployment URL:
http://download3.vmware.com/software/studio/studio20/VMware_Studio-2.0.0.1017-185256_OVF10.ova
(md5sum:0b0edb02865ae935bcffcccbf346adc2)
(sha1sum:f126339ab0de5b684e60ab7dfd50ddb15f2391cc)
VMware Studio appliance in OVF 1.0
Deployment URL:
http://download3.vmware.com/software/studio/studio20/VMware_Studio-2.0.0.1017-185256_OVF10.ovf
(md5sum:a3dfca29578a75b0440be3419396c85c)
(sha1sum:67f08e73de18ddeea257fefe6475f289d643ad77)
VMware Studio appliance in OVF 0.9
Deployment URL:
http://download3.vmware.com/software/studio/studio20/VMware_Studio-2.0.0.1017-185256_OVF09.ovf
(md5sum:959c61270dc872be2f5e65e59480852d)
(sha1sum:ac3c2d612f0b877f10ca607467b6a95b31ed3dd7)
VMDK associated to the OVF 1.0 and OVF 0.9 descriptor
(md5sum:617ec59063d2ba180b19f680fb1b49b1)
(sha1sum:eb1d474cde175a9e042c9613eae31822843394cf)
VMware Studio Plugin for Eclipse in ZIP
(md5sum:9970df718f08f92c053758187c979293)
(sha1sum:2d5a9a8d3d68faa3afd317b148f060a74cbd359a)
 
Vulnerability reported by
Claudio Criscione
