CVE-2008-2439 – TrendMicro OfficeScanNT Listener Traversal Arbitrary File Access

https://notcve.org/view.php?id=CVE-2008-2439

Directory traversal vulnerability in the UpdateAgent function in TmListen.exe in the OfficeScanNT Listener service in the client in Trend Micro OfficeScan 7.3 Patch 4 build 1367 and other builds before 1372, OfficeScan 8.0 SP1 before build 1222, OfficeScan 8.0 SP1 Patch 1 before build 3087, and Worry-Free Business Security 5.0 before build 1220 allows remote attackers to read arbitrary files via directory traversal sequences in an HTTP request. NOTE: some of these details are obtained from third party information. Vulnerabilidad de salto de directorio en la función UpdateAgent en TmListen.exe en el servicio OfficeScanNT Listener del cliente de Trend Micro OfficeScan v7.3 Patch 4 build v1367 y otros builds versiones anteriores a v1372, OfficeScan 8.0 SP1 versiones anteriores a build v1222, OfficeScan 8.0 SP1 Patch 1 versiones anteriores a build 3087, y Worry-Free Business Security 5.0 versiones anteriores a build v1220 permite a atacantes remotos leer ficheros de su elección a través de secuencias de salto de directorio en una petición HTTP. NOTA: algunos de estos detalles han sido obtenidos a partir de la información de terceros. • http://secunia.com/advisories/31343 http://secunia.com/advisories/32097 http://secunia.com/secunia_research/2008-39 http://www.securityfocus.com/archive/1/496970/100/0/threaded http://www.securityfocus.com/bid/31531 http://www.securitytracker.com/id?1020975 http://www.trendmicro.com/ftp/documentation/readme/OSCE8.0_SP1_Patch1_CriticalPatch_3087_Readme.txt http://www.trendmicro.com/ftp/documentation/readme/OSCE_7.3_Win_EN_CriticalPatch_B1372_Readme.txt http://www.trendmicro.com/ftp/ • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •