DDIVRT-2011-34 Metropolis Technologies OfficeWatch Directory Traversal
High
August 15, 2011
Digital Defense, Inc. Vulnerability Research Team
Credit: Chris Graham and r@b13$
Metropolis Technologies OfficeWatch enables a web server on TCP port 80 that is susceptible to a directory traversal. An attacker may send a ../ (dot-dot-slash) sequence to traverse out of the web root and access arbitrary files on the host.
Until the vendor releases a patch, restrict access to the web server to authorized hosts only. Access controls can be configured through Windows Firewall.
Metropolis Technologies OfficeWatch for Windows 2000/XP/2003/Vista Version 2011.06.20
Tested on Windows Server 2003 and XP
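
To check whether the traversal described above has been attempted against a host, request logs can be scanned for paths that climb above the web root. The following is an added example, not part of the original advisory or the vendor's code. It assumes requests are recorded in Common Log Format by a proxy or sensor in front of the server, and it goes beyond the plain ../ case by also decoding percent-encoded sequences and treating the backslash as a separator, since the host is Windows. The log lines and the names `escapes_web_root` and `find_traversal_requests` are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format (assumed source: a proxy or
# sensor in front of the server; none of these values come from the advisory).
SAMPLE_LOG = """\
192.0.2.10 - - [15/Aug/2011:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.77 - - [15/Aug/2011:10:00:05 +0000] "GET /../../example.txt HTTP/1.1" 200 88
192.0.2.10 - - [15/Aug/2011:10:00:09 +0000] "GET /images/../logo.png HTTP/1.1" 200 2048
192.0.2.77 - - [15/Aug/2011:10:00:12 +0000] "GET /help/%2e%2e/%2e%2e\\example.txt HTTP/1.1" 404 0
"""

# Captures: client address, request target, response status.
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')


def escapes_web_root(raw_target):
    """Return True if the request path climbs above the web root at any point."""
    path = raw_target.split("?", 1)[0]  # drop the query string
    for _ in range(3):  # undo up to three layers of percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    depth = 0
    # Windows accepts both separators, so split on "/" and "\".
    for segment in re.split(r"[\\/]+", path):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:  # one more ".." than directories entered
                return True
        else:
            depth += 1
    return False


def find_traversal_requests(log_text):
    """Return (client, target, status) for each request that escapes the root."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if match and escapes_web_root(match.group(2)):
            hits.append((match.group(1), match.group(2), int(match.group(3))))
    return hits


if __name__ == "__main__":
    for client, target, status in find_traversal_requests(SAMPLE_LOG):
        print(f"{client} {status} {target}")
```

Flagged requests that returned status 200 are the ones to triage first; a path such as /images/../logo.png is not flagged because it never leaves the root.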