Research

NetSaro Enterprise Messenger Server - Source Code Disclosure

Title: NetSaro Enterprise Messenger Server Administration Console Null Byte Request Source Code Disclosure

Solutionary ID: SERT-VDN-1012

CVE ID: CVE-2011-3694

Product: NetSaro Enterprise Messenger Server

Application Vendor: SEM Software

Vendor URL: http://www.netsaro.com

Date discovered: 7/6/2011

Discovered by: Rob Kraus and the Solutionary Engineering Research Team (SERT)

Vendor notification date: 7/7/2011

Vendor response date: No Response

Vendor acknowledgment date: No Response

Public disclosure date: 8/22/2011

Type of vulnerability: Source Code Disclosure

Exploit Vectors: Local and Remote

Vulnerability Description: A vulnerability exists in the NetSaro Enterprise Messenger Server Administration Console allowing a remote attacker to obtain unauthenticated access to the applications source code. Attackers may make HTTP GET requests and append a Null Byte (%00) to allow download of the source code for the applications web pages. An attacker does not need to authenticate to obtain access to source code for pages that usually require authentication prior to viewing. More information about this class of vulnerability can be obtained by visiting: http://cwe.mitre.org/data/definitions/158.html - Improper Neutralization of Null Byte of NUL Character – CWE 158

Tested on: Windows XP, SP3, with NetSaro Enterprise Messenger Server v2.0 default installation.

Affected software versions: NetSaro Enterprise Messenger Server v2.0 (previous versions may also be vulnerable)

Impact: Attackers may be able to obtain access to the source code for the application and use information found to conduct further attacks against the application.

Fixed in: None Available

Remediation guidelines: Limit access to the application and apply security patches as they become available.

Risk Level: 5

(CVSS version 2)

Low Risk