Solutionary ID: SERT-VDN-1012
Risk Rating: Medium
CVE ID: CVE-2011-3694
Product: NetSaro Enterprise Messenger Server
Application Vendor: SEM Software
Vendor URL: http://www.netsaro.com
Discovered by: Rob Kraus and the Solutionary Security Engineering Research Team (SERT)
Vendor notification date: 07/07/2011
Vendor response date: No Response
Vendor acknowledgment date: No Response
Public disclosure date: 08/22/2011
Type of vulnerability: Source Code Disclosure
Exploit Vectors: Local and Remote
Vulnerability Description: A vulnerability exists in the NetSaro Enterprise Messenger Server Administration Console allowing a remote attacker to obtain unauthenticated access to the application's source code. Attackers may make HTTP GET requests and append a Null Byte (%00) to allow download of the source code for the application's Web pages. An attacker does not need to authenticate to obtain access to source code for pages that usually require authentication prior to viewing. More information about this class of vulnerability can be obtained by visiting: http://cwe.mitre.org/data/definitions/158.html - Improper Neutralization of Null Byte of NUL Character – CWE 158
Tested on: Windows XP, SP3, with NetSaro Enterprise Messenger Server v2.0 default installation.
Affected software versions: NetSaro Enterprise Messenger Server v2.0 (previous versions may also be vulnerable)
Impact: Attackers may be able to obtain access to the source code for the application and use information found to conduct further attacks against the application.
Fixed in: None.
Remediation guidelines: Limit access to the application and apply security patches as they become available.