ezStats Multiple Products Information Disclosure Weakness


Description   A weakness has been discovered in multiple ezStats products, which can be exploited by malicious people to disclose certain system information.
The application provides unrestricted access to admin/apitest.php.
For more information, see vulnerability #1 in SA52104.
List of affected products:
* ezStats2 for Playstation Network version 1.10.
* ezStats2 Serverviewer version 0.62.
* ezStats2 for Medal of Honor Warfighter version 1.0.
     
Vulnerable Products   Vulnerable Software:
* ezStats2 for Medal of Honor Warfighter 1.x
* ezStats2 for Playstation Network 1.x
* ezStats2 Serverviewer 0.x
     
Solution   No official solution is currently available.
     
CVE  
     
References   http://se3c.blogspot.dk/2013/02/ezstats2-for-playstation-network-v110.html
http://se3c.blogspot.dk/2013/02/ezstats2-serverviewer-v062-local-file.html
http://se3c.blogspot.dk/2013/02/ezstats2-for-medal-of-honor-warfighter.html
     
Vulnerability Manager Detection   No
     
IPS Protection   ASQ Engine alarm (Available Since):
* Misc : Directory traversal - parameter starting with ../ (3.2.0)
* Directory traversal using ..\.. (3.2.0)
* Directory traversal (3.2.0)
* Directory traversal backward root folder (3.2.0)
     


 
 
 
 
Risk level   Low

Vulnerability First Public Report Date   2013-02-08

Target Type   Server

Possible exploit   Remote