In association with heise online

22 January 2008, 08:47

Bitdefender's Update Server discloses information


Bitdefender includes an Update Server for local networks in its business product range. This server contains a directory traversal vulnerability which allows attackers to view any data stored on the server, warns Oliver Karow in a security advisory.

According to Karow, the http.exe Update Server runs at LocalSystem privilege level. This allows files stored on the server system to be read using these privileges. Karow offers the example command line: echo -e "GET /../../boot.ini HTTP/1.0\r\n\r\n" | nc <server> <port>, which reads boot.ini.

So far, no updates have been made available for BitDefender Security for Fileservers, Enterprise Manager or any other products which incorporate the Update Server. Until Bitdefender releases updated software, administrators are advised to configure their clients to retrieve updates from Bitdefender's servers and disable their local Update Servers.
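As an added example (not from the advisory, from Karow or from Bitdefender), the following Python check can be run over an access log or a capture of the Update Server's HTTP port to spot requests of the kind described above, where the requested path climbs out of the served directory; the request lines it scans are constructed for the example, and the double URL-decoding and backslash handling are assumptions about what a Windows HTTP server would accept, not behaviour documented for http.exe.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines, in the form an access log or a packet
# capture of the update server's HTTP port would show them.
SAMPLE_REQUESTS = [
    "GET /updates/plugins.txt HTTP/1.0",
    "GET /../../boot.ini HTTP/1.0",
    "GET /updates/..%2f..%2fboot.ini HTTP/1.1",
    "GET /updates/..\\..\\windows\\win.ini HTTP/1.0",
    "GET /updates/./current/../plugins.txt HTTP/1.0",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/\d\.\d$")


def escapes_root(target: str) -> bool:
    """True if the request target, once decoded and normalised, would resolve
    above the document root. Decoding is applied twice so a double-encoded
    '..' is also caught (assumption); backslashes are treated as separators
    because the affected server runs on Windows."""
    path = target.split("?", 1)[0]
    path = unquote(unquote(path)).replace("\\", "/")
    depth = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue            # empty and "." segments do not change depth
        if segment == "..":
            depth -= 1
            if depth < 0:       # climbed above the root: traversal
                return True
        else:
            depth += 1
    return False


def flag_traversal(lines):
    """Return the (method, target) pairs of request lines that escape the root.
    Lines that are not well-formed request lines are skipped."""
    flagged = []
    for line in lines:
        match = REQUEST_LINE.match(line.strip())
        if match and escapes_root(match.group("target")):
            flagged.append((match.group("method"), match.group("target")))
    return flagged


if __name__ == "__main__":
    for method, target in flag_traversal(SAMPLE_REQUESTS):
        print(f"traversal attempt: {method} {target}")
```

The sample above flags three of the five constructed lines; the "./current/../plugins.txt" request is correctly left alone because it never climbs above the root.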
