Bitdefender's Update Server discloses information
Bitdefender includes an Update Server for local networks in its business product range. This server contains a directory traversal vulnerability which lets a remote attacker read arbitrary files from the server's file system, warns Oliver Karow in a security advisory.
According to Karow, the http.exe Update Server runs as LocalSystem, so a traversal request is answered with the rights of that account rather than those of the requesting user, and any file on the host that LocalSystem can read can be retrieved. Karow offers the example command line: echo -e "GET /../../boot.ini HTTP/1.0\r\n\r\n" | nc <server> <port>, in which <server> and <port> are the Update Server's address and listening port (the -e flag makes echo interpret the \r\n escapes; printf does the same job where echo lacks it). The ../ components walk out of the server's document root, and the request returns boot.ini from the root of the system partition.
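The traversal Karow describes comes down to how the server maps a request target onto a file. The Python below is an added example and not BitDefender's code (the server is closed source and the advisory says nothing about its internals); it sends nothing over the network. It parses the advisory's raw request line, shows a naive root-plus-path join resolving it to the boot.ini on the system drive, and shows a canonicalise-then-check mapping that rejects it. The document root, the request bytes and the file names are constructed for illustration; ntpath is used so that the Windows path rules of the target host apply wherever the script is run.

```python
"""Added example (not BitDefender's code): how a raw "GET /../../boot.ini"
escapes a naive document-root join, and the canonicalise-then-contain check
that stops it.  ntpath reproduces Windows path semantics on any platform.
The document root and the request below are constructed for illustration."""
import ntpath
from urllib.parse import unquote

# Hypothetical document root of the update server on the Windows host.
DOC_ROOT = r"C:\BitDefender\www"

# The advisory's request, as the bytes that `echo -e ... | nc` puts on the wire.
RAW_REQUEST = b"GET /../../boot.ini HTTP/1.0\r\n\r\n"


def parse_request_line(raw: bytes):
    """Return (method, target, version) from a raw HTTP request."""
    request_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    method, target, version = request_line.split(" ")
    return method, target, version


def naive_map(doc_root: str, target: str) -> str:
    """The bug pattern: strip the leading '/', glue the target onto the
    document root and let the file API resolve the '..' components."""
    rel = unquote(target).lstrip("/").replace("/", "\\")
    return ntpath.normpath(ntpath.join(doc_root, rel))


def safe_map(doc_root: str, target: str):
    """Hardened mapping: decode, canonicalise with the host's path rules,
    then refuse anything whose canonical form is not under doc_root.
    Returns the on-disk path, or None when the request must be rejected."""
    decoded = unquote(target)
    # A NUL byte would truncate the path inside the native file API.
    if "\x00" in decoded:
        return None
    rel = decoded.lstrip("/").replace("/", "\\")
    root = ntpath.normpath(doc_root)
    full = ntpath.normpath(ntpath.join(root, rel))
    # Containment is checked on the canonical path, not on the raw string,
    # so "..", "%2e%2e", backslash and drive-letter variants are all caught
    # by the same comparison.
    try:
        if ntpath.commonpath([root, full]) != root:
            return None
    except ValueError:  # different drive or UNC share
        return None
    return full


if __name__ == "__main__":
    _, target, _ = parse_request_line(RAW_REQUEST)
    print("naive:", naive_map(DOC_ROOT, target))  # C:\boot.ini
    print("safe :", safe_map(DOC_ROOT, target))   # None
    for t in ("/%2e%2e/%2e%2e/boot.ini", "/..\\..\\boot.ini",
              "/D:/secret.txt", "/updates/cumulative.txt"):
        print(f"{t:26} -> {safe_map(DOC_ROOT, t)}")
```

The check compares canonical paths rather than searching the request for the literal string "..", which is why percent-encoded dots, backslash separators and an absolute drive path in the target are all rejected by the same line; a blacklist on the raw target would have to enumerate every encoding separately.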
So far, no updates have been made available for BitDefender Security for Fileservers, Enterprise Manager or any other product that incorporates the Update Server. Until Bitdefender releases a fix, administrators are advised to point their clients at Bitdefender's own update servers and to disable the local Update Server.
- BitDefender Update Server - Unauthorized Remote File Access Vulnerability, Oliver Karow's security advisory on Full Disclosure