


Category:   Application (Generic)  >   NetSupport Manager
Vendors:   NetSupport (Productive Computer Insight)
PCI NetSupport Manager Directory Traversal Flaw Lets Remote Users View Files Located Anywhere on the Managed Host
SecurityTracker Alert ID:  1003887
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 22 2002
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to 7
Description:   A vulnerability was reported in PCI's NetSupport Manager remote control software for Windows. A remote user can view files located anywhere on the system.

It is reported that a remote user can view and download files from hosts running NetSupport Manager when the web extensions are configured.

Some demonstration exploit URLs are provided:



Impact:   A remote user can view files located anywhere on the system.
Solution:   It is reported that the vendor has corrected the problem (and that version 7 may include the correction).
Vendor URL:
Cause:   Access control error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  Webtraversal in PCI Netsupport Manager (all versions up to 7 using

It is possible to view and download files on machines 
running PCI Netsupport Manager (all versions up to 7) 
that have the web extensions switched on (default 
port 80). This has only been tested on Windows NT 4 
(Server and Workstation) and Windows 2000 (Pro, 
Server and Advanced Server).
Example: on a standard version 5.5 install (location 
c:\nsm) the URL to view the boot.ini file in the root 
would be:

version 6 +:

I have received confirmation from PCI that this bug is 
fixed in version 7 onwards.


