Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Generic)  >   Portfolio NetPublish Vendors:   Extensis
Portfolio NetPublish Input Validation Hole Lets Remote Users Traverse the Directory
SecurityTracker Alert ID:  1015393
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 21 2005
Impact:   Disclosure of system information, Disclosure of user information
Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 7
Description:   A vulnerability was reported in Portfolio NetPublish. A remote user can view files on the target system.

The '' script does not properly validate user-supplied input in the 'template' parameter. A remote user can supply a specially crafted parameter value containing '../' directory traversal characters to view files on the target system that are located outside of the web document directory.

A demonstration exploit URL is provided:


The vendor was notified on October 11, 2005.

Andy Davis and Mazin Faour of Information Risk Management researched this vulnerability.

The original advisory is available at:

Impact:   A remote user can view files on the target system with the privileges of the target web service.
Solution:   No solution was available at the time of this entry.

The vendor has provided a workaround, described at:

Vendor URL: (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), Windows (2000), Windows (2003), Windows (XP)

Message History:   None.

 Source Message Contents

Subject:  IRM 012: Portfolio Netpublish Server 7 is vulnerable to a Directory

IRM Security Advisory No. 012

Portfolio Netpublish Server 7 is vulnerable to a Directory Traversal

Vulnerablity Type / Importance: Information Leakage / High

Problem discovered: October 11th 2005
Vendor contacted: October 11th 2005
Advisory published: December 19th 2005


NetPublish Server from Extensis is a database-driven file cataloging
which is accssible via a web interface. The service is vulnerable to a 
directory traversal attack, which allows access to files outside the 
web root directory.


During a recent pentration test IRM identified a security issue associated
the Portfolio Netpublish Server 7 product. Arbitrary files could be
retrieved from 
the server by using a 'directory traversal' attack within the URL, as shown 
below (information relating to our client has been obscured):

As a result of supplying the above URL the contents of the file 'boot.ini'
are displayed in the web browser. Furthermore, by default the server runs 
with the privilege level of the local SYSTEM account (on Windows) and could 
therefore be used to retrieve the contents of any file on the server. The
is reduced if the product is run on Unix, as the privilege level used is
of the 'nobody' account.

Tested Versions:

Netpublish Server 7 

Tested Operating Systems:

Microsoft Windows 2000

Vendor & Patch Information:

Extensis were contacted on October 11th 2005 and although they have not
a patch to prevent the directory traversal they have released a
article on their web site, which attempts to mitigate the issue. The article
linked below.



Research & Advisory: Andy Davis and Mazin Faour


All information in this advisory is provided on an 'as is'
basis in the hope that it will be useful. Information Risk Management
Plc is not responsible for any risks or occurrences caused
by the application of this information.

A copy of this advisory may be found at:


Information Risk Management Plc.
Kings Building,
Smith Square, London,
United Kingdom 
+44 (0)207 808 6420


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC