CVE-2017-9097 Information

Description

In Anti-Web through 3.8.7, as used on NetBiter FGW200 devices through 3.21.2, WS100 devices through 3.30.5, EC150 devices through 1.40.0, WS200 devices through 3.30.4, EC250 devices through 1.40.0, and other products, an LFI vulnerability allows a remote attacker to read or modify files through a path traversal technique, as demonstrated by reading the password file or using the template parameter to cgi-bin/write.cgi to write to an arbitrary file.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Reference

http://misteralfa-hack.blogspot.cl/2017/05/apps-industrial-ot-over-server-anti-web.html

https://github.com/ezelf/industrial_Tools/tree/master/scadas_server_antiweb/LFI

https://www.netbiter.com/docs/default-source/netbiter-english/software/hms-security-advisory-2017-05-24-001-ws100-ws200-ec150-ec250.zip

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

9.1

Base Severity

CRITICAL
