#######################################################################
Luigi Auriemma
Application: Acronis True Image Windows Agent
http://www.acronis.com/enterprise/products/ATIES/windows-agent.html
Versions: <= 1.0.0.54
(included in Acronis True Image Enterprise Server
9.5.0.8072 and the other True Image packages)
Platforms: Windows
#######################################################################
Luigi Auriemma
Application: Acronis True Image Group Server
http://www.acronis.com/enterprise/products/ATIES/group-server.html
Versions: <= 1.5.19.191
(included in Acronis True Image Enterprise Server
9.5.0.8072 and the other True Image packages)
Platforms: Windows
#######################################################################
Luigi Auriemma
Application: Acronis PXE Server
http://www.acronis.com/enterprise/products/snapdeploy/
Versions: <= 2.0.0.1076
Platforms: Windows
Bugs: A] directory traversal
B] NULL pointer
#######################################################################
In itself, this is not a big issue as one would have to guess any given filename. However, EFSWS always uses the common file name "FILES.SDB" to store all the files being published. This file is stored in the root program directory. While the EFSWS product engine filters out many file types, it does NOT filter out FILES.SDB. If you know someone is running EFSWS, one simply has to access the following URL to anonymously download the FILES.SDB file without authentication:
https://www.SiteRunningEFSWS.com/files.sdb
This will download the FILES.SDB file and will allow an attacker to see every published file via the free viewer record by record. (You can of course view the db as a text file). Entries look like this:
"V:\rootDirForFiles\applications\Acronis Disk Director Suite 10.2160\ioware-w32-x86-30.exe"
"D:\anotherdir\music\crystalmethod\boom.mp3"
One can now access files directly by removing the drive letter and top directory as follows:
https://www.SiteRunningEFSWS.com/music/crystalmethod/boom.mp3
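The practical exposure described above is that the published-file catalog, FILES.SDB, is fetched without authentication and then used to request the listed files one by one. The following is an added example for the defending side, not code from the advisory or from the EFSWS product: a small detector that scans web-server access log lines for downloads of the catalog file (including mixed-case and percent-encoded spellings) and then reports which of those clients went on to successfully fetch other files afterwards. The log lines are constructed sample input in common log format; the hostnames, addresses and timestamps are assumptions for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access log in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2007:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.7 - - [10/Oct/2007:13:55:40 +0000] "GET /files.sdb HTTP/1.1" 200 90112
198.51.100.9 - - [10/Oct/2007:14:01:02 +0000] "GET /FILES.SDB HTTP/1.1" 200 90112
198.51.100.9 - - [10/Oct/2007:14:01:09 +0000] "GET /music/crystalmethod/boom.mp3 HTTP/1.1" 200 5120000
192.0.2.44 - - [10/Oct/2007:14:05:00 +0000] "GET /files%2Esdb HTTP/1.1" 200 90112
192.0.2.44 - - [10/Oct/2007:14:06:00 +0000] "GET /docs/readme.txt HTTP/1.1" 404 512
"""

# Common log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

CATALOG_NAME = "/files.sdb"  # the fixed file name EFSWS uses for its catalog


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = int(entry["size"])
    return entry


def normalize_path(path):
    """Canonicalise a request path so trivial evasions still match:
    drop the query string, percent-decode twice (handles double encoding),
    collapse repeated slashes and lower-case the result."""
    p = path.split("?", 1)[0]
    p = unquote(unquote(p))
    p = re.sub(r"/+", "/", p)
    return p.lower()


def is_catalog_request(entry):
    """True when the request targets the FILES.SDB catalog in any directory."""
    return normalize_path(entry["path"]).endswith(CATALOG_NAME)


def find_catalog_downloads(log_text):
    """Return (ip, raw_path, status) for every GET of the catalog file,
    whether or not the server actually served it (non-200 attempts are
    still worth alerting on)."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["method"].upper() == "GET" and is_catalog_request(e):
            hits.append((e["ip"], e["path"], e["status"]))
    return hits


def ips_with_followup(log_text):
    """Return the set of client IPs that successfully fetched the catalog and
    then successfully fetched some other file later in the log. These are the
    clients most likely to be walking the published-file list."""
    seen_catalog = set()
    suspicious = set()
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or e["method"].upper() != "GET" or e["status"] != 200:
            continue
        if is_catalog_request(e):
            seen_catalog.add(e["ip"])
        elif e["ip"] in seen_catalog:
            suspicious.add(e["ip"])
    return suspicious


if __name__ == "__main__":
    for ip, path, status in find_catalog_downloads(SAMPLE_LOG):
        print(f"catalog request from {ip}: {path} (status {status})")
    print("clients fetching files after the catalog:", sorted(ips_with_followup(SAMPLE_LOG)))
```

Because the catalog name is fixed, a request for it is a high-signal indicator on any host running the product; the follow-up check separates a curious one-off fetch from a client that is actually using the list. The same normalisation step is what a deny rule on the web server should apply before matching the file name, otherwise case and percent-encoding variants slip past it.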