MBLogic HMIServer Directory Traversal vulnerability

The HMIServer component of MBLogic is vulnerable to directory traversal.

Software

Software Link: http://mblogic.sourceforge.net/

Vulnerable Versions: 2011-04-16

Vendor Notification:

# 2012-11-17 # Bug# 3588152

# 2012-12-17 # no reply - advisory released

# 0x01 # Directory Traversal # Unauthenticated

The 'GetWebPage()' function in the './hmiserver/MBWebPage.py' file does not properly sanitize the user-supplied file path before passing it to 'open()', so a path containing directory traversal sequences can reach files outside the intended web root.
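To illustrate the flaw class and its fix, the following is an added example that is not MBLogic's code: a hypothetical unchecked page loader next to a hardened one that resolves the requested path and refuses anything outside the web root. The web root, its files and the function names are constructed for the demonstration.

```python
import os
import tempfile

# Constructed sandbox (not MBLogic's own files): a temporary web root with one
# page, plus a file outside it that a web client must never be able to read.
_TMP = tempfile.mkdtemp()
WEB_ROOT = os.path.join(_TMP, "hmipages")
os.makedirs(WEB_ROOT)
with open(os.path.join(WEB_ROOT, "index.html"), "w") as f:
    f.write("<html>HMI page</html>")
with open(os.path.join(_TMP, "secret.txt"), "w") as f:
    f.write("outside the web root")


def naive_get_web_page(user_path):
    """Hypothetical illustration of the flaw class (not the project's code):
    the client-supplied path is joined to the web root and opened with no
    containment check, so a '..' component can resolve outside WEB_ROOT."""
    with open(os.path.join(WEB_ROOT, user_path), "rb") as f:
        return f.read()


def resolve_in_root(user_path):
    """Resolve a client-supplied path and return the absolute target only if
    it stays inside WEB_ROOT; return None otherwise."""
    root = os.path.realpath(WEB_ROOT)
    # Strip leading separators so os.path.join cannot be overridden by an
    # absolute path, then resolve symlinks and '..' before checking.
    target = os.path.realpath(os.path.join(root, user_path.lstrip("/\\")))
    # commonpath rejects '..' escapes and sibling-prefix tricks alike
    # (e.g. a directory named 'hmipages2' next to 'hmipages').
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def safe_get_web_page(user_path):
    """Hardened form: serve the file only when it is confined to the web
    root, otherwise refuse the request by returning None."""
    target = resolve_in_root(user_path)
    if target is None:
        return None
    with open(target, "rb") as f:
        return f.read()
```

The containment check runs on the fully resolved path, so symlinks and normalised '..' components are handled before the comparison rather than by string matching on the raw input.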

The function code is as follows:

The following proof of concept is available:

Reference

# OWASP: Path Traversal
