VMware experiences zero-day directory traversal vulnerability

on Jan 3, 13 • by Chris Bubinas

A zero-day vulnerability in VMware's View desktop virtualization software allowed an unauthenticated remote hacker to access directories in the root file system of the View Connection Server and View Security Server. The flaw, which VMware described as a "critical directory traversal vulnerability," was recently patched after being disclosed in September, according to the company.

"A remote unauthenticated attacker can use this weakness to retrieve arbitrary files from the affected server's underlying root file system," researchers wrote on the DDI Labs blog, assigning the flaw a "high" severity rating. "This can be accomplished by submitting URL encoded HTTP GET requests that traverse out of the affected subdirectory."

CRN noted that Danish research firm Secunia and the National Vulnerability Database both gave the exploit middling threat ratings, judging it a 3 out of 5 and a 5.0 out of 10, respectively. The National Vulnerability Database highlighted the exploit's low access complexity and the lack of need for authentication.

Developers can reduce the danger of a directory traversal vulnerability by building security measures such as input validation into their code. By using tools such as source code analysis, programmers can identify points in software that lack such controls and implement them in advance of release.
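
The input validation recommended above, as an added example (not code from VMware, DDI Labs or the original article): a Python check that decodes a URL-encoded request path, canonicalizes it and refuses anything that resolves outside the served directory. The function name, the exception class and the sample request paths are assumptions made for illustration.

```python
import os
import tempfile
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a requested path resolves outside the served directory."""


def resolve_request_path(base_dir: str, raw_url_path: str) -> str:
    """Map the path of an HTTP GET request onto a file under base_dir.

    The check runs on the decoded, canonical path, so an encoded sequence
    is judged by what it resolves to, not by how it was spelled.
    """
    decoded = unquote(raw_url_path)
    # Anything still percent-encoded after one decode is double encoding;
    # NUL bytes are treated as a string terminator by some file APIs.
    # (Conservative: this also refuses file names containing a literal "%".)
    if "%" in decoded or "\x00" in decoded:
        raise TraversalError("rejected encoding in path")
    # Treat backslashes as separators so the check also holds on Windows.
    relative = decoded.replace("\\", "/").lstrip("/")
    base = os.path.realpath(base_dir)
    # realpath collapses ".." segments and follows symlinks before comparing.
    target = os.path.realpath(os.path.join(base, relative))
    if os.path.commonpath([base, target]) != base:
        raise TraversalError("path escapes served directory")
    return target


if __name__ == "__main__":
    # Constructed sample request paths, not taken from any real traffic.
    samples = [
        "/docs/readme.txt",
        "/docs/%2e%2e/%2e%2e/etc/passwd",
        "/%252e%252e%252fetc/passwd",
    ]
    with tempfile.TemporaryDirectory() as served:
        for path in samples:
            try:
                print("ALLOW", path, "->", resolve_request_path(served, path))
            except TraversalError as err:
                print("DENY ", path, "->", err)
```

Comparing canonical paths with `os.path.commonpath` avoids the prefix-matching mistake where a sibling directory such as `/srv/files-private` passes a `startswith("/srv/files")` test.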

Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.
