SNMP Web Pro Directory Traversal Vulnerability Allowing Arbitrary File Read

Vulnerability

A directory traversal vulnerability has been identified in SNMP Web Pro version 1.1, specifically within the cgi-bin/upload.cgi script. This vulnerability allows unauthenticated remote attackers to read arbitrary files on the server. The issue arises because the CGI script concatenates user-supplied parameters directly to a base path without proper validation or sanitization, enabling attackers to manipulate the file path and access sensitive files. Additionally, the vulnerability introduces a header injection risk by echoing unsanitized parameters into the Content-Disposition header.
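The concatenation pattern described above next to a hardened form, as an added example that is not SNMP Web Pro's code. The page does not give the script's implementation language or its base directory, so `BASE_DIR` and every function name here are assumptions.

```python
import os
import re

# Assumption: the directory the CGI is meant to serve from (not given on the page).
BASE_DIR = "/var/www/snmp/files"


def naive_path(base: str, param: str) -> str:
    """The pattern the advisory describes: plain concatenation, no validation."""
    return base + "/" + param


def safe_path(base: str, param: str) -> str:
    """Resolve param under base and refuse anything that lands outside it."""
    if "\x00" in param:
        raise ValueError("NUL byte in path parameter")
    base_real = os.path.realpath(base)
    # realpath collapses ".." segments and follows symlinks before the check.
    candidate = os.path.realpath(os.path.join(base_real, param))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("path escapes base directory")
    return candidate


def content_disposition(param: str) -> str:
    """Build the header from the basename only, with an allow-list of characters."""
    name = os.path.basename(param.replace("\\", "/"))
    # Dropping everything outside the allow-list removes CR/LF and quotes,
    # which are what make header injection possible.
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name) or "download"
    return f'Content-Disposition: attachment; filename="{name}"'


if __name__ == "__main__":
    # Constructed inputs: one legitimate name and the traversal string from the advisory.
    for p in ("logs/trap.log", "../../../../etc/passwd"):
        try:
            print(p, "->", safe_path(BASE_DIR, p))
        except ValueError as exc:
            print(p, "-> rejected:", exc)
```

The containment check runs on the fully resolved path, so it also rejects absolute paths and symlinks that point outside the base directory.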

Impact

Exploitation of this vulnerability leads to unauthorized information disclosure, allowing attackers to retrieve any files accessible to the web server's CGI runtime. This could include sensitive system files like /etc/passwd or /etc/shadow, which may contain critical information or credentials that could be used to gain unauthorized access to the system. Such file disclosures could also be leveraged for remote access, privilege escalation, or activating other services, depending on the system's configuration.

Reproduction

To reproduce this vulnerability, send an HTTP GET request to the upload.cgi script in the cgi-bin directory. Include a params argument that contains directory traversal sequences, such as ../../../../etc/passwd. The crafted request will bypass the intended directory restrictions and return the contents of the specified file in the HTTP response.

Added: Dec 9, 2025, 6:35 PM
Updated: Dec 10, 2025, 12:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 3.3
exploitability: 9.1
remediation: 0.0
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.