This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: Directory Traversal in `data/config/image.do`. π **Consequences**: Attackers read **arbitrary files** via `..` in `realName` param. Critical data exposure!
Q2Root Cause? (CWE/Flaw)
π‘οΈ **CWE**: Not specified in data. π **Flaw**: Poor input validation on `realName` parameter. Allows path traversal characters (`..`) to escape intended directory.
Q3Who is affected? (Versions/Components)
π’ **Vendor**: Netgear (NetGear). π¦ **Product**: Management System NMS300. π **Version**: 1.5.0.11 **and earlier**. β οΈ Check your version!
Q4What can hackers do? (Privileges/Data)
π» **Privileges**: Remote unauthenticated access. π **Data**: Read **any file** on the server. No admin rights needed to start the attack. π΅οΈββοΈ
Q5Is exploitation threshold high? (Auth/Config)
π **Auth**: **Low/None**. Remote attackers can exploit without login. π **Config**: Direct HTTP request to `image.do`. Easy to trigger. π
Q6Is there a public Exp? (PoC/Wild Exploitation)
π **Exploits**: Yes! Multiple PoCs exist. π Links: Exploit-DB #39412, PacketStorm, Rapid7 module. π **Wild Exploitation**: High risk due to public availability.
Q7How to self-check? (Features/Scanning)
π **Check**: Scan for `data/config/image.do` endpoint. π§ͺ **Test**: Send request with `realName=../../etc/passwd`. π **Tool**: Use Nmap scripts or Burp Suite for manual verification.
Q8Is it fixed officially? (Patch/Mitigation)
π οΈ **Patch**: Update to version **> 1.5.0.11**. π’ **Official**: Netgear released fixes. Check vendor site for latest firmware. π
Q9What if no patch? (Workaround)
π§ **Workaround**: Block external access to `image.do` via firewall. π« **Mitigation**: Restrict network exposure of NMS300. π No official patch mentioned for older versions.
Q10Is it urgent? (Priority Suggestion)
π₯ **Priority**: **HIGH**. π **Published**: Feb 2016. π **CVSS**: Not listed, but remote file read is severe. β‘ **Action**: Patch immediately or isolate system. π¨