Executive Summary
Summary | |
---|---|
Title | GE Fanuc Proficy Information Portal allows arbitrary file upload and execution |
Information | |||
---|---|---|---|
Name | VU#339345 | First vendor Publication | 2008-01-25 |
Vendor | VU-CERT | Last vendor Modification | 2008-01-31 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Vulnerability Note VU#339345
GE Fanuc Proficy Information Portal allows arbitrary file upload and execution

Overview
GE Fanuc Proficy Information Portal allows authenticated users to upload arbitrary files. An attacker could upload an executable server-side script (e.g., an .asp shell on a Microsoft Internet Information Server platform) and execute arbitrary commands with the privileges of the web server.

I. Description
GE Fanuc Proficy Information Portal is a web-based systems reporting tool often used to consolidate and integrate online and process-based systems data between Supervisory Control And Data Acquisition (SCADA) systems and the corporate network. Proficy Information Portal supports an "Add WebSource" feature that allows authenticated users to upload arbitrary files to the server. An uploaded file can subsequently be executed by requesting it with a web browser.

This vulnerability affects GE Fanuc Proficy Information Portal up to and including version 2.6. This vulnerability will be addressed with a Software Improvement Module (SIM) for PROFICY 2.6. For more information about the availability of this SIM, Proficy customers should refer to GE Fanuc knowledge base article KB12460.
References
This vulnerability was reported by Eyal Udassin of C4 Security. This document was written by Chris Taschner.
Original Source
Url : http://www.kb.cert.org/vuls/id/339345 |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
41333 | GE Fanuc Proficy Real-Time Information Portal Unrestricted File Upload Arbitr... |
Snort® IPS/IDS
Date | Description |
---|---|
2017-08-03 | GE Fanuc Real Time Information Portal arbitrary file write attempt RuleID : 43436 - Revision : 2 - Type : SERVER-WEBAPP |