GE Proficy Real-Time Information Portal 'rifsrvd.exe' Directory Traversal Vulnerability

Bugtraq ID:	52439
Class:	Input Validation Error
CVE:	CVE-2012-0232
Remote:	Yes
Local:	No
Published:	Mar 13 2012 12:00AM
Updated:	Aug 22 2012 05:55PM
Credit:	Luigi Auriemma
Vulnerable:	General Electric Proficy Real-Time Information Portal 3.5 General Electric Proficy Real-Time Information Portal 3.0 SP1 General Electric Proficy Real-Time Information Portal 3.0 General Electric Proficy Real-Time Information Portal 2.6
Not Vulnerable:	General Electric Proficy Real-Time Information Portal 2.5

GE Proficy Real-Time Information Portal 'rifsrvd.exe' Directory Traversal Vulnerability

GE Proficy Real-Time Information Portal is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data.

Exploiting the issue may allow an attacker to overwrite arbitrary files on the affected system. This could aid in further attacks.

GE Proficy Real-Time Information Portal versions 3.0 and 2.6 are vulnerable.

GE Proficy Real-Time Information Portal 'rifsrvd.exe' Directory Traversal Vulnerability

Attackers can exploit this issue with a browser.

GE Proficy Real-Time Information Portal 'rifsrvd.exe' Directory Traversal Vulnerability

Solution:
Updates are available. Please see the references for more information.

GE Proficy Real-Time Information Portal 'rifsrvd.exe' Directory Traversal Vulnerability

References:

• Proficy Real-Time Information Portal Homepage (General Electric )
  
• ICSA-12-032-03�??GE INTELLIGENT PLATFORMS PROFICY REAL-TIME INFORMAT ION PORTAL (ICS-CERT)
  
• ZDI-12-148 : GE Proficy Real-Time Information Portal Remote Interface Service Re (HP)