Wednesday, April 25, 2012

Sybase EAServer 6.3.1 Directory Traversal Vulnerability

Sybase EAServer is the leading solution for distributed and Web-enabled PowerBuilder applications. EA Server can be used to run multiple websites, portals or Web applications. It allows access from Web browsers and provides a development platform for enterprise Web services.

Sow Ching Shiong, an independent vulnerability researcher has identified a Directory Traversal vulnerability in Sybase EAServer. This issue was discovered in a default installation of Sybase EAServer 6.3.1 Developer Edition running on Windows 2003 Server. Other earlier versions may also be affected.

Proof of concept

Sybase has released patches which address this issue. Please see the references for more information.

Vendor URL:

Disclosure Timeline
2011-01-25 - Vulnerability discovered.
2011-01-25 - Vulnerability reported to iDefense.
2011-03-29 - iDefense confirmed the vulnerability and contacted the vendor.
2011-05-23 - Patch released.
2011-05-25 - Advisory published by iDefense.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.