Trustwave's SpiderLabs Security Advisory TWSL2011-005:
Directory Traversal in Trustwave WebDefend Enterprise

Published: 2011-06-17
Version: 1.0

Vendor: Trustwave (www.trustwave.com)
Product: Trustwave WebDefend Enterprise
Version affected: Versions prior to 5.0 Patch 2 (7.01.907-4.4)

Product description:
Trustwave's WebDefend(R) Web application firewall appliance provides Web applications with real-time, continuous security against attacks and data loss, ensures they operate as intended, and helps them comply with industry regulations such as the Payment Card Industry Data Security Standard (PCI DSS).

Credit: Andrew Wilson of Trustwave's SpiderLabs

Finding: Privilege escalation in administrative console

WebDefend uses a thick client to communicate with the application server. The server-side 'download file' function acts on the file path the client sends. A user with administrative access to the local system on which the client software runs can therefore modify the 'download file' calls the client issues and retrieve arbitrary files from the management server. Those files may contain sensitive data that is above the privilege level of the user's WebDefend account.

Remediation Steps:
Customers should upgrade to version 5.0 Patch 2 (7.01.907-4.4) in order to remediate this issue.

Communication Timeline:
6/17/11 - Advisory released

About Trustwave's SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind.
Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
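The finding above is a server-side trust problem: the 'download file' operation uses a client-supplied path without confining it to the intended directory or checking the caller's server-side authorization. The following is an added illustration written for this page, not WebDefend's code and not based on its file layout. It builds a constructed sample file store in a temporary directory, shows the vulnerable pattern (path used as-is) beside a hardened handler that canonicalizes the path, enforces containment in the download root, and checks a hypothetical role-to-directory ACL (ROLE_DIRS) on the server. The store layout, the roles and the ACL are all assumptions made for the example.

```python
import tempfile
from pathlib import Path

# Constructed sample store (an assumption for this example, not the product's
# real layout): BASE holds a file outside the download root, STORE is the
# directory the server is meant to serve files from.
def build_sample_store():
    base = Path(tempfile.mkdtemp(prefix="advisory_demo_"))
    (base / "secret.txt").write_bytes(b"outside-the-store\n")
    store = base / "store"
    (store / "reports").mkdir(parents=True)
    (store / "reports" / "weekly.csv").write_bytes(b"policy,hits\nsqli,12\n")
    (store / "config").mkdir()
    (store / "config" / "admin.cfg").write_bytes(b"db_password=example\n")
    return base, store

BASE, STORE = build_sample_store()

# Hypothetical role-to-directory ACL; the point is that it lives on the server
# and is keyed on the authenticated caller, not on anything the client claims.
ROLE_DIRS = {
    "operator": ("reports",),
    "admin": ("reports", "config"),
}

class DownloadDenied(Exception):
    pass

def download_file_vulnerable(root, requested):
    """The pattern the advisory describes: the path arrives from the thick
    client and is used as-is, with no containment check and no authorization.
    A tampered call with '../' or an absolute path reads any server file."""
    return (root / requested).read_bytes()

def download_file_hardened(root, role, requested):
    """Same operation with the two checks the vulnerable version lacks."""
    root = root.resolve()
    # Canonicalize so '..' segments, absolute paths and symlinks are compared
    # on the real filesystem location rather than on the request string.
    target = (root / requested).resolve()
    try:
        rel = target.relative_to(root)
    except ValueError:
        raise DownloadDenied(f"path escapes download root: {requested!r}")
    # Authorize against the caller's server-side role. An attacker who owns the
    # client machine can forge the request, but not this lookup.
    if not rel.parts or rel.parts[0] not in ROLE_DIRS.get(role, ()):
        raise DownloadDenied(f"role {role!r} may not read {rel.as_posix()!r}")
    if not target.is_file():
        raise DownloadDenied(f"not a regular file: {rel.as_posix()!r}")
    return target.read_bytes()

def is_denied(root, role, requested):
    """True if the hardened handler refuses the request."""
    try:
        download_file_hardened(root, role, requested)
    except DownloadDenied:
        return True
    return False

if __name__ == "__main__":
    # A tampered 'download file' call from an operator-level client: the
    # vulnerable handler returns the file outside the root, the hardened
    # handler refuses it, and the same holds for an absolute path.
    print(download_file_vulnerable(STORE, "../secret.txt"))
    print(is_denied(STORE, "operator", "../secret.txt"))
    print(is_denied(STORE, "operator", str(BASE / "secret.txt")))
    print(is_denied(STORE, "operator", "config/admin.cfg"))
```

The containment check compares resolved paths rather than rejecting the literal string "..", so encoded or symlinked variants that normalize to a location outside the root are caught as well; the role check is what stops a low-privilege account from fetching files that are inside the root but above its privilege level.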