Multiple vulnerabilities have been identified in MegaBrowser allowing malicious people to conduct directory traversal and enumerate valid user accounts.
One problem is that the HTTP service does not correctly handle requests containing "../" sequences, which allows trivial directory traversal.
The other problem is that the FTP service returns different answers when invalid usernames are supplied compared to valid usernames.
This has been reported for version 0.71b.
Solution: There is no immediate solution. Use a different web server or implement a firewall or proxy with URL filtering capabilities to filter malicious requests. Make sure that all inactive user accounts are disabled and that active accounts use strong passwords.
Provided and/or discovered by: JeiAr of GulfTech Computer
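One way to express the URL filtering recommended in the Solution, as an added example that is not part of the original advisory and not code from MegaBrowser or Secunia: a check a filtering proxy could apply to each request target before forwarding it. The function names, the decode bound and the sample request targets are assumptions constructed for illustration.

```python
from urllib.parse import unquote, urlsplit

MAX_DECODE_ROUNDS = 3  # assumption: how many percent-decoding passes to try

# Constructed sample request targets (not taken from the advisory).
SAMPLE_TARGETS = [
    "/index.html",
    "/docs/v1..2/notes.txt",
    "/../../secret.txt",
    "/%2e%2e/%2e%2e/secret.txt",
    "/%252e%252e%252fsecret.txt",
    "/..\\..\\secret.txt",
]


def is_traversal(request_target: str) -> bool:
    """Return True when the filter should reject the request target."""
    try:
        path = urlsplit(request_target).path
    except ValueError:
        return True  # unparseable target: fail closed
    # Unwrap nested percent-encoding so %2e%2e%2f and %252e%252e%252f
    # are judged in their decoded form.
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return True  # changed on every pass: too deeply encoded, fail closed
    if "\x00" in path:
        return True  # NUL bytes have no place in a file path
    # Treat backslash as a separator too, as Windows file APIs do.
    segments = path.replace("\\", "/").split("/")
    # Reject any ".." path segment; names that merely contain dots pass.
    return ".." in segments


def blocked(targets):
    """Return the subset of targets the filter rejects, in order."""
    return [t for t in targets if is_traversal(t)]


if __name__ == "__main__":
    for target in SAMPLE_TARGETS:
        print("BLOCK" if is_traversal(target) else "allow", target)
```

The check rejects every ".." segment rather than trying to work out whether the path stays inside the document root, because the filter cannot know how the server behind it resolves such segments.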