DDIVRT-2013-55 LenovoEMC StorageCenter PX4-300R Unauthorized Remote File Retrieval
Date Discovered: October 10, 2013
Discovery Credit: Evan Sylvester and r@b13$
Vulnerability Description:
The web server for the LenovoEMC StorageCenter PX4-300R allows unauthenticated remote users to retrieve specific files located outside the web root. To exploit this vulnerability, a malicious user would need direct knowledge of the directory structure.
Solution Description:
LenovoEMC has addressed this vulnerability and released an updated version of the firmware for this device. Please refer to the following page for specific instructions on how to obtain and apply the update:
http://download.lenovo.com/lenovoemc/na/en/
Tested Systems / Software (with versions):
LenovoEMC StorageCenter PX4-300R v4.0.4.146
BIOS: px4 fsbfv102
Vendor Contact:
LenovoEMC
https://support.lenovoemc.com
Posted on November 19, 2013