[VIM] vendor dispute for CAN-2005-1244 (NetIQ iSeries directory traversal)

Steven M. Christey coley at mitre.org
Fri Oct 14 13:48:21 EDT 2005


CVE received an email from NetIQ disputing the following issue.  The
dispute was apparently confirmed by another VDB.  In the original
report, the researcher claims that NetIQ did not respond to his
inquiries, which probably contributed to the likely-incorrect report.

- Steve


======================================================
Candidate: CAN-2005-1244
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1244
Reference: BUGTRAQ:20050420 Canonicalization and directory traversal in iSeries FTP security products
Reference: URL:http://www.securityfocus.com/archive/1/396628
Reference: MISC:http://www.venera.com/downloads/Canonicalization_problems_in_iSeries_FTP_security.pdf

** DISPUTED **

Directory traversal vulnerability in the third party tool from NetIQ,
as used to secure the iSeries AS/400 FTP server, allows remote
attackers to access arbitrary files, including those from qsys.lib,
via ".." sequences in a GET request.  NOTE: the vendor has disputed
this issue, saying that "neither NetIQ Security Manager nor our
iSeries Security Solutions are vulnerable."


More information about the VIM mailing list