extent technologies rbs isp 2.5 - Directory Traversal

Author: anon
type: remote
platform: multiple
port: 8002.0
date_added: 2000-09-21 
date_updated: 2012-08-04 
verified: 1 
codes: CVE-2000-1036;OSVDB-420 
tags: 
aliases:  
screenshot_url:  
application_url: 

source: https://www.securityfocus.com/bid/1704/info

A remote user is capable of gaining read access to any file residing in the same directory of a host running Extent RBS ISP through directory traversal. Appending '../' to the 'image' variable request on port 8002 will enable a user to read any available file includeing credit card details, username, password etc.

For example:

http://target:8002/Newuser?Image=../../database/rbsserv.mdb