Today I published an advisory for the BitDefender Update Server. BitDefender is one of the larger antivirus vendors.
The update server's job is to deliver new antivirus patterns and engine updates to the client software. For that it uses HTTP and runs its own HTTP daemon. The daemon does not require authentication and is vulnerable to one of the oldest vulnerability classes known for web servers: the directory traversal attack.
This means that anyone who can connect to the Update Server's port with a web browser can read any file on the server that the daemon's account is allowed to read (at least on the same partition/drive), including Windows configuration files, password files, etc.
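To make the bug class concrete, here is an added example (my own code, not BitDefender's daemon and not taken from the advisory) of the two ways an HTTP file server can turn a request path into a filesystem path. The naive version decodes the URL and joins it onto the document root, so `../` (or its percent-encoded form, or the Windows `..\` spelling) walks out of the root; the hardened version resolves the final path and refuses anything that does not stay under the resolved root. The document tree, file names and request paths are constructed for the demo; it runs on POSIX, with backslashes folded to slashes to model a Windows target where both separators work.

```python
import os
import tempfile
from urllib.parse import unquote


def url_to_fs_naive(doc_root: str, url_path: str) -> str:
    # VULNERABLE: trusts the request path. The URL is percent-decoded, so
    # "%2e%2e/" becomes "../", and normpath happily walks above doc_root.
    rel = unquote(url_path).replace("\\", "/").lstrip("/")
    return os.path.normpath(os.path.join(doc_root, rel))


def url_to_fs_safe(doc_root: str, url_path: str):
    # HARDENED: same decoding, but the fully resolved candidate (symlinks and
    # ".." segments collapsed) must lie inside the resolved document root.
    # Returns None when the request should be refused (HTTP 403/404).
    root = os.path.realpath(doc_root)
    rel = unquote(url_path).replace("\\", "/").lstrip("/")
    candidate = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


# Constructed request paths: one legitimate update file, one legitimate path
# that merely contains "..", and three spellings of the same escape.
REQUESTS = [
    "/engine/engine.sig",
    "/engine/../engine/engine.sig",
    "/../secret.ini",
    "/%2e%2e/secret.ini",
    "/..\\secret.ini",
]


def demo() -> dict:
    """Build a throwaway tree (htdocs plus a secret next to it) and run both
    resolvers over REQUESTS. Returns, per request, whether the naive resolver
    would serve a file, whether that file lies outside htdocs, and whether the
    hardened resolver serves anything."""
    with tempfile.TemporaryDirectory() as tmp:
        htdocs = os.path.join(tmp, "htdocs")
        os.makedirs(os.path.join(htdocs, "engine"))
        with open(os.path.join(htdocs, "engine", "engine.sig"), "w") as f:
            f.write("signed update blob (constructed)")
        with open(os.path.join(tmp, "secret.ini"), "w") as f:
            f.write("password=hunter2 (constructed)")

        root = os.path.realpath(htdocs)
        results = {}
        for req in REQUESTS:
            naive = url_to_fs_naive(htdocs, req)
            safe = url_to_fs_safe(htdocs, req)
            results[req] = {
                "naive_served": os.path.isfile(naive),
                "naive_escaped": os.path.commonpath(
                    [root, os.path.realpath(naive)]) != root,
                "safe_served": safe is not None and os.path.isfile(safe),
            }
        return results


if __name__ == "__main__":
    for req, r in demo().items():
        print(f"{req:32} naive_served={r['naive_served']!s:5} "
              f"escaped={r['naive_escaped']!s:5} safe_served={r['safe_served']}")
```

The check that matters is the containment test on the resolved path, not a blacklist of `..` substrings: the second request shows why, since it contains `..` yet is a perfectly valid path inside the root and the hardened resolver still serves it. Decoding before the check is equally important; a server that compares the raw URL against a pattern misses the `%2e%2e` spelling.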
It also seems that BitDefender does not have a dedicated response team responsible for vulnerabilities within their own products. The mail I sent them in order to inform them about the vulnerability was answered by an automated mail requesting me to register on their website in order to access their support material... sorry guys, I don't have time for such games... please learn how other AV and software vendors are handling this!!!
You can find the original advisory here.
More of my humble advisories can be found on my website...