A zero-day vulnerability in VMware's View desktop virtualization software allowed an unauthenticated remote attacker to read directories in the root file system of the View Connection Server and View Security Server. The flaw, which VMware described as a "critical directory traversal vulnerability," was recently patched after being disclosed in September, according to the company.
"A remote unauthenticated attacker can use this weakness to retrieve arbitrary files from the affected server's underlying root file system," researchers wrote on the DDI Labs blog, assigning the flaw a "high" severity rating. "This can be accomplished by submitting URL encoded HTTP GET requests that traverse out of the affected subdirectory."
CRN noted that Danish research firm Secunia and the National Vulnerability Database both gave the exploit middling threat ratings, judging it a 3 out of 5 and a 5.0 out of 10, respectively. The National Vulnerability Database highlighted the exploit's low access complexity and the lack of need for authentication.
Developers can reduce the risk of directory traversal vulnerabilities by building security controls such as input validation into their code. Static source code analysis tools can help programmers identify the points in software where such controls are missing and add them before release.
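The following is an added example, not code from VMware or from the article, showing what the input validation described above looks like for a file-serving endpoint. It decodes a request path (repeating the decode so that double-encoded sequences such as %252e%252e%252f cannot slip past a single pass), canonicalizes the result, and only serves the file if the canonical path still sits inside an allowed base directory. The base directory path and the request paths are constructed sample values and do not need to exist on disk; the function names are this example's own.

```python
import os
from typing import Optional, Dict
from urllib.parse import unquote

# Constructed base directory for the example; it does not need to exist.
BASE_DIR = "/var/www/docroot"


def resolve_safe_path(base_dir: str, requested: str, max_decode_rounds: int = 3) -> Optional[str]:
    """Return the canonical absolute path for `requested` if it stays inside
    base_dir, otherwise None (the caller should answer 403/404)."""
    # Decode until the string is stable: a single unquote() misses %252e%252e%252f,
    # which decodes to %2e%2e%2f and only then to ../
    decoded = requested
    for _ in range(max_decode_rounds):
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again

    # A NUL byte can truncate the path in lower layers; never pass it on.
    if "\x00" in decoded:
        return None

    # Treat backslashes as separators so "..\\..\\" is handled like "../../"
    # (servers on Windows hosts would otherwise interpret them that way).
    decoded = decoded.replace("\\", "/")

    # Drop leading slashes so os.path.join cannot discard base_dir in favour
    # of an absolute path supplied by the client.
    relative = decoded.lstrip("/")

    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, relative))

    # The only test that matters: does the canonical path remain under base?
    # Checking for the substring ".." instead would reject legitimate paths
    # such as docs/../docs/manual.html and miss encoded variants.
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def classify_requests(base_dir: str, request_paths) -> Dict[str, str]:
    """Label each request path 'allowed' or 'denied' for review or logging."""
    return {
        p: ("allowed" if resolve_safe_path(base_dir, p) is not None else "denied")
        for p in request_paths
    }


# Constructed sample request paths, not taken from the advisory.
SAMPLE_REQUESTS = [
    "docs/manual.html",                    # ordinary file under the docroot
    "docs/../docs/manual.html",            # contains ".." but stays inside
    "../../../etc/passwd",                 # plain traversal
    "%2e%2e/%2e%2e/etc/passwd",            # URL-encoded dots
    "%252e%252e%252fetc%252fpasswd",       # double-encoded traversal
    "..\\..\\windows\\win.ini",            # backslash separators
    "docs%00.html",                        # NUL-byte truncation attempt
]

if __name__ == "__main__":
    for path, verdict in classify_requests(BASE_DIR, SAMPLE_REQUESTS).items():
        print(f"{verdict:8} {path}")
```

Because the decision is made on the canonical path rather than on the presence of ".." in the raw string, the check is independent of how the client encoded the request, and a request for an absolute path such as /etc/passwd is simply re-rooted under the base directory rather than escaping it.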
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.