CVE-2005-1939

Step 1: Target Identification: The attacker identifies a vulnerable WhatsUp Small Business 2004 installation, typically by port scanning for TCP port 8022.

Step 2: Payload Construction: The attacker crafts a malicious HTTP request targeting the Report service on port 8022. The request includes a URL path containing '..' sequences to navigate the file system.

Step 3: Request Delivery: The attacker sends the crafted HTTP request to the vulnerable server.

Step 4: Vulnerability Trigger: The Report service receives the malicious request and attempts to access the specified file. Due to the lack of input validation, the '..' sequences are not filtered.

Step 5: File Access: The server, interpreting the '..' sequences, traverses the directory structure and retrieves the requested file (e.g., sensitive configuration files, password files).

Step 6: Data Exfiltration: The server sends the contents of the requested file back to the attacker, completing the data breach.

The vulnerability stems from inadequate input validation within the Report service's file handling logic. Specifically, the service fails to properly sanitize user-supplied input, allowing attackers to inject '..' (dot-dot) sequences into file paths. This manipulation allows attackers to navigate outside the intended directory and access arbitrary files on the server's file system. The root cause is a missing or insufficient check for path traversal characters, leading to a security flaw that can be easily exploited.