Trend Micro Control Manager file disclosure vulnerability

A vulnerability in Trend Micro Control Manager can be exploited by malicious users to disclose sensitive information, according to Secunia.

Input passed via the “module” parameter to WebApp/widget/proxy_request.php (when “sid” is set to “undefined” and “serverid”, “SORTFIELD”, “SELECTION”, and “WID” are set) is not properly verified before being used to read files.

This can be exploited to read arbitrary files from local resources via directory traversal sequences.

The vulnerability is confirmed in version 5.5 (Build 1250). Other versions may also be affected.

Solution: Apply hotfix 1470. Please contact the vendor for details.
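
For reviewing web server logs on an installation that has not yet received the hotfix, the following is an added example (not from Secunia or Trend Micro) that flags requests to the affected script whose "module" value contains a directory traversal sequence. It assumes access-log lines that carry the quoted request line as in Common Log Format; the sample lines, addresses, file names and the module name modSummary are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint and parameter names are taken from the advisory text.
ENDPOINT = "/webapp/widget/proxy_request.php"
PRECONDITION_PARAMS = ("serverid", "SORTFIELD", "SELECTION", "WID")
# Assumption: the log carries the request line in quotes (Common Log Format style).
REQUEST_LINE = re.compile(r'"[A-Z]+ (\S+) HTTP/\d(?:\.\d)?"')

def has_traversal(value):
    """True if value contains a '..' path segment, even when percent-encoded again."""
    for _ in range(3):  # parse_qs decoded once; peel off further encoding layers
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return ".." in re.split(r"[\\/]", value)

def classify(target):
    """Return 'high', 'review' or None for one request target (path?query)."""
    url = urlsplit(target)
    # Assumption: the web server matches paths case-insensitively.
    if not url.path.lower().endswith(ENDPOINT):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if not any(has_traversal(v) for v in params.get("module", [])):
        return None
    # 'high' when every condition the advisory states is present in the request.
    stated = params.get("sid") == ["undefined"] and all(
        p in params for p in PRECONDITION_PARAMS)
    return "high" if stated else "review"

def scan(lines):
    """Return (line_index, severity) for every flagged log line."""
    hits = []
    for i, line in enumerate(lines):
        m = REQUEST_LINE.search(line)
        severity = classify(m.group(1)) if m else None
        if severity:
            hits.append((i, severity))
    return hits

# Constructed sample lines (addresses, values and file names are made up).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2011:10:00:00 +0000] "GET /WebApp/widget/proxy_request.php?sid=undefined&serverid=1&SORTFIELD=name&SELECTION=all&WID=7&module=..%2F..%2Fplaceholder.txt HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2011:10:00:05 +0000] "GET /WebApp/widget/proxy_request.php?sid=abc123&module=modSummary HTTP/1.1" 200 900',
    '192.0.2.12 - - [01/Jan/2011:10:00:09 +0000] "GET /webapp/widget/proxy_request.php?sid=abc&module=%252e%252e%255cplaceholder.txt HTTP/1.1" 404 0',
    '192.0.2.13 - - [01/Jan/2011:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 100',
]
```

Calling scan(SAMPLE) flags the first line as "high" and the third as "review". Parameters sent in a POST body do not appear in the request line, so this check covers query-string requests only.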
