PT-2014-07: Sensitive Information Disclosure in Solar-Log

Vulnerable products

Solar-Log 200
Solar-Log 500
Solar-Log 800e
Solar-Log 1000
Firmware: all versions before 3.1.1-66
Link: http://www.solar-log.com/

Severity level

Severity level: Medium
Impact: Information Disclosure
Access Vector: Remote
CVSS v2: Base Score: 5.0
Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE: not assigned

Software description

Solar-Log is a component of a photovoltaic (solar power) control system intended to collect data and to provide remote diagnostics and system performance monitoring.

Vulnerability description

The specialists of the Positive Research Center have detected a Sensitive Information Disclosure vulnerability in Solar-Log.

The CGI scripts used to back up and restore system data and configuration are not password-protected (even when local authentication is enabled) and can be accessed by a remote attacker.

How to fix

Update the firmware to the latest version (3.1.1-66 or later).

Advisory status

11.04.2014 - Vendor receives vulnerability details
14.04.2014 - Vendor releases fixed version and details
05.05.2014 - Public disclosure

Credits

The vulnerability was detected by Artem Chaykin, Positive Research Center (Positive Technologies Company).

References

http://en.securitylab.ru/lab/PT-2014-07

Reports on the vulnerabilities previously discovered by Positive Research:
http://www.ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/