Severe issue in SlideShowPro Director
Clear Skies Security has just posted an advisory for users of SlideShowPro Director. Anyone using this product who has not upgraded in the last 2 weeks is strongly urged to do so. Versions prior to 1.3.9 (released 7/23) can be exploited to access files directly through the web server.
This issue was found during a penetration test of a customer last month. Clear Skies has been working with the vendor directly to review the security risks and corrective actions. Coming from a large security organization, it has been very refreshing to be able to follow through on these types of issues directly so our findings can benefit the public at large.
Lastly, Clear Skies would like to thank the vendor, Dominey Design. They were thankful to receive the vulnerability information and were very responsive, quickly addressing the issue and providing an update within days of initial contact.
For the more technically inclined, Clear Skies consultant Scott Miles will be posting a separate entry on how this kind of issue is found, which really highlights the value that a good penetration test should provide.









