
Sid 1-47472


SERVER-WEBAPP Advantech WebAccess gmicons.asp directory traversal attempt


This event is generated when an attempted directory traversal attack is conducted against an internal server running Advantech WebAccess.


Web Application Attack


CVSS base score

CVSS impact score

CVSS exploitability score

Confidentiality Impact

Integrity Impact

Availability Impact

Detailed information

The vulnerability exists when the gmicons.asp page, exposed by the Advantech WebAccess web server listening on port 80 (HTTP), parses a multipart/form-data POST request. The filename parameter of the picFile sub-part is not properly validated before it is used to build the location to which the picture file is uploaded. By placing NULL bytes at the correct location within the filename parameter, an attacker can bypass the implemented file upload checks and upload arbitrary files to the Advantech WebAccess web server. Additionally, because authorization checks are missing and protection against directory traversal is inadequate, an unauthenticated attacker can exploit this vulnerability to upload files to any location on the Advantech WebAccess server that the web service has access to.

CVE-2017-16736: An Unrestricted Upload Of File With Dangerous Type issue was discovered in Advantech WebAccess versions prior to 8.3. WebAccess allows a remote attacker to upload arbitrary files.
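The check described above can be reproduced offline against captured requests. The following is an added example, not the content of this Snort rule or any Talos code: it inspects the filename parameter of the picFile part for NUL bytes and traversal sequences. The function names, the `/gmicons.asp` URI and the sample bodies are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

_PARAM = re.compile(rb'\b(name|filename)="([^"\r\n]*)"', re.I)
_TRAVERSAL = re.compile(rb'\.\.[\\/]')

def inspect_upload(uri, content_type, body):
    """Return findings for a POST body sent to gmicons.asp ([] means clean)."""
    if "gmicons.asp" not in uri.lower():
        return []
    m = re.search(r'boundary="?([^";]+)', content_type, re.I)
    if not m:
        return []
    findings = []
    for part in body.split(b"--" + m.group(1).encode()):
        headers = part.split(b"\r\n\r\n", 1)[0]
        params = {k.lower(): v for k, v in _PARAM.findall(headers)}
        if params.get(b"name") != b"picFile" or b"filename" not in params:
            continue
        # Decode %xx so encoded forms (%00, %2e%2e%5c) are checked too.
        name = unquote_to_bytes(params[b"filename"])
        if b"\x00" in name:
            findings.append("NUL byte in picFile filename")
        if _TRAVERSAL.search(name):
            findings.append("directory traversal in picFile filename")
    return findings

def sample_body(filename):
    """Constructed multipart body with one picFile part (boundary 'B')."""
    return (b'--B\r\nContent-Disposition: form-data; name="picFile"; filename="'
            + filename + b'"\r\nContent-Type: image/gif\r\n\r\nGIF89a\r\n--B--\r\n')

if __name__ == "__main__":
    ctype = "multipart/form-data; boundary=B"
    for fn in (b"icon.gif", b"..\\..\\icon.gif", b"icon\x00.gif"):
        print(fn, inspect_upload("/gmicons.asp", ctype, sample_body(fn)))
```
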

Affected systems

Ease of attack

Simple, no public proofs of concept yet.

False positives

None known.

False negatives

None known.

Corrective action

Patch as soon as corporate policies allow.


  • Cisco's Talos Intelligence Group

Additional References