A10 Networks Loadbalancer - Directory Traversal

EDB-ID: 31261 CVE: N/A OSVDB-ID: 102657
Verified: Author: xistence Published: 2014-01-29
Download Exploit: Source Raw Download Vulnerable App: N/A

xistence < xistence[at]0x90[.]nl >

Affected products:

A10 Networks Loadbalancer (Soft)AX <=2.6.1-GR1-P5 & <=2.7.0 build 217

Affected vendors:


Product description:

SupportCenter Plus is a web-based customer support software that lets
organizations effectively manage customer tickets,
their account & contact information, the service contracts and in the
process providing a superior customer experience.


[ 0x01 - Directory Traversal ]

A10 Networks (Soft)AX <=2.6.1-GR1-P5 & <=2.7.0 build 217 is prone to an
unauthenticated directory traversal vulnerability.
It's possible to download any file on the remote AX device with root
privileges, without the need to authenticate to the website.

The bug was fixed earlier in A10 Tracking ID "82150" according to the
release notes, however the fix is not sufficient and can be bypassed.

The new protection seems to make sure files are under the /a10data/tmp dir

By sending a GET request to
and thus keeping /a10data/tmp, we can bypass this. So if we would like
to download the file /etc/shadow we send a GET request to "https://

Or if we would like to download a certificate key file: "https://

WARNING: Downloading a file will delete it from the AX device!


Upgrade to a newer version.


Fixed somewhere back in 2013 :)