📄 الوصف (الإنجليزية)
HelloWeb 2.0 contains an arbitrary file download vulnerability that allows remote attackers to download system files by manipulating filepath and filename parameters. Attackers can send crafted GET requests to download.asp with directory traversal to access sensitive configuration and system files.
🤖 ملخص AI
CVE-2020-37034 is a path traversal vulnerability in HelloWeb 2.0 that enables unauthenticated remote attackers to download arbitrary system files through manipulated filepath parameters in download.asp. With a CVSS score of 7.5, this vulnerability poses a significant risk to organizations using HelloWeb for web content management, potentially exposing sensitive configuration files, credentials, and system information. The absence of authentication requirements makes this vulnerability particularly critical for Saudi organizations.
📄 الوصف (العربية)
🤖 التحليل الذكي آخر تحليل: Apr 30, 2026 03:49
🇸🇦 التأثير على المملكة العربية السعودية
This vulnerability primarily affects Saudi government agencies, educational institutions, and small-to-medium enterprises using HelloWeb for website management. Government entities under NCA oversight and educational institutions managing student/staff portals face the highest risk of credential exposure and sensitive document theft. Healthcare organizations using HelloWeb for patient information portals could face HIPAA-equivalent compliance violations. The vulnerability's unauthenticated nature makes it particularly dangerous for organizations with internet-facing HelloWeb installations without proper network segmentation.
🏢 القطاعات السعودية المتأثرة
Government
Education
Healthcare
Small and Medium Enterprises
Telecommunications
Financial Services
🎯 تقنيات MITRE ATT&CK
⚖️ درجة المخاطر السعودية (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all HelloWeb 2.0 installations in your environment using network scanning tools
2. Implement network-level access controls restricting access to download.asp to authorized users only
3. Disable download.asp functionality if not actively used
4. Review web server logs for suspicious GET requests to download.asp with directory traversal patterns (../, ..\, %2e%2e)
PATCHING:
1. Upgrade HelloWeb to version 2.1 or later immediately
2. If upgrade is not immediately possible, apply vendor security patches
3. Test patches in non-production environment before deployment
COMPENSATING CONTROLS:
1. Implement Web Application Firewall (WAF) rules to block directory traversal attempts
2. Configure IDS/IPS signatures to detect CVE-2020-37034 exploitation patterns
3. Restrict file system permissions on sensitive directories
4. Implement input validation and sanitization at the application level
DETECTION RULES:
1. Monitor for GET requests containing: ../, ..\, %2e%2e, %252e in download.asp parameters
2. Alert on access to system files (web.config, system.ini, hosts, passwd)
3. Track failed and successful file downloads from download.asp
4. Implement SIEM correlation rules for multiple traversal attempts from single source
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع تثبيتات HelloWeb 2.0 في بيئتك باستخدام أدوات المسح
2. تطبيق عناصر تحكم الوصول على مستوى الشبكة لتقييد الوصول إلى download.asp
3. تعطيل وظيفة download.asp إذا لم تكن قيد الاستخدام
4. مراجعة سجلات خادم الويب للطلبات المريبة التي تحتوي على أنماط اجتياز المسار
التصحيح:
1. ترقية HelloWeb إلى الإصدار 2.1 أو أحدث فوراً
2. تطبيق تصحيحات الأمان من المورد إذا لم تكن الترقية ممكنة
3. اختبار التصحيحات في بيئة غير الإنتاج قبل النشر
عناصر التحكم البديلة:
1. تطبيق قواعد جدار حماية تطبيقات الويب لحجب محاولات اجتياز المسار
2. تكوين توقيعات IDS/IPS للكشف عن أنماط الاستغلال
3. تقييد أذونات نظام الملفات على الدلائل الحساسة
4. تطبيق التحقق من صحة المدخلات على مستوى التطبيق
📋 خريطة الامتثال التنظيمي
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies and Procedures
A.6.1.1 - Access Control Policy
A.6.2.1 - User Registration and De-registration
A.8.2.1 - Classification of Information
A.8.2.3 - Handling of Assets
A.12.2.1 - Controls Against Malware
A.12.4.1 - Event Logging
A.12.4.3 - Administrator and Operator Logs
A.13.1.1 - Information Security Incident Procedures
🔵 SAMA CSF
Governance - Policy and Risk Management
Governance - Compliance and Audit
Protection - Access Control
Protection - Data Protection
Detection - Monitoring and Logging
Response - Incident Management
🟡 ISO 27001:2022
5.1 - Policies for information security
6.1 - Information security roles and responsibilities
6.2 - Information security in supplier relationships
8.1 - Responsibility for assets
8.2 - Classification of information
8.3 - Handling of assets
A.5.1.1 - Policies for information security
A.6.1.1 - Access control
A.8.1.1 - Asset management
A.8.2.1 - Classification
A.12.4.1 - Event logging
🟣 PCI DSS v4.0.1
Requirement 1 - Install and maintain a firewall configuration
Requirement 2 - Do not use vendor-supplied defaults
Requirement 6 - Develop and maintain secure systems and applications
Requirement 10 - Track and monitor all access to network resources