[NEWS] OwnServer Directory Traversal Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 01/22/04
- Previous message: SecuriTeam: "[NEWS] Cisco Voice Products Vulnerabilities on IBM Servers"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 22 Jan 2004 15:08:05 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
OwnServer Directory Traversal Vulnerability
------------------------------------------------------------------------
SUMMARY
OwnServer from <http://www.anteco.co.il> Anteco is a web server used for
watching security cameras remotely. It allows broadcasting live streaming
video over the web.
OwnServer is vulnerable to a classic directory traversal attack due to
inadequate validity tests on the input URL.
DETAILS
Vulnerable Systems:
* OwnServer version 1.0 and prior
The webserver performs filter tests and substitution in order to protect
itself from a directory traversal attack. The following patterns are
checked for and replaced with safe ones:
* "//" is replaced by ""
* "\." and "\.." are replaced by ""
* "\" is replaced by "/"
* "\\" is replaced by "//"
However, the classic "/../" pattern is not checked at all, so it passes the
filter unchanged and allows a remote attacker to view and download any file
on the server's filesystem whose path is known.
Examples:
http://<host>/../../boot.ini
http://<host>/../../../boot.ini
http://<host>/../../../../boot.ini
http://<host>/../../../../../boot.ini
http://<host>/../../../../../../boot.ini
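As an added illustration (not code from the advisory or from Anteco), the following Python reproduces the substitution list described above, shows that the advisory's "/../../boot.ini" example survives it untouched, and contrasts a canonicalize-then-check approach that rejects any request resolving outside the document root. The document root, the function names and the order in which the substitutions are applied are assumptions; the request path is assumed to be already percent-decoded.

```python
import posixpath

# Assumed document root; the advisory does not state OwnServer's real one.
WEB_ROOT = "/srv/ownserver/www"


def flawed_filter(url_path: str) -> str:
    """Blacklist substitution as the advisory describes it.

    The advisory does not give the order of the substitutions; "\\.." is
    applied before "\\." here only so that the longer pattern is not
    clobbered by the shorter one (an assumption).
    """
    p = url_path.replace("//", "")
    p = p.replace("\\..", "").replace("\\.", "")
    p = p.replace("\\", "/")
    p = p.replace("\\\\", "//")
    return p  # note: "/../" is never touched


def flawed_resolve(url_path: str) -> str:
    """Filter, then let the OS resolve ".." - the path may leave WEB_ROOT."""
    return posixpath.normpath(WEB_ROOT + flawed_filter(url_path))


def safe_resolve(url_path: str):
    """Canonicalize first, then verify the result is still inside WEB_ROOT.

    Returns the filesystem path, or None when the request escapes the root.
    Backslashes are folded into "/" because Windows (the advisory's boot.ini
    examples imply a Windows host) accepts both as separators.
    """
    rel = url_path.replace("\\", "/").lstrip("/")
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, rel))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # The advisory's own example: passes the blacklist, escapes the root.
    print(flawed_filter("/../../boot.ini"))   # unchanged
    print(flawed_resolve("/../../boot.ini"))  # /srv/boot.ini (outside root)
    print(safe_resolve("/../../boot.ini"))    # None (rejected)
    print(safe_resolve("/cam/live.jpg"))      # served from under WEB_ROOT
```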
ADDITIONAL INFORMATION
The information has been provided by <mailto:the_insider@mail.com> Rafel
Ivgi, The-Insider
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.