[NT] Keene Digital Media Server Directory Traversal

From: SecuriTeam (support_at_securiteam.com)
Date: 08/30/04

  • Next message: SecuriTeam: "[EXPL] Citadel/UX Remote Buffer Overflow Exploit" 
    To: list@securiteam.com
Date: 30 Aug 2004 17:05:54 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Keene Digital Media Server Directory Traversal
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.keenesoftware.com> Keene Digital Media Server is "an easy and
    affordable way to share all things digital with friends, family, and
    customers over your broadband connection. DMS turns your computer into a
    highly secure Web server that automatically converts your files and
    folders into Web pages, thumbnails, and media shows with no Web
    programming required. Integrated user and file access security management
    provide the ultimate control over your content".

    A directory traversal is possible on the DMS due to a problem in the way
    the server handles encoded URLs.

    DETAILS

    Vulnerable Systems:
     * Keene DMS version 1.0.2

    Although the developers recently fixed a directory traversal vulnerability
    in this product it is still possible to perform directory traversal and
    view arbitrary files on the system running the server. The following
    example illustrates this:

    http://localhost/%2E%2E%5Csystem.log

    It is clearly evident that only ../ and %2E%2E/ were filtered out. If you
    hex encode the backslash or use a forward slash you can then traverse out
    of the web directory. For example I am able to grab the server log file
    with the above request.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:security@gulftech.org>
    GulfTech Security.
    The original article can be found at:
    <http://www.gulftech.org/?node=research&article_id=00046-08252004>
    http://www.gulftech.org/?node=research&article_id=00046-08252004

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[EXPL] Citadel/UX Remote Buffer Overflow Exploit"

    Relevant Pages