Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

DDIVRT-2012-41 ACTi Web Configurator cgi-bin Directory Traversal

From: ddivulnalert <ddivulnalert () ddifrontline com>
Date: Thu, 26 Apr 2012 12:44:36 -0500
Title
-----
DDIVRT-2012-41 ACTi Web Configurator cgi-bin Directory Traversal

Severity
--------
High

Date Discovered
---------------
March 8, 2012

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: shmoov and r@b13$

Vulnerability Description
-------------------------
The ACTi Web Configurator 3.0 for ACTi IP Surveillance Cameras contains a directory traversal vulnerability within the 
cgi-bin directory. An unauthenticated remote attacker can use this vulnerability to retrieve arbitrary files that are 
located outside the root of the web server.

Solution Description
--------------------
The production of the cameras employing this version of the ACTi Web Configurator have been discontinued. However, a 
firmware upgrade which addresses the issue is available for download from the ACTi support team. Please contact the 
ACTi support team to retrieve the firmware upgrade and instructions on how to apply the changes.

Tested Systems / Software
-------------------------
ACTi Web Configurator 3.0 - camera version unknown

Vendor Contact
--------------
Vendor Name: ACTi Corporation | http://www.acti.com/corporate/Brief.asp
Vendor Website: http://www.acti.com/home/index.asp

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: