lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1093480653_110292@mail.cableone.net>
Date: Wed, 25 Aug 2004 19:54:46 -0500
From: "GulfTech Security" <security@...ftech.org>
To: <bugtraq@...urityfocus.com>
Subject: Keene Digital Media Server Directory Traversal


##########################################################
# GulfTech Security Research	          August, 25th 2004
##########################################################
# Vendor  : Keene Software
# URL     : http://www.keenesoftware.com
# Version : Keene Digital Media Server 1.0.2
# Risk    : Directory Traversal Vulnerability
##########################################################

Description:
Keene Digital Media Server is an easy and affordable way to 
share all things digital with friends, family, and customers 
over your broadband connection. DMS turns your computer into 
a highly secure Web server that automatically converts your 
files and folders into Web pages, thumbnails, and media shows 
with no Web programming required. Integrated user and file 
access security management provide the ultimate control over 
your content.


Directory Traversal Vulnerability:
Not too long ago I saw there was a directory traversal vuln
found in Keene Digital Media Server. it was fixed by the
developers, but

http://localhost/%2E%2E%5Csystem.log

It seems that only ../ and %2E%2E/ were filtered out. If you
hex encode the backslash or use a forward slash you can then
traverse out of the web directory. For example I am able to
grab the server log file with the above request.



Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00046-08252004



Solution:
I contacted the developers but never received a response.



Credits:
James Bercegay of the GulfTech Security Research Team





Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ