[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

DDIVRT-2012-41 ACTi Web Configurator cgi-bin Directory Traversal

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: DDIVRT-2012-41 ACTi Web Configurator cgi-bin Directory Traversal
From: ddivulnalert@xxxxxxxxxxxxxxxx
Date: Thu, 26 Apr 2012 17:44:52 GMT

Title
-----
DDIVRT-2012-41 ACTi Web Configurator cgi-bin Directory Traversal

Severity
--------
High

Date Discovered
---------------
March 8, 2012

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: shmoov and r@b13$

Vulnerability Description
-------------------------
The ACTi Web Configurator 3.0 for ACTi IP Surveillance Cameras contains a 
directory traversal vulnerability within the cgi-bin directory. An 
unauthenticated remote attacker can use this vulnerability to retrieve 
arbitrary files that are located outside the root of the web server.

Solution Description
--------------------
The production of the cameras employing this version of the ACTi Web 
Configurator have been discontinued. However, a firmware upgrade which 
addresses the issue is available for download from the ACTi support team. 
Please contact the ACTi support team to retrieve the firmware upgrade and 
instructions on how to apply the changes.

Tested Systems / Software
-------------------------
ACTi Web Configurator 3.0 - camera version unknown

Vendor Contact
--------------
Vendor Name: ACTi Corporation | http://www.acti.com/corporate/Brief.asp
Vendor Website: http://www.acti.com/home/index.asp

Prev by Date: DDIVRT-2012-40 PacketVideo TwonkyServer and TwonkyMedia Directory Traversal
Next by Date: [ MDVSA-2012:066 ] mozilla
Previous by thread: DDIVRT-2012-40 PacketVideo TwonkyServer and TwonkyMedia Directory Traversal
Next by thread: [ MDVSA-2012:066 ] mozilla
Index(es):
- Date
- Thread