[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] DDIVRT-2008-17 Orb Directory Traversal

To: <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] DDIVRT-2008-17 Orb Directory Traversal
From: "DDI_Vulnerability_Alert" <DDI.VulnerabilityAlert@xxxxxxxxxxxxxxxx>
Date: Thu, 6 Nov 2008 13:59:22 -0600

Title

-----

DDIVRT-2008-17 Orb Directory Traversal

 

Severity

--------

High

 

Date Discovered

---------------

October, 21st 2008

 

Discovered By

-------------

Digital Defense, Inc. Vulnerability Research Team

Credit: Steven James and r@b13$

 

Vulnerability Description

-------------------------

Orb Networks' Orb media server is vulnerable to directory traversal
attacks.  Users can leverage specially crafted GET requests to read
arbitrary files. 

 

Solution Description

--------------------

Use firewall rules to restrict access to authorized users of the Orb
server.

This issue is fixed in version 2.01.0022 available at

      http://www.orb.com/download/us/setup_2.01.0022.exe
<http://www.orb.com/download/us/setup_2.01.0022.exe>  

 

Tested Systems / Software (with versions)

------------------------------------------

Orb version 2.01.0017 on Windows XP Pro SP2

Nullsoft Winamp Remote Server Beta (featuring Orb version 2.01.0013) on
Windows XP Pro SP2

 

Vendor Contact

--------------

Orb Networks

Website: http://www.orb.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] [TKADV2008-012] VLC media player cue Processing Stack Overflow Vulnerability
Next by Date: [Full-disclosure] [USN-665-1] Netpbm vulnerability
Previous by thread: [Full-disclosure] [TKADV2008-012] VLC media player cue Processing Stack Overflow Vulnerability
Next by thread: [Full-disclosure] [USN-665-1] Netpbm vulnerability
Index(es):
- Date
- Thread