[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] DDIVRT-2013-50 EverFocus EPARA264-16X1 Directory Traversal

To: <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] DDIVRT-2013-50 EverFocus EPARA264-16X1 Directory Traversal
From: ddivulnalert <ddivulnalert@xxxxxxxxxxxxxxxx>
Date: Fri, 15 Mar 2013 09:44:07 -0500

Title
-----
DDIVRT-2013-50 EverFocus EPARA264-16X1 Directory Traversal

Severity
--------
High

Date Discovered
---------------
January 22, 2013

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: r@b13$

Vulnerability Description
-------------------------
The EverFocus EPARA264-16X1 DVR allows unauthenticated remote users to
retrieve arbitrary system files that are located outside of the web
root through a directory traversal on port 80.

Solution Description
--------------------
EverFocus has provided a solution for this security issue in the form
of a firmware upgrade. EPARA264-16X1 devices with firmware version
1.0.3 or later are not affected by the security issue. The firmware
update is available from EverFocus technical support.

Tested Systems / Software
-------------------------
EverFocus EPARA264-16X1 Firmware Version 1.0.2

Vendor Contact
--------------
Vendor Name: EverFocus 
Vendor Website: http://www.everfocus.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] Skype Click to Call Update Service local privilege escalation
Next by Date: [Full-disclosure] [SECURITY] [DSA 2647-1] firebird2.1 security update
Previous by thread: [Full-disclosure] Skype Click to Call Update Service local privilege escalation
Next by thread: [Full-disclosure] [SECURITY] [DSA 2647-1] firebird2.1 security update
Index(es):
- Date
- Thread