List:       full-disclosure
Subject:    [Full-disclosure] DDIVRT-2012-40 PacketVideo TwonkyServer and TwonkyMedia Directory Traversal
From:       ddivulnalert <ddivulnalert () ddifrontline ! com>
Date:       2012-04-26 17:31:49
Message-ID: C1FA68A0-192A-487A-8087-73A67C463161 () ddifrontline ! com

Title
-----
DDIVRT-2012-40 PacketVideo TwonkyServer and TwonkyMedia Directory Traversal

Severity
--------
High

Date Discovered
---------------
March 12, 2012

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: r@b13$

Vulnerability Description
-------------------------
Multiple PacketVideo products contain a directory traversal vulnerability
within the web server that is running on port 9000. These products are
vulnerable to the attack regardless of having configured the “Secured Server
Settings” which are available on the Advanced configuration page.
Susceptible products include the Twonky 7.0 Special and the TwonkyManager 3.0.

An unauthenticated remote attacker can use this vulnerability to retrieve
arbitrary files that are located outside the root of the web server.

Solution Description
--------------------
PacketVideo has addressed the issue. Contact the vendor for the software
update.

Tested Systems / Software
-------------------------
Twonky 7.0 Special on Windows Vista
TwonkyManager 3.0 on Windows Vista

Vendor Contact
--------------
Vendor Name: PacketVideo Corporation | http://www.pv.com/
Vendor Website: http://twonky.com/
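
The containment check that keeps a file-serving web server inside its document root, as an added example (not code from the advisory or from PacketVideo). The function names, the exception and the sample paths are assumptions constructed for illustration, and the check goes beyond the advisory's text by covering Windows separator and encoding variants in general.

```python
import os
from urllib.parse import unquote


class TraversalError(ValueError):
    """Request path would resolve outside the document root."""


def resolve_under_root(doc_root, url_path):
    """Map a URL path to a filesystem path guaranteed to lie under doc_root."""
    # Drop the query string, then decode percent-escapes exactly once;
    # anything still encoded afterwards is treated as a literal file name.
    decoded = unquote(url_path.split("?", 1)[0])
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    # Windows accepts both separators, so fold "\" into "/" before splitting.
    segments = [s for s in decoded.replace("\\", "/").split("/") if s not in ("", ".")]
    for seg in segments:
        # ".." climbs a level; ":" covers drive letters and NTFS stream names.
        if seg == ".." or ":" in seg:
            raise TraversalError("illegal path segment: %r" % seg)
        # Win32 normalisation drops trailing dots and spaces, so ".. " acts like "..".
        if seg != seg.rstrip(". "):
            raise TraversalError("trailing dot or space in segment: %r" % seg)
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, *segments))
    # Checking the resolved path also catches links that point out of the root.
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalError("resolved path escapes document root")
    return candidate


def is_servable(doc_root, url_path):
    """True when the request resolves inside doc_root, False when it must be refused."""
    try:
        resolve_under_root(doc_root, url_path)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    # Constructed sample requests against a hypothetical document root.
    for path in ("/media/track01.mp3", "/media/../../secret.txt", "/..%5c..%5csecret.txt"):
        print(path, "->", "serve" if is_servable("/srv/media-root", path) else "reject")
```

The check has to run on every request before the file is opened, independent of any access-control setting, since the advisory notes the flaw was reachable regardless of the "Secured Server Settings".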