
List:       full-disclosure
Subject:    [Full-disclosure] DDIVRT-2012-41 ACTi Web Configurator cgi-bin Directory Traversal
From:       ddivulnalert <ddivulnalert () ddifrontline ! com>
Date:       2012-04-26 17:44:36
Message-ID: 89976E02-614C-4C59-ACEA-71306A6C9F9B () ddifrontline ! com

Title
-----
DDIVRT-2012-41 ACTi Web Configurator cgi-bin Directory Traversal

Severity
--------
High

Date Discovered
---------------
March 8, 2012

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: shmoov and r@b13$

Vulnerability Description
-------------------------
The ACTi Web Configurator 3.0 for ACTi IP Surveillance Cameras contains a directory traversal
vulnerability within the cgi-bin directory. An unauthenticated remote attacker can use this
vulnerability to retrieve arbitrary files that are located outside the root of the web server.

Solution Description
--------------------
Production of the cameras employing this version of the ACTi Web Configurator has been
discontinued. However, a firmware upgrade that addresses the issue is available for download
from the ACTi support team. Please contact the ACTi support team to retrieve the firmware
upgrade and instructions on how to apply the changes.

Tested Systems / Software
-------------------------
ACTi Web Configurator 3.0 - camera version unknown

Vendor Contact
--------------
Vendor Name: ACTi Corporation | http://www.acti.com/corporate/Brief.asp
Vendor Website: http://www.acti.com/home/index.asp
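
Added example (not part of the original advisory or of any ACTi or Digital Defense code): a log check that flags requests under /cgi-bin/ whose decoded path or query contains a ".." segment, for reviewing web or proxy logs in front of affected cameras. The log lines are constructed, and the CGI name "example" and the parameters "page" and "file" are hypothetical, since the advisory does not name the affected script.

```python
import re
from urllib.parse import unquote, urlsplit

# Client address, request target and status from a Common Log Format line.
REQ = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded dots and slashes surface."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")  # treat backslash as a separator too

def has_dotdot(target):
    """True if a decoded path or query segment is exactly '..'."""
    return ".." in re.split(r"[/=&?;]", fully_decode(target))

def find_traversal(lines, prefix="/cgi-bin/"):
    """Return (client, target, status) for requests under prefix with '..'."""
    hits = []
    for line in lines:
        m = REQ.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        path = fully_decode(urlsplit(target).path)
        if path.startswith(prefix) and has_dotdot(target):
            hits.append((client, target, int(status)))
    return hits

# Constructed log lines; "example", "page" and "file" are hypothetical names.
TS = "- - [26/Apr/2012:17:00:00 +0000]"
SAMPLE = [
    f'192.0.2.10 {TS} "GET /cgi-bin/example?page=status HTTP/1.1" 200 512',
    f'198.51.100.7 {TS} "GET /cgi-bin/example?page=../../etc/hosts HTTP/1.0" 200 190',
    f'198.51.100.7 {TS} "GET /cgi-bin/example?page=%252e%252e%252fetc%252fhosts HTTP/1.0" 404 0',
    f'203.0.113.5 {TS} "GET /cgi-bin/example?file=report..txt HTTP/1.1" 200 88',
    f'203.0.113.5 {TS} "GET /cgi-bin/..%5c..%5cetc%5chosts HTTP/1.1" 400 0',
]

if __name__ == "__main__":
    for client, target, status in find_traversal(SAMPLE):
        print(client, status, target)
```

A hit that was answered with status 200 deserves the first look, because the response may have carried file contents from outside the web root.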
