DDIVRT-2012-41 ACTi Web Configurator cgi-bin Directory Traversal Apr 26 2012 05:44PM
ddivulnalert ddifrontline com
DDIVRT-2012-41 ACTi Web Configurator cgi-bin Directory Traversal


Date Discovered
March 8, 2012

Discovered By
Digital Defense, Inc. Vulnerability Research Team
Credit: shmoov and r@b13$

Vulnerability Description
The ACTi Web Configurator 3.0 for ACTi IP Surveillance Cameras contains a directory traversal vulnerability within the cgi-bin directory. An unauthenticated remote attacker can use this vulnerability to retrieve arbitrary files that are located outside the root of the web server.

Solution Description
The production of the cameras employing this version of the ACTi Web Configurator have been discontinued. However, a firmware upgrade which addresses the issue is available for download from the ACTi support team. Please contact the ACTi support team to retrieve the firmware upgrade and instructions on how to apply the changes.

Tested Systems / Software
ACTi Web Configurator 3.0 - camera version unknown

Vendor Contact
Vendor Name: ACTi Corporation | http://www.acti.com/corporate/Brief.asp
Vendor Website: http://www.acti.com/home/index.asp

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus