iphone/ipod discover the File Manager web service directory traversal vulnerability-vulnerability warning-the black bar safety net

ID MYHACK58:62201027296
Type myhack58
Reporter 佚名
Modified 2010-06-20T00:00:00


from:Xeye Team

discover is an iphone/ipod touch platform on the popular file Manager, can read pdf/office/txt format files

And via wifi to share these files, a detailed description look at this: http://itunes.apple.com/us/app/discover/id292416855?mt=8#

Vulnerability analysis

When the wifi environment of the iphone/ipod touch users open the discover, it will automatically turn on remote web Access, the web interface is flash-made file management interface as in the following figure, and discover there are two directories: Private and Public, in the“settings” - >“file security settings”you can set web Access Password Authentication Type for HTTP Digest, but only to protect Private directory.


Due to discover a web Service of some of the api interface does not strictly authenticate the user to access and there is a directory traversal vulnerability, an attacker use the web Services api can access iphone/ipod mobile user permissions on any directory with the file, and you can remove mobile permissions to delete the file.


1, First of all we have to list the directory:


2, The Read file contents, although I know that our permission is only for mobile, but Read access is still very wide:


There is also a delete api:

Vulnerability vendor