Active WebCam Error Message File Existence Enumeration

2005-03-10T10:18:26
ID OSVDB:14641
Type osvdb
Reporter Sowhat(smaillist@gmail.com)
Modified 2005-03-10T10:18:26

Description

Vulnerability Description

Active WebCam contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered by requesting a specially crafted URL, which causes the application to return an error message indicating whether the file exists on the system or not, resulting in a loss of confidentiality.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

http://[victim]:8080/c:\nonexsit.txt

http://[victim]:8080/c:\boot.ini
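
The test URLs above place a Windows drive-letter path directly in the request path, so the same pattern can be looked for in web server access logs. The following Python is an added example, not part of the original advisory or of the vendor's software; the Common Log Format input, the sample log lines and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Client address and request target from a Common Log Format line (assumed format).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# A path segment beginning with a Windows drive letter, e.g. /c:\boot.ini or /C:/x
DRIVE_PATH_RE = re.compile(r'/[A-Za-z]:[\\/]')

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2005:10:18:26 +0000] "GET /c:\\boot.ini HTTP/1.0" 404 120',
    '192.0.2.10 - - [10/Mar/2005:10:18:27 +0000] "GET /c:%5Cnonexsit.txt HTTP/1.0" 404 118',
    '192.0.2.10 - - [10/Mar/2005:10:18:28 +0000] "GET /C%3A%255Cboot.ini HTTP/1.0" 404 120',
    '198.51.100.7 - - [10/Mar/2005:10:19:00 +0000] "GET /index.html HTTP/1.0" 200 512',
]


def decode_fully(target, max_rounds=3):
    """Percent-decode repeatedly so %5C and %255C both become a backslash."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def find_drive_path_probes(log_lines):
    """Return {client_ip: sorted distinct drive-letter paths that client requested}."""
    hits = defaultdict(set)
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        raw_path = m.group("target").split("?", 1)[0]  # ignore any query string
        path = decode_fully(raw_path)
        if DRIVE_PATH_RE.search(path):
            # Lower-case so C:\ and c:\ count as the same file on Windows.
            hits[m.group("ip")].add(path.lower())
    return {ip: sorted(paths) for ip, paths in hits.items()}


if __name__ == "__main__":
    for ip, paths in find_drive_path_probes(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} distinct drive-letter paths requested: {paths}")
```

A client that requests many distinct drive-letter paths in a short period is the pattern to alert on, since each request answers one "does this file exist" question.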

References:

Vendor URL: http://www.pysoft.com

Secunia Advisory ID: 14553

Related OSVDB ID: 14638

Related OSVDB ID: 14640

Related OSVDB ID: 14639

Related OSVDB ID: 14642

Other Advisory URL: http://secway.org/advisory/ad20050104.txt

Mail List Post: http://lists.grok.org.uk/pipermail/full-disclosure/2005-March/032334.html

ISS X-Force ID: 19654

CVE-2005-0733

Bugtraq ID: 12778