Yawcam 0.6.0 Directory Traversal

`Directory traversal vulnerability in Yawcam webcam server  
=========================================================  
  
Overview  
--------  
Affected Versions: Yawcam 0.2.6 through 0.6.0  
Patched Versions: Yawcam 0.6.1  
Vendor: Yawcam  
Vendor URL: http://www.yawcam.com  
CVE: CVE-2017-17662  
Credit: David Panter, Global Relay CSOC  
Status: Public  
Public disclosure URL: http://www.yawcam.com/news.php  
  
Summary  
-------  
By sending a specially crafted HTTP GET request a remote attacker can read arbitrary files on the target computer under the privileges of the Yawcam software or service.  
  
Product Description  
-------------------  
Yawcam is a free webcam software with an integrated HTTP server and wide variety of features.  
  
Severity Rating: High  
  
Vulnerability description  
-------------------------  
The Yamcam HTTP server contains a directory traversal vulnerability that allows attacker to read arbitrary files through a sequence in the form '.x./' or '....\x/' where x is a pattern composed of one or more (zero or more for the second pattern) of either \ or ..\ for example '.\./', '....\/' or '...\./'.  
  
For files with no extension a single dot needs to be appended to ensure the HTTP server does not alter the request.  
  
POC  
---  
By sending the following string to the Yawcam HTTP server we can read the hosts file from the target machine  
"GET /.\./.\./.\./.\./.\./.\./.\./windows/system32/drivers/etc/hosts."  
  
Timeline  
--------  
2017-12-12 Vulnerability discovered  
2017-12-13 Vendor contacted  
2017-12-13 CVE ID assigned  
2017-12-15 Vendor reply  
2017-12-18 Fixed version released  
2017-12-18 Vendor disclosed vulnerability  
`