
Directory traversal and XSS in Active Webcam <= 4.3



#######################################################################

                             Luigi Auriemma

Application:  Active Webcam
              http://www.pysoft.com/ActiveWebCamMainpage.htm
Versions:     <= 4.3 before 17 Dec 2003
Platforms:    Windows
Bugs:         directory traversal and cross site scripting
Risk:         high
Exploitation: remote with browser
Date:         19 Dec 2003
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxxx
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Active WebCam is a shareware program for capturing and sharing video
streams from many video devices.



#######################################################################

=======
2) Bugs
=======


The application has a built-in web server to share the captured video
stream, and it is vulnerable to a simple directory traversal (classic
"../" and "..\") that lets an attacker view and download any file on
the remote system if he knows its path.

The second bug is a cross-site scripting bug in the error pages: the
user's input is not filtered and is shown in the returned page
(example: "The requested URL /<script> was not found on this server.").



#######################################################################

===========
3) The Code
===========


A] Directory traversal bug:

http://server:8080/../../../windows/system.ini
http://server:8080/..\..\..\windows/system.ini


B] Cross site scripting:

http://server:8080/<script>alert('XSS example');</script>
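
The two server-side checks whose absence produces bugs A and B, as an
added example (not the vendor's code and not part of the original
advisory). The function names and the docroot argument are
hypothetical; the request paths in the test are the ones shown above.

```python
import html
import os
from urllib.parse import unquote


def resolve_in_docroot(docroot, url_path):
    """Map a request path to a file inside docroot, or return None."""
    decoded = unquote(url_path.split("?", 1)[0])
    # Windows accepts "\" as a separator too, so normalise it first;
    # otherwise "..\" slips past a filter that only looks for "../".
    segments = decoded.replace("\\", "/").split("/")
    # Reject parent references, drive letters / stream names, and NULs.
    if any(s == ".." or ":" in s or "\x00" in s for s in segments):
        return None
    root = os.path.realpath(docroot)
    kept = [s for s in segments if s not in ("", ".")]
    target = os.path.realpath(os.path.join(root, *kept))
    # Containment check on the canonical path catches whatever the
    # segment filter missed (for example a link pointing outside).
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def not_found_page(url_path):
    """Build the 404 body with the requested URL HTML-escaped."""
    shown = html.escape(unquote(url_path), quote=True)
    return ("<html><body>The requested URL " + shown +
            " was not found on this server.</body></html>")


def handle(docroot, url_path):
    """Return (status, body) for a GET request (hypothetical handler)."""
    target = resolve_in_docroot(docroot, url_path)
    if target is None:
        return 403, "Forbidden"
    if not os.path.isfile(target):
        return 404, not_found_page(url_path)
    with open(target, "rb") as fh:
        return 200, fh.read()
```
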



#######################################################################

======
4) Fix
======


The vendor quickly released a patched package, but the version number
was not changed and there is no news on the website about the new
package.
This means users cannot know that a new version of the program exists
or, moreover, that the new version fixes important bugs.

The new version was released on 17 Dec 2003, so all previous versions
are vulnerable.
The only three ways to tell whether your copy is the old one are to
test it, to check whether the size of WebCam.exe version 4.3 is 1438720
bytes (the size of the patched executable), or simply to check its date.



#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org