DDIVRT-2008-15 iPhone Configuration Web Utility 1.0 for Windows Directory Traversal

[vulnerabilityresearch@xxxxxxxxxxxxxxxx]

Title
-----
DDIVRT-DDIVRT-2008-15 iPhone Configuration Web Utility 1.0 for Windows 
Directory Traversal

Severity
--------
High

Date Discovered
---------------
October 2, 2008

Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: Corey LeBleu and r@b13$

Vulnerability Description
-------------------------
The iPhone Configuration Web Utility allows centralized management of iPhone 
configuration settings. The iPhone Configuration Web Utility 1.0 for Windows 
web interface is vulnerable to a common web directory traversal attack. 
Successful exploitation will result in arbitrary read-only file access outside 
of the iPhone Configuration Web Utility 1.0 web root.

Solution Description
--------------------
Filter network traffic so that only trusted users can access the web interface.

Tested Systems / Software (with versions)
------------------------------------------
Windows XP Professional
iPhone Configuration Web Utility 1.0 for Windows

Vendor Contact
--------------
Vendor Name: Apple Inc.
Vendor Website: www.apple.com