Summary
This host has D-link IP Camera and is
prone to multiple vulnerabilities.
Impact
Successful exploitation will allow remote
attackers to disclose the software's installation path resulting in a loss of confidentiality and gain access to arbitrary files.
Impact Level: Application
Solution
No solution or patch is available as of
20th February, 2015. Information regarding this issue will updated once the solution details are available.
For updates refer to http://www.dlink.com
Insight
Flaws are due to,
- The /cgi-bin/sddownload.cgi script not properly sanitizing user input, specifically path traversal style attacks (e.g. '../') supplied via the 'file' parameter.
- An input passed via the /cgi-bin/sddownload.cgi script to the 'file' parameter is not properly sanitized.
Affected
D-link IP camera DCS-2103 with firmware 1.0.0
Detection
Send a crafted HTTP GET request and check
whether it is able to download the system files.
References
Severity
Classification
-
CVE CVE-2014-9234, CVE-2014-9238 -
CVSS Base Score: 5.0
AV:N/AC:L/Au:N/C:P/I:N/A:N
Related Vulnerabilities
- AbanteCart Multiple Cross-Site Scripting Vulnerabilities
- Aker Secure Mail Gateway Cross-Site Scripting Vulnerability
- Apple Safari Multiple Vulnerabilities
- AjaXplorer Remote Command Injection and Local File Disclosure Vulnerabilities
- Apache Struts CookBook/Examples Multiple Cross-Site Scripting Vulnerabilities