TITLE: Keene Digital Media Server Multiple Vulnerabilities SECUNIA ADVISORY ID: SA12272 VERIFY ADVISORY: http://secunia.com/advisories/12272/ CRITICAL: Moderately critical IMPACT: Security Bypass, Exposure of sensitive information WHERE: >From remote SOFTWARE: Keene Digital Media Server 1.x http://secunia.com/product/3778/ DESCRIPTION: Ziv Kamir has reported some vulnerabilities in Keene Digital Media Server, which can be exploited by malicious people to retrieve sensitive information and perform administrative tasks. 1) Keene Digital Media Server stores passwords in clear text in the file "dmscore.db" in the installatio directory. This may disclose sensitive information to malicious local users. 2) An input validation error within the processing of HTTP requests can be exploited to retrieve arbitrary files via directory traversal attacks where the URL encoded representation of the "../" character sequence is used. Example: http://[victim]/dms/%2e%2e/%2e%2e/dmscore.db This can be exploited by malicious people in combination with the first vulnerability to gain knowledge of adminsitrative passwords. 3) It is possible to bypass the user authentication and perform adminsitrative tasks by accessing the script "/dms/adminusers.kspx" directly. The vulnerabilities have been reported in version 1.0.2. Other versions may also be affected. SOLUTION: The vendor has stated that the vulnerabilities will be fixed in an upcoming version 1.0.4. PROVIDED AND/OR DISCOVERED BY: Ziv Kamir ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet@packetstormsecurity.org ----------------------------------------------------------------------