DDIVRT-2013-50 EverFocus EPARA264-16X1 Directory Traversal

Title

DDIVRT-2013-50 EverFocus EPARA264-16X1 Directory Traversal

Severity

High

Date Discovered

January 22, 2013

Discovered By

Digital Defense, Inc. Vulnerability Research Team
Credit: r@b13$

Vulnerability Description

The EverFocus EPARA264-16X1 DVR allows unauthenticated remote users to
retrieve arbitrary system files that are located outside of the web
root through a directory traversal on port 80.

Solution Description

EverFocus has provided a solution for this security issue in the form
of a firmware upgrade. EPARA264-16X1 devices with firmware version
1.0.3 or later are not affected by the security issue. The firmware
update is available from EverFocus technical support.

Tested Systems / Software

EverFocus EPARA264-16X1 Firmware Version 1.0.2

Vendor Contact

Vendor Name: EverFocus

Vendor Website: http://www.everfocus.com/