The Cisco Internet Streamer application, part of the Cisco Content Delivery System, contains a directory traversal vulnerability on its web server component that allows for arbitrary file access. By exploiting this vulnerability, an attacker may be able to read arbitrary files on the device, outside of the web server document directory, by using a specially crafted URL.
An unauthenticated attacker may be able to exploit this issue to access sensitive information, including the password files and system logs, which could be leveraged to launch subsequent attacks.
All versions of system software on the Cisco Internet Streamer application are vulnerable prior to the first fixed release, but Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available.
This vulnerability can be exploited over all open HTTP ports; TCP ports 80 (Default HTTP port), 443 (Default HTTPS port) and 8090 (Alternate HTTP and HTTPS port), as well as those that are configured as part of the HTTP proxy.
As an interim step prior to upgrading the Cisco content delivery system software, it is possible to deny access to sensitive directories via service rules. The following example shows denying access to move up a directory level. This also caters for other directory moves, such as “\.\./”, “.\./” or “\../”:
rule action block pattern-list 1
rule pattern-list 1 url-regex ^http://.*/../.*
rule pattern-list 1 url-regex ^https://.*/../.*
If you are affected by this issue or just want to read more please do it at http://www.cisco.com/warp/public/707/cisco-sa-20100721-spcdn.shtml.
One thought on “Web Server Directory Traversal Vulnerability in Cisco CDS”