VID | 22460
Severity | 30
Port | 3689,9999
Protocol | TCP
Class | WWW
Detailed Description |
Firefly Media Server (previously known as Multi-Threaded DAAP Daemon, mt-daapd) is a media streaming server. Firefly Media Server version 0.2.4.1 and earlier versions are vulnerable to a partial directory traversal vulnerability. By sending a specially crafted HTTP GET request containing "dot dot dot" sequences (/.../), a remote attacker could view arbitrary files in the parent directory of Firefly's 'admin-root' folder, including the application's configuration file.
* References:
  - http://www.securityfocus.com/archive/1/484763/30/0/threaded
  - http://aluigi.altervista.org/adv/fireflyz-adv.txt
* Platforms Affected:
  - Firefly Media Server version SVN 1699 and earlier versions
  - Firefly Media Server version 0.2.4.1 and possibly other versions
  - Linux, any version
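The following is an added example, not code from the advisory or from the Firefly project: a request-path check that rejects any dots-only path component (so both '..' and the '/.../' sequence described above fail), plus a scan over constructed access-log lines that flags such requests for a detection rule. The admin-root location, the log line format and the double URL-decoding are assumptions made for the example.

```python
import os
import re
from urllib.parse import unquote

# Assumed location of Firefly's admin-root folder (hypothetical, for this example).
ADMIN_ROOT = "/srv/firefly/admin-root"

def has_dots_only_component(path: str) -> bool:
    """True if any path component consists solely of two or more dots.

    This rejects the usual '..' as well as the '...' sequence the advisory
    describes, instead of special-casing one spelling of traversal.
    """
    return any(len(part) >= 2 and set(part) == {"."} for part in path.split("/"))

def is_safe_request_path(requested: str, root: str = ADMIN_ROOT) -> bool:
    """Return True only if the decoded request path stays inside root.

    The path is URL-decoded twice (double encoding is an assumption, not
    something the advisory mentions), NUL bytes and dots-only components are
    rejected, and the remaining path is normalised and checked for
    containment under the document root.
    """
    decoded = unquote(unquote(requested))
    if "\x00" in decoded or has_dots_only_component(decoded):
        return False
    root = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root, decoded.lstrip("/")))
    return candidate == root or candidate.startswith(root + os.sep)

# Constructed access-log lines in a common-log style (not real Firefly output).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Apr/2008:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Apr/2008:12:00:02 +0000] "GET /.../example.conf HTTP/1.1" 200 1420',
    '10.0.0.5 - - [01/Apr/2008:12:00:03 +0000] "GET /config.html HTTP/1.1" 200 800',
]

def find_traversal_requests(log_lines):
    """Return the request paths in log_lines that contain a dots-only component."""
    hits = []
    for line in log_lines:
        m = re.search(r'"GET (\S+) HTTP', line)
        if m and has_dots_only_component(unquote(m.group(1))):
            hits.append(m.group(1))
    return hits
```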
Recommendation |
No upgrade or patch available as of April 2008.
Upgrade to a fixed version of Firefly Media Server (mt-daapd) when a fixed version becomes available from the Firefly Media Server download page at http://www.fireflymediaserver.org/download.php
Related URL | (CVE)
Related URL | 26770 (SecurityFocus)
Related URL | 38842,38844 (ISS)