Published: 2007/07/09  Last Updated: 2008/05/21

KDDI sample CGI download program directory traversal vulnerability


A directory traversal vulnerability exists in a sample CGI download program included with KDDI's EZFactory.

Products Affected

  • Sample CGI download program


A sample CGI download program is included with KDDI's EZFactory for downloading and saving data such as images and ringtones to EZweb compatible cellular phones. A directory traversal vulnerability exists in this program.


A remote unauthenticated attacker could access files on the server where this sample CGI download program is installed. This could lead to unintentional disclosure of file contents.


Update the Software
Please update to the version with CGI download security provided by the vendor.
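
For operators who adapted the sample into their own download scripts, the following added example (not KDDI's code and not taken from the vendor's update) shows a containment check that keeps a client-supplied file name inside the content directory. The names `resolve_download`, `content_root` and `requested`, and the sample files, are assumptions, since the advisory does not describe the program's parameters.

```python
import os
import tempfile

class DownloadRejected(Exception):
    """Raised when a requested name must not be served."""

def resolve_download(content_root: str, requested: str) -> str:
    """Map a client-supplied name to a real file under content_root.

    Hypothetical interface: the advisory does not describe the sample
    program's parameters.
    """
    if not requested or "\x00" in requested:
        raise DownloadRejected("empty name or NUL byte")
    root = os.path.realpath(content_root)
    # realpath collapses ".." segments and follows symlinks, so the check
    # below is made on the file that would actually be opened.
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        raise DownloadRejected("path escapes content root")
    if not os.path.isfile(candidate):
        raise DownloadRejected("not a regular file")
    return candidate

def demo() -> dict:
    """Run the resolver over constructed requests in a throwaway tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "content")
        os.makedirs(os.path.join(root, "ringtones"))
        with open(os.path.join(root, "ringtones", "tone.mmf"), "wb") as f:
            f.write(b"constructed sample")
        with open(os.path.join(tmp, "secret.conf"), "w") as f:
            f.write("outside the content root")
        requests = ["ringtones/tone.mmf", "../secret.conf",
                    "ringtones/../../secret.conf",
                    os.path.join(tmp, "secret.conf"), "missing.png"]
        for name in requests:
            try:
                resolve_download(root, name)
                results[name] = "served"
            except DownloadRejected as exc:
                results[name] = f"rejected: {exc}"
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r}: {outcome}")
```

Comparing resolved paths rather than filtering the raw string for `..` also covers absolute paths and symlinks that point outside the content directory.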

Vendor Status

| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| KDDI CORPORATION | Vulnerable | 2007/07/09 | |


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2007.07.09

| Measures | Conditions | Severity |
|---|---|---|
| Access Required | Routed - can be attacked over the Internet using packets | High |
| Authentication | None - anonymous or no authentication (IP addresses do not count) | High |
| User Interaction Required | None - the vulnerability can be exploited without an honest user taking any action | High |
| Exploit Complexity | Low - little to no expertise and/or luck required to exploit (cross-site scripting) | High |



Hiromitsu Takagi reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under Information Security Early Warning Partnership.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
JVN iPedia JVNDB-2007-000494
