JVN#33593387
KDDI sample CGI download program directory traversal vulnerability
Overview
A directory traversal vulnerability exists in a sample CGI download program included with KDDI's EZFactory.
Products Affected
- Sample CGI download program
Description
A sample CGI download program is included with KDDI's EZFactory for downloading and saving data such as images and ringtones to EZweb compatible cellular phones. A directory traversal vulnerability exists in this program.
Impact
A remote unauthenticated attacker could access files on the server where this sample CGI download program is installed. This could lead to unintentional disclosure of file contents.
Solution
Update the Software
Please update to the version with CGI download security provided by the vendor.
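The advisory does not show the program or the vendor's fix. As an added illustration (not KDDI's code), this is the containment check a download handler needs before serving a requested file name, run against a constructed directory tree; the function name, exception class and directory layout are hypothetical.

```python
# Added illustration: function, class and directory names are hypothetical.
import os
import tempfile

class DownloadRejected(Exception):
    """Raised when a requested name must not be served."""

def resolve_download(base_dir, requested):
    """Return the real path of `requested` inside `base_dir`, or raise."""
    if not requested or "\x00" in requested:
        raise DownloadRejected("empty name or NUL byte")
    # Canonicalise both sides so "..", duplicate slashes and symlinks are
    # resolved before the comparison, not after.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath compares whole components, so /srv/content-old does not
    # pass as being inside /srv/content the way a prefix test would allow.
    if os.path.commonpath([base, target]) != base:
        raise DownloadRejected("path leaves the content directory")
    if not os.path.isfile(target):
        raise DownloadRejected("not a regular file")
    return target

def demo():
    """Build a constructed directory tree and try several request names."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        content = os.path.join(root, "content")
        os.makedirs(os.path.join(content, "ringtones"))
        os.makedirs(os.path.join(root, "content-old"))
        for path in ("content/ringtones/tone.mmf", "content-old/x.dat", "secret.txt"):
            with open(os.path.join(root, path), "w") as fh:
                fh.write("constructed sample\n")
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(content, "link.png"))
        for name in ("ringtones/tone.mmf", "ringtones/../ringtones/tone.mmf",
                     "../secret.txt", "../content-old/x.dat",
                     os.path.join(root, "secret.txt"), "link.png", "ringtones"):
            try:
                resolve_download(content, name)
                results[name] = "served"
            except DownloadRejected as exc:
                results[name] = "rejected: " + str(exc)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r:45} {outcome}")
```

Only the two names that resolve to the file inside the content directory are served; the sibling directory with a shared name prefix and the symlink pointing outside are both rejected by the same comparison.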
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2007.07.09
Measures | Conditions | Severity |
---|---|---|
Access Required | Routed - can be attacked over the Internet using packets | |
Authentication | None - anonymous or no authentication (IP addresses do not count) | |
User Interaction Required | None - the vulnerability can be exploited without an honest user taking any action | |
Exploit Complexity | Low - little to no expertise and/or luck required to exploit (cross-site scripting) | |
Credit
Hiromitsu Takagi reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under Information Security Early Warning Partnership.
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | |
JVN iPedia | JVNDB-2007-000494 |