CERT-MU Vulnerability Note VN-2010-17
Cisco Content Delivery System Internet Streamer Directory Traversal Vulnerability
Original Issue Date: July 26, 2010
Severity Rating: Medium
Systems Affected
- Cisco Content Delivery System versions prior to 2.5.7
Overview
A vulnerability has been reported in Cisco Content Delivery System, which can be exploited by malicious people to disclose sensitive information.
Description
The Cisco Content Delivery System (CDS) is an integrated system with a network-based architecture that transcends existing streaming solutions. It incorporates both TV streaming applications for content delivery to digital televisions and set-top boxes (STBs) as well as Internet streaming applications for content delivery to IP-enabled devices such as PCs and Wi-Fi-connected mobile phones.
A directory traversal vulnerability exists because of an input validation error in the Cisco Internet Streamer web server component when processing HTTP requests. A remote attacker could exploit this vulnerability by sending a specially crafted URL to view arbitrary files on the device outside the web server document directory, including password files and system logs.
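The missing input validation can be illustrated with a path check that keeps every request inside the document directory. This is an added example, not part of the advisory and not Cisco's code; it assumes POSIX paths, and the function names, directory layout and request targets are constructed for illustration.

```python
import os
import tempfile
from urllib.parse import unquote


def resolve_request_path(doc_root, request_target):
    """Return the real path of the requested file inside doc_root, or None.

    None means the request must be refused: after decoding and
    canonicalization it names something outside the document directory.
    Assumes POSIX path semantics.
    """
    root = os.path.realpath(doc_root)
    # Only the path component names a file; drop query string and fragment.
    path = request_target.split("?", 1)[0].split("#", 1)[0]
    # Decode percent-escapes exactly once, then validate and use this same
    # decoded value, so the check and the file access cannot disagree.
    decoded = unquote(path)
    if "\x00" in decoded or "\\" in decoded:
        return None
    # realpath() collapses "." and ".." and follows symlinks before the check.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def build_demo_tree(base):
    """Constructed sample layout: a document root plus a file outside it."""
    doc_root = os.path.join(base, "htdocs")
    os.makedirs(os.path.join(doc_root, "media"))
    with open(os.path.join(doc_root, "media", "clip.txt"), "w") as fh:
        fh.write("public")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("private")
    # A link inside the document root that points outside it.
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(doc_root, "link"))
    return doc_root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        root = build_demo_tree(base)
        # Constructed request targets, not taken from the advisory.
        for target in ("/media/clip.txt?x=1", "/../secret.txt",
                       "/media/%2e%2e/%2e%2e/secret.txt", "/link"):
            verdict = "serve" if resolve_request_path(root, target) else "refuse"
            print(f"{target!r:40} -> {verdict}")
```

The containment test runs on the canonical path rather than on the raw URL string, so encoded dot segments and symlinks are judged by where they actually lead.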
Solution
Apply the appropriate software fixes as described in the Cisco Security Advisory.
Vendor Information
CISCO
http://www.cisco.com/warp/public/707/cisco-sa-20100721-spcdn.shtml
References
CISCO http://www.cisco.com/warp/public/707/cisco-sa-20100721-spcdn.shtml
Security Tracker http://securitytracker.com/alerts/2010/Jul/1024234.html
VUPEN http://www.vupen.com/english/advisories/2010/1881
Secunia http://secunia.com/advisories/40701/
CVE Name
CVE-2010-1577
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.