SnapStream PVS builtin web server - 3 vulnerabilities

    Snapstream PVS


    The following is based on an Interrorem security announcement.
    Snapstream PVS is a Personal Video System for Windows systems.  It
    allows users to schedule recordings on their PC and to view them
    later at their leisure, on their local machine or across a TCP/IP
    network via an HTTP interface.

    Typically, the Snapstream HTTP interface runs on TCP port 8129.

    Issue 1: Directory traversal bug
    It is possible to navigate outside of the HTTP base directory
    and download any file from the host for which the filename is
    known.  The HTTP server runs in the context of the logged-in user.

    Any files on the target system are available to an attacker.
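
    The containment check whose absence allows Issue 1, as an added
    example (not code from the advisory or from SnapStream). The base
    directory, function name and sample request paths are assumptions;
    SSD.ini is the configuration file described under Issue 2.

```python
import ntpath                      # Windows path rules, usable on any OS
from urllib.parse import unquote

BASE_DIR = r"C:\PVS\wwwroot"       # hypothetical HTTP base directory
DENY_NAMES = {"ssd.ini"}           # never serve the config file by name


def resolve_request(url_path, base_dir=BASE_DIR):
    """Map a request path to a file under base_dir, or return None to refuse."""
    # Decode until stable so double-encoded separators are seen as they
    # will finally be interpreted; refuse anything still changing.
    decoded = url_path
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        return None

    # NUL bytes, drive letters and NTFS alternate data streams.
    if "\x00" in decoded or ":" in decoded:
        return None

    # Treat both separators alike and make the path relative to the base.
    rel = decoded.replace("/", "\\").lstrip("\\")
    base = ntpath.normcase(ntpath.normpath(base_dir))
    candidate = ntpath.normpath(ntpath.join(base_dir, rel))

    # Compare only after normalisation has collapsed every ".." component.
    if ntpath.commonpath([base, ntpath.normcase(candidate)]) != base:
        return None

    # Win32 ignores trailing dots and spaces, so strip them before matching.
    if ntpath.basename(candidate).rstrip(". ").lower() in DENY_NAMES:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request paths, not taken from the advisory.
    for p in ["/videos/show.wmv", "/../../SSD.ini", "/..%5c..%5cboot.ini",
              "/%252e%252e/%252e%252e/boot.ini", "/SSD.INI", "/ssd.ini."]:
        print(f"{p!r:40} -> {resolve_request(p)}")
```

    The check is purely lexical; a server that may have junctions or
    symlinks under its base directory should also compare the fully
    resolved path before opening the file.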

    Issue 2: SSD.ini
    SSD.ini, which contains a great deal of information regarding the
    target system, can be retrieved remotely using the method detailed
    above.  Example:

    The ini file includes the base directory location, usernames, and
    passwords.

    Issue 3: Passwords are stored as plaintext in SSD.INI
    Passwords to the SnapStream PVS software are recoverable remotely
    using the method detailed in Issue 2.


    Nothing yet.
