Security Advisory 05 – 010 – Directory Traversal Vulnerability and Cross Site Scripting Issue
Vulnerability discovery and development:
Portcullis Security Testing Service
Emotion MediaPartner Web Server Version 5.0 (5.1 not confirmed)
The MediaPartner 5.0 web-server is vulnerable to directory traversal. By specifying an HTTP request containing the string ‘../’ an attacker can gain access to files outside of the intended web-published file system directory.
The directory-browsing page generated by the directory traversal vulnerability is itself vulnerable to URL-based cross-site scripting.
The directory traversal allows an attacker to gain access to any file on the drive on which the web-published file system is installed.
An attacker can craft a URL that contains malicious code. When a victim follows the URL, the malicious code is executed by their browser.
No exploit code required.
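A hardened request-to-file mapping and directory listing covering both flaws described above, as an added example that is not part of the original advisory and is not MediaPartner code. The function names and the sample directory tree are assumptions constructed for illustration.

```python
import html
import os
import tempfile
from urllib.parse import unquote, urlsplit

def decoded_path(request_target):
    """Percent-decode the path once; treat backslashes as separators."""
    return unquote(urlsplit(request_target).path).replace("\\", "/")

def resolve_under_root(doc_root, request_target):
    """Return the canonical path inside doc_root, or None if it escapes."""
    path = decoded_path(request_target)
    if "\x00" in path:
        return None
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, path.lstrip("/")))
    # Compare canonical paths; filtering the literal string '../' misses
    # encoded forms such as %2e%2e%2f or ..%5c.
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # e.g. a different drive letter on Windows
        inside = False
    return candidate if inside else None

def render_listing(doc_root, request_target):
    """Return (status, html) for a directory-browsing page."""
    target = resolve_under_root(doc_root, request_target)
    if target is None or not os.path.isdir(target):
        return 404, "<h1>Not found</h1>"
    # The requested path and the file names are untrusted: escape both.
    shown = html.escape(decoded_path(request_target), quote=True)
    rows = "".join("<li>%s</li>" % html.escape(name, quote=True)
                   for name in sorted(os.listdir(target)))
    return 200, "<h1>Index of %s</h1><ul>%s</ul>" % (shown, rows)

def build_sample_root():
    """Constructed sample tree (POSIX names): secret.txt is outside www/."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "www")
    os.makedirs(os.path.join(root, "media", "<u>x"))
    open(os.path.join(root, "media", "clip.txt"), "w").close()
    open(os.path.join(base, "secret.txt"), "w").close()
    return root

if __name__ == "__main__":
    root = build_sample_root()
    for target in ("/media/", "/media/%3Cu%3Ex/", "/%2e%2e/secret.txt"):
        print(target, render_listing(root, target))
```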