Vigil@nce - Cisco Unity Connection: directory traversal via an attachment
November 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can traverse directories of Cisco Unity Connection, in
order to create a file outside the service root path.
Impacted products: Cisco Unity
Severity: 2/4
Creation date: 18/10/2013
DESCRIPTION OF THE VULNERABILITY
The Cisco Unity Connection (Voice Message Web Service) product can
be used to send a message with an attachment.
However, the attachment name is inserted directly into a file
access path. Sequences such as "/.." can thus be used to move up
to the parent directory and create a file there.
An attacker can therefore traverse directories of Cisco Unity
Connection, in order to create a file outside the service root
path.
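The flaw class described above, as an added example that is not from the bulletin and is not Cisco code: the direct join of an attachment name into a path, next to a hardened resolver that keeps only the file component and confirms the result stays under the storage root. The function names and the storage root are assumptions made for illustration.

```python
# Added example: function names and storage layout are assumptions, not Cisco code.
import os
import tempfile

def naive_path(root, attachment_name):
    # Pattern the bulletin describes: the name goes straight into the path.
    return os.path.normpath(os.path.join(root, attachment_name))

def is_inside(root, path):
    # True when path, with symlinks resolved, sits under root.
    root_real = os.path.realpath(root)
    return os.path.commonpath([root_real, os.path.realpath(path)]) == root_real

def safe_path(root, attachment_name):
    """Map a client-supplied attachment name to a path under root, or raise."""
    if not attachment_name or "\x00" in attachment_name:
        raise ValueError("empty or malformed attachment name")
    # Treat both separator styles as separators and keep only the last component.
    leaf = attachment_name.replace("\\", "/").split("/")[-1]
    if leaf in ("", ".", ".."):
        raise ValueError("attachment name has no usable file component")
    candidate = os.path.join(os.path.realpath(root), leaf)
    # Second check: a symlink planted under root must not redirect the write.
    if not is_inside(root, candidate):
        raise ValueError("attachment path escapes the storage root")
    return candidate

def store_attachment(root, attachment_name, data):
    target = safe_path(root, attachment_name)
    # O_EXCL: never overwrite an existing file, even inside the root.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target

if __name__ == "__main__":
    root = tempfile.mkdtemp(prefix="attachments-")  # constructed storage root
    for name in ["greeting.wav", "/../greeting.wav", "a/../../x.wav", ".."]:
        print(repr(name), "naive inside root:", is_inside(root, naive_path(root, name)))
        try:
            print("   hardened ->", safe_path(root, name))
        except ValueError as exc:
            print("   rejected:", exc)
```

Names that reduce to no file component, or that resolve outside the root through a symlink, raise ValueError and are worth logging as rejected uploads.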
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Cisco-Unity-Connection-directory-traversal-via-an-attachment-13620