An unauthenticated
directory traversal vulnerability exists in get_fcont.cgi in GeoVision
GV-LPC2011 and GV-LPC2211 V1.12 and earlier. The vulnerability is caused by
insufficient validation of user-supplied file path input before the requested
file is accessed by the CGI component. A remote attacker may exploit this
vulnerability by sending a crafted request to read arbitrary files accessible
to the affected process, resulting in information disclosure.
Credits
Jincheng Wang (@winmt), Professor Le Yu of Nanjing University of Posts and Telecommunications, and Professor Xiapu Luo of The Hong Kong Polytechnic University has reported:
