CVE-2013-4861
Description
Directory traversal vulnerability in cgi-bin/cmh/get_file.sh in MiCasaVerde VeraLite with firmware 1.5.408 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the filename parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Directory traversal in MiCasaVerde VeraLite firmware 1.5.408 allows authenticated remote attackers to read arbitrary files via a .. in the filename parameter.
Vulnerability
A path traversal vulnerability exists in the cgi-bin/cmh/get_file.sh script of MiCasaVerde VeraLite firmware version 1.5.408. The script does not properly sanitize the filename parameter, allowing an attacker to use .. sequences to escape the intended directory and read arbitrary files on the system. However, the directory used by the script must exist for the traversal to succeed; on a fresh device this directory does not exist, but it can be created by first calling cgi-bin/cmh/store_file.sh?store_file=test [1][2].
Exploitation
An attacker must be an authenticated user (either admin or guest) on the VeraLite. The attack can be performed from the local network or remotely via the internet-based control panel at cp.mios.com when logged in. The attacker first creates the required directory by sending a GET request to store_file.sh with a dummy filename. Then, they send a GET request to get_file.sh with a filename parameter containing ../ sequences to traverse to the target file, e.g., ../../../../../etc/passwd [1][2].
Impact
Successful exploitation allows the attacker to read the contents of any file on the system. This includes sensitive files such as /etc/passwd, which contains hashed root passwords and, if remote access is configured, the tech support remote access password. Disclosure of these credentials could lead to further compromise of the device or network [1][2].
Mitigation
No official fix has been identified in the available references. The vendor may have released a firmware update after the advisory date (August 2013), but no specific patched version is mentioned. Users should consider isolating the VeraLite from untrusted networks, restricting access to the web interface, or upgrading to a newer model if available. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- MiCasaVerde/VeraLite
- Range: =1.5.408
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation in get_file.sh allows `..` directory traversal sequences in the filename parameter."
Attack vector
An authenticated remote attacker sends a GET request to `/cgi-bin/cmh/get_file.sh` with a `filename` parameter containing `../` sequences, e.g. `filename=../../../../../etc/passwd` [ref_id=1][ref_id=2]. On a newly unboxed device the initial path component may not exist, so the attacker first creates the required directory by calling `/cgi-bin/cmh/store_file.sh?store_file=test` [ref_id=1][ref_id=2]. The attack can also be launched through the Internet-based control panel at cp.mios.com when logged in as either an admin or guest [ref_id=1][ref_id=2].
Affected code
The vulnerable script is `/cgi-bin/cmh/get_file.sh` on the MiCasaVerde VeraLite (firmware 1.5.408). The advisory does not show the script's source code, but the bug is in how it handles the `filename` parameter — it fails to strip or reject `..` sequences, allowing directory traversal outside the intended directory [ref_id=1][ref_id=2].
What the fix does
No patch is included in the advisory. The vendor was notified by Trustwave SpiderLabs but the advisory does not state whether a fix was released [ref_id=1][ref_id=2]. To remediate, the `get_file.sh` script must validate the `filename` parameter by rejecting or canonicalizing `..` sequences so that the resulting path cannot escape the intended directory.
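One way to implement the check described above, as an added example in POSIX shell; this is not the vendor's get_file.sh (the advisory does not show its source), and the storage directory passed as BASE and the serve_file wrapper are assumptions:

```shell
#!/bin/sh
# Added example of a filename check of the kind get_file.sh needs. Not the
# vendor's script; BASE and the CGI wrapper below are assumptions.

# resolve_in_base BASE NAME
#   Prints the canonical path of BASE/NAME when that file lies inside BASE and
#   returns 0; otherwise prints nothing and returns 1. NAME must already be
#   URL-decoded so that an encoded %2e%2e cannot slip past the textual check.
resolve_in_base() {
    base=$1
    name=$2
    # Cheap textual rejection first: empty names, absolute paths, and any
    # ".." path component (leading, trailing, or in the middle).
    case "$name" in
        ''|/*) return 1 ;;
        ..|../*|*/..|*/../*) return 1 ;;
    esac
    # Canonicalize both sides so symlinks are followed; a link inside BASE
    # that points elsewhere (e.g. to /etc/passwd) is then caught as well.
    canon_base=$(realpath -- "$base" 2>/dev/null) || return 1
    canon=$(realpath -- "$base/$name" 2>/dev/null) || return 1
    [ -f "$canon" ] || return 1
    case "$canon" in
        "$canon_base"/*) printf '%s\n' "$canon"; return 0 ;;
        *) return 1 ;;
    esac
}

# serve_file BASE NAME: minimal CGI-style response built on the check above.
serve_file() {
    if path=$(resolve_in_base "$1" "$2"); then
        printf 'Content-Type: application/octet-stream\r\n\r\n'
        cat "$path"
    else
        printf 'Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n'
        printf 'invalid filename\n'
        return 1
    fi
}

# Demo against a constructed directory (run with DEMO=1); the real device's
# storage path is not given in the advisory.
if [ "${DEMO:-0}" = 1 ]; then
    d=$(mktemp -d); mkdir -p "$d/store"; echo ok >"$d/store/a.txt"
    serve_file "$d/store" a.txt
    serve_file "$d/store" ../../etc/passwd
    rm -rf "$d"
fi
```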
Preconditions
- auth: Attacker must be an authenticated user (admin or guest) on the VeraLite or on the cp.mios.com control panel
- input: On a newly unboxed device, the attacker must first call store_file.sh to create the required directory
- network: Network access to the VeraLite's web interface or to cp.mios.com
Reproduction
1. If the device is newly unboxed, first create the required directory: `GET http://A.B.C.D/cgi-bin/cmh/store_file.sh?store_file=test` [ref_id=1][ref_id=2].
2. Send the path traversal request: `GET http://A.B.C.D/cgi-bin/cmh/get_file.sh?filename=../../../../../etc/passwd` [ref_id=1][ref_id=2].
3. The contents of `/etc/passwd` are returned in the response.
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- packetstormsecurity.com/files/122654/MiCasaVerde-VeraLite-1.5.408-Traversal-Authorization-CSRF-Disclosure.html
- www.exploit-db.com/exploits/27286
- www3.trustwave.com/spiderlabs/advisories/TWSL2013-019.txt
News mentions
No linked articles in our index yet.