VYPR
Medium severity 6.5 · NVD Advisory · Published Apr 29, 2026 · Updated Apr 29, 2026

CVE-2018-25311

Description

VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows authenticated attackers to disclose arbitrary files by injecting path traversal sequences in the ID parameter. Attackers can submit requests to downloadsys.pl, download_xml.pl, download.pl, downloadmib.pl, or downloadFile.pl with directory traversal payloads to read sensitive system files like /etc/passwd.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

VideoFlow DVP 2.10 has an authenticated directory traversal vulnerability allowing attackers to read arbitrary files via the ID parameter in multiple Perl scripts.

Vulnerability Overview

VideoFlow Digital Video Protection (DVP) version 2.10 contains an authenticated directory traversal vulnerability. The root cause is insufficient validation of user-supplied input passed to the ID parameter in several Perl scripts, including downloadsys.pl, download_xml.pl, download.pl, downloadmib.pl, and downloadFile.pl. Attackers can inject path traversal sequences (e.g., ../) to read arbitrary files from the server's filesystem [1][2][3].

Exploitation

An attacker must first authenticate to the DVP web interface. Once authenticated, they can craft HTTP requests to the affected scripts with a malicious ID parameter containing directory traversal payloads. The scripts then serve the requested file with a Content-Disposition header, enabling the attacker to download sensitive system files such as /etc/passwd [2][3]. Notably, the session does not expire, which may facilitate prolonged exploitation [2].

Impact

Successful exploitation allows an authenticated attacker to disclose arbitrary files on the DVP appliance. This could expose configuration files, credentials, or other sensitive data, potentially leading to further compromise of the device or the network it protects [1][2][3].

Mitigation

As of the publication date, no official patch has been confirmed for this vulnerability. Users of VideoFlow DVP 2.10 should restrict network access to the management interface and monitor for unauthorized file access attempts. Given the lack of vendor response noted in the advisory, upgrading to a newer version or applying workarounds such as input validation filters may be necessary [1][2][3].
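One way to do the monitoring described above, as an added example that is not from the advisory or the vendor: a Python scan of web access logs for requests to the five affected scripts whose ID parameter decodes to a path traversal sequence. The Apache-style log layout, the `/placeholder/` script path and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Script names from the CVE description.
AFFECTED = {"downloadsys.pl", "download_xml.pl", "download.pl",
            "downloadmib.pl", "downloadFile.pl"}
# Assumed log layout: Apache-style access log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed sample lines; "/placeholder/" stands in for the real script path.
SAMPLE_LOG = [
    '192.0.2.10 - admin [29/Apr/2026:10:00:01 +0000] "GET /placeholder/download.pl?ID=report.xml HTTP/1.1" 200 512',
    '198.51.100.7 - admin [29/Apr/2026:10:02:13 +0000] "GET /placeholder/downloadsys.pl?ID=../../../etc/passwd HTTP/1.1" 200 1843',
    '198.51.100.7 - admin [29/Apr/2026:10:02:20 +0000] "GET /placeholder/downloadFile.pl?ID=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1843',
    '192.0.2.10 - admin [29/Apr/2026:10:05:00 +0000] "GET /placeholder/status.pl?ID=../x HTTP/1.1" 404 0',
]

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input (%252e) is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value contains a '..' path segment (either slash style)."""
    norm = decode_fully(value).replace("\\", "/")
    return ".." in norm.split("/")

def find_traversal_attempts(lines):
    """Return one record per traversal-style ID value sent to an affected script."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        script = url.path.rsplit("/", 1)[-1]
        if script not in AFFECTED:
            continue
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            if name.lower() != "id":
                continue
            hits += [{"ip": m["ip"], "script": script, "status": int(m["status"]),
                      "id": decode_fully(v)} for v in values if is_traversal(v)]
    return hits
```

A hit logged with status 200 deserves priority review, since the file was likely served. Access logs only show parameters sent in the query string, so requests that carry ID in a POST body need a different log source.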

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

3
