Details of VAR-200812-0308

ID

VAR-200812-0308

CVE

CVE-2008-5315

TITLE

Apple iPhone Configuration Web Utility for Windows Directory Traversal Vulnerability

Trust: 0.9

sources: BID: 32412 // CNNVD: CNNVD-200812-035

DESCRIPTION

Directory traversal vulnerability in the web interface in Apple iPhone Configuration Web Utility 1.0 on Windows allows remote attackers to read arbitrary files via unspecified vectors. Exploiting this issue will allow an attacker to view arbitrary local files within the context of the webserver. Information harvested may aid in launching further attacks. iPhone is a smart phone product released by Apple Inc. (Apple.Inc, formerly Apple Computer) at the global WWDC 07 conference on January 10, 2007. Remote attackers can read arbitrary files through unknown means. The vulnerability is caused due to an input validation error when processing HTTP GET requests. This can be exploited to download arbitrary files from the affected system via directory traversal attacks. Other versions may also be affected. SOLUTION: Restrict network access to the application. PROVIDED AND/OR DISCOVERED BY: Corey LeBleu and r@b13$ of Digital Defense, Inc. Vulnerability Research Team ORIGINAL ADVISORY: http://lists.grok.org.uk/pipermail/full-disclosure/2008-November/065822.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.07

sources: NVD: CVE-2008-5315 // JVNDB: JVNDB-2008-003690 // BID: 32412 // VULHUB: VHN-35440 // PACKETSTORM: 72252

AFFECTED PRODUCTS

vendor:	apple	model:	iphone configuration web utility	scope:	eq	version:	1.0	Trust: 2.4
vendor:	microsoft	model:	windows	scope:	-	version:	-	Trust: 0.8
vendor:	apple	model:	iphone configuration web utility for windows	scope:	eq	version:	1.0	Trust: 0.3
vendor:	apple	model:	iphone configuration utility for windows	scope:	ne	version:	1.1	Trust: 0.3

sources: BID: 32412 // JVNDB: JVNDB-2008-003690 // CNNVD: CNNVD-200812-035 // NVD: CVE-2008-5315

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2008-5315
value:	HIGH
Trust: 1.0
NVD:	CVE-2008-5315
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-200812-035
value:	HIGH
Trust: 0.6
VULHUB:	VHN-35440
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2008-5315
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-35440
severity:	HIGH
baseScore:	7.8
vectorString:	AV:N/AC:L/AU:N/C:C/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	6.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-35440 // JVNDB: JVNDB-2008-003690 // CNNVD: CNNVD-200812-035 // NVD: CVE-2008-5315

PROBLEMTYPE DATA

problemtype:

CWE-22

Trust: 1.9

sources: VULHUB: VHN-35440 // JVNDB: JVNDB-2008-003690 // NVD: CVE-2008-5315

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200812-035

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-200812-035

CONFIGURATIONS

sources: JVNDB: JVNDB-2008-003690

PATCH

title:	Safari	url:	http://www.apple.com/safari/	Trust: 0.8
title:	Top Page	url:	http://windows.microsoft.com/	Trust: 0.8

sources: JVNDB: JVNDB-2008-003690

EXTERNAL IDS

db:	NVD	id:	CVE-2008-5315	Trust: 2.8
db:	BID	id:	32412	Trust: 2.0
db:	SECUNIA	id:	32852	Trust: 1.8
db:	SREASON	id:	4681	Trust: 1.7
db:	JVNDB	id:	JVNDB-2008-003690	Trust: 0.8
db:	FULLDISC	id:	20081121 DDIVRT-DDIVRT-2008-15 IPHONE CONFIGURATION WEB UTILITY 1.0 FOR WINDOWS DIRECTORY TRAVERSAL	Trust: 0.6
db:	BUGTRAQ	id:	20081205 RE: DDIVRT-DDIVRT-2008-15 IPHONE CONFIGURATION WEB UTILITY 1.0 FOR WINDOWS DIRECTORY TRAVERSAL	Trust: 0.6
db:	BUGTRAQ	id:	20081121 DDIVRT-2008-15 IPHONE CONFIGURATION WEB UTILITY 1.0 FOR WINDOWS DIRECTORY TRAVERSAL	Trust: 0.6
db:	XF	id:	46807	Trust: 0.6
db:	CNNVD	id:	CNNVD-200812-035	Trust: 0.6
db:	VULHUB	id:	VHN-35440	Trust: 0.1
db:	PACKETSTORM	id:	72252	Trust: 0.1

sources: VULHUB: VHN-35440 // BID: 32412 // JVNDB: JVNDB-2008-003690 // PACKETSTORM: 72252 // CNNVD: CNNVD-200812-035 // NVD: CVE-2008-5315

REFERENCES

url:	http://lists.grok.org.uk/pipermail/full-disclosure/2008-november/065822.html	Trust: 1.8
url:	http://www.securityfocus.com/bid/32412	Trust: 1.7
url:	http://archives.neohapsis.com/archives/bugtraq/2008-12/0061.html	Trust: 1.7
url:	http://secunia.com/advisories/32852	Trust: 1.7
url:	http://securityreason.com/securityalert/4681	Trust: 1.7
url:	http://www.securityfocus.com/archive/1/498559/100/0/threaded	Trust: 1.1
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/46807	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-5315	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-5315	Trust: 0.8
url:	http://xforce.iss.net/xforce/xfdb/46807	Trust: 0.6
url:	http://www.securityfocus.com/archive/1/archive/1/498559/100/0/threaded	Trust: 0.6
url:	http://support.apple.com/downloads/iphone_configuration_web_utility_1_0_for_windows	Trust: 0.3
url:	/archive/1/498559	Trust: 0.3
url:	/archive/1/498967	Trust: 0.3
url:	http://secunia.com/advisories/secunia_security_advisories/	Trust: 0.1
url:	http://secunia.com/advisories/product/20556/	Trust: 0.1
url:	http://secunia.com/advisories/business_solutions/	Trust: 0.1
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.1
url:	http://secunia.com/advisories/32852/	Trust: 0.1
url:	http://secunia.com/advisories/about_secunia_advisories/	Trust: 0.1

sources: VULHUB: VHN-35440 // BID: 32412 // JVNDB: JVNDB-2008-003690 // PACKETSTORM: 72252 // CNNVD: CNNVD-200812-035 // NVD: CVE-2008-5315

CREDITS

Corey LeBleu and r@b13$

Trust: 0.3

sources: BID: 32412

SOURCES

db:	VULHUB	id:	VHN-35440
db:	BID	id:	32412
db:	JVNDB	id:	JVNDB-2008-003690
db:	PACKETSTORM	id:	72252
db:	CNNVD	id:	CNNVD-200812-035
db:	NVD	id:	CVE-2008-5315

LAST UPDATE DATE

2025-04-10T23:16:33.220000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-35440	date:	2018-10-11T00:00:00
db:	BID	id:	32412	date:	2008-12-11T05:01:00
db:	JVNDB	id:	JVNDB-2008-003690	date:	2012-06-26T00:00:00
db:	CNNVD	id:	CNNVD-200812-035	date:	2009-01-29T00:00:00
db:	NVD	id:	CVE-2008-5315	date:	2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-35440	date:	2008-12-03T00:00:00
db:	BID	id:	32412	date:	2008-11-21T00:00:00
db:	JVNDB	id:	JVNDB-2008-003690	date:	2012-06-26T00:00:00
db:	PACKETSTORM	id:	72252	date:	2008-11-24T17:45:11
db:	CNNVD	id:	CNNVD-200812-035	date:	2008-11-21T00:00:00
db:	NVD	id:	CVE-2008-5315	date:	2008-12-03T17:30:00.493