Snapstream Personal Video Station is an application for Microsoft Windows which allows users to record video output on their PC and view it at a later time, locally or via an HTTP interface. The Snapstream PVS web interface runs on port 8129.
Snapstream PVS is prone to attacks which allow a remote user to break out of the wwwroot and browse the filesystem at large. The remote attacker may accomplish this by crafting a web request which uses '../' sequences to traverse directories and access arbitrary web-readable files.
The impact of exploiting this vulnerability is that confidential information may be disclosed to the attacker and follow-up attacks against the host may occur.
If exploited conjunction with Bugtraq ID 3101, a remote attacker can gain the administrative password for Snapstream.
Snapstream Personal Video Station (PVS) URI Traversal Arbitrary File Access
Remote / Network Access
Loss of Confidentiality,
Loss of Integrity
SnapStream PVS contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the server not properly sanitizing user input, specifically traversal style attacks (../../) supplied via the URI.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.