[原文]Directory traversal vulnerability in ComGetLogFile.php3 for TrackerCam 5.12 and earlier allows remote attackers to read arbitrary files via ".." sequences and (1) "/" slash), (2) "\" (backslash), or (3) hex-encoded characters in the fn parameter.
TrackerCam ComGetLogFile.php3 fm Parameter Traversal Arbitrary File Access
Remote / Network Access
Loss of Confidentiality
TrackerCam contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the ComGetLogFile.php3 script not properly sanitizing user input, specifically traversal style attacks (../../) supplied via the "fn" parameter.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.