Vulnerability

    HomeSeer

Affected

    HomeSeer prior to 1.4.29

Description

    Following is based on a SNS Research Security Advisory.   HomeSeer
    is home automation software for Windows 2000, Windows NT,  Windows
    98, and Windows 95 that uses inexpensive X10 technology to control
    your lights, appliances, and  audio/video equipment.  A  webserver
    is build in, allowing you  to even remote control your  appliances
    over the Internet.

    Adding the  string "../"  to an  URL allows  an attacker  to files
    outside of the webserver's publishing directory.  This allows read
    access to any file on the server.  Example:

        http://localhost:80/../../../autoexec.bat

    reads the file "autoexec.bat" from the partition's root dir.

Solution

    Vendor has been  notified and has  acknowledged this problem.   It
    has  been  fixed  in  the  1.4.29  (beta-)version  of the HomeSeer
    software which is availble from

        http://www.keware.com/kewarebeta.htm

    and will be included in the  future 1.5 release.  This was  tested
    against  HomeSeer  1.4.   Older   versions  can  be  expected   to
    vulnerable, users are encouraged to upgrade.