SOUND4 Impact, First, Pulse, and Eco Unauthenticated Directory Traversal Vulnerability Allowing Arbitrary File Write

Vulnerability

A directory traversal vulnerability has been identified in SOUND4 products, specifically in the IMPACT, FIRST, PULSE, and Eco versions through 2.x. This vulnerability allows remote attackers to write arbitrary files by exploiting the 'upgfile' parameter in 'upload.cgi'. The issue arises from inadequate validation of input, enabling attackers to send crafted multipart form-data POST requests that include directory traversal sequences, directing files to unintended locations on the system.

Impact

Exploitation of this vulnerability could lead to unauthorized file writes, potentially overwriting critical system files or introducing malicious payloads that could be executed on the server.

Reproduction

The vulnerability can be reproduced by sending a POST request to the 'upload.cgi' script with the 'upgfile' parameter. The request must include directory traversal sequences to navigate out of the intended upload directory and into a location where the attacker can write files. This can be done using a multipart form-data content type, which is commonly used for file uploads.
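A defender-side check for the request shape described above, as an added example that is not part of the original advisory or of SOUND4's code: it parses a multipart form-data body and reports any 'upgfile' part whose filename would leave the upload directory. The function names, the boundary string and the sample filenames are constructed for illustration.

```python
import re
from email import message_from_bytes
from urllib.parse import unquote

FIELD = "upgfile"                  # form field named in the advisory
BOUNDARY = "constructedboundary"   # constructed value for the sample below

def traversal_reason(filename):
    """Return why a client-supplied filename is unsafe, or None for a plain name."""
    decoded = filename
    for _ in range(3):             # undo nested percent-encoding (%252e -> %2e -> .)
        decoded = unquote(decoded)
    norm = decoded.replace("\\", "/")
    if "\x00" in norm:
        return "NUL byte"
    if norm.startswith("/") or re.match(r"[A-Za-z]:", norm):
        return "absolute path"
    if ".." in norm.split("/"):
        return "parent-directory segment"
    if "/" in norm:
        return "path separator"
    return None

def inspect_upload(content_type, body):
    """Return (filename, reason) for every unsafe 'upgfile' part in a multipart body."""
    header = b"Content-Type: " + content_type.encode() + b"\r\n\r\n"
    msg = message_from_bytes(header + body)
    findings = []
    if not msg.is_multipart():
        return findings
    for part in msg.get_payload():
        if part.get_param("name", header="content-disposition") != FIELD:
            continue
        filename = part.get_filename() or ""
        reason = traversal_reason(filename)
        if reason:
            findings.append((filename, reason))
    return findings

def constructed_body(filename):
    """Constructed sample input: a one-part form-data body, not a captured request."""
    return (f"--{BOUNDARY}\r\n"
            f'Content-Disposition: form-data; name="{FIELD}"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\nconstructed\r\n"
            f"--{BOUNDARY}--\r\n").encode()

if __name__ == "__main__":
    ctype = f"multipart/form-data; boundary={BOUNDARY}"
    for name in ("firmware_2.bin", "../../constructed.bin"):
        print(name, "->", inspect_upload(ctype, constructed_body(name)) or "ok")
```

The same filename test applies on the server side before any write: a name that returns a reason should be rejected rather than cleaned up and used.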

Added: Dec 22, 2025, 10:22 PM
Updated: Dec 22, 2025, 10:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 1.5
threat: 6.5
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.