Infosec.20000207.axis700.a

From: Vitek, Ian (ian.vitekat_private)
Date: Mon Feb 07 2000 - 05:01:40 PST


    Infosec Security Vulnerability Report
    No: Infosec.20000207.axis700.a
    =====================================
    
    Vulnerability Summary
    ---------------------
    
    Problem: Bypassing authentication on Axis 700 Network Scanner;
                   by modifying a URL, outsiders can access
                   administrator URLs without entering a username
                   and password.
    
    Threat: Unauthorized access.
    
    Platform: Axis 700 Network Scanner Server
                   (Software Version 1.12)
    
    Solution: None? See below.
    
    
    Vulnerability Description
    -------------------------
    User pages are located under http://server/user/.
    The URL to the configuration page is:
    http://server/admin/this_axis700/this_axis700.shtml
    This page is password protected. The actual configuration takes place on the
    pages linked from this page. Changing the URL to:
    http://server/user/../admin/this_axis700/this_axis700.shtml
    gives an outsider access to the configuration page without entering a username
    and password. The server seems to check access permissions before URL conversion.
    The server also decodes %1u to %2e (not a vulnerability).
    
    Solution
    --------
    <<Quote_from_Axis_Support
    Hi,
    
    You will find the latest version on http://www.axis.se/techsup
    
    
    Best Regards
    
    XXXXXX XXXXXXX
    Quote_from_Axis_Support
    
    Nothing says that version 1.14 will fix this vulnerability.
    
    
    Other information
    -----------------
    Infosec recommends that everyone try to access their authorized pages with URLs
    such as:
    http://server/NonPrivPage/../PrivPage/
    
    Infosec thanks weld at l0pht for the inspiration
    (http://www.l0pht.com/advisories/showcode.txt)
    
    //Ian Vitek
    ian.vitekat_private
    
    -------------------------------
    Infosec is a Swedish-based tiger team that has worked with computer-related
    security since 1982 and done penetration tests and technical revisions since
    1996. Infosec is now searching for co-workers. Call Blume on +46-8-6621070 for
    more information.
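
The check-before-conversion ordering described under "Vulnerability Description", as an added Python example that is not part of the advisory and is not Axis code. It assumes a single protected prefix (/admin/) and hypothetical function names, and compares an access check made on the raw request path with one made on the normalized path; the sample paths are constructed from the URLs in the advisory.

```python
import posixpath
from urllib.parse import unquote

PROTECTED = "/admin"  # assumption: everything under /admin/ requires a login

# Constructed sample requests, modeled on the URLs in the advisory.
SAMPLE_PATHS = [
    "/user/index.shtml",
    "/admin/this_axis700/this_axis700.shtml",
    "/user/../admin/this_axis700/this_axis700.shtml",
]

def resolve(raw_path):
    """Return the canonical path that would actually be served."""
    decoded = unquote(raw_path)  # decode percent-escapes before normalizing
    # normpath collapses "." and ".." segments; the single leading "/" keeps
    # the result rooted, so ".." can never climb above the document root.
    return posixpath.normpath("/" + decoded.lstrip("/"))

def is_protected(path):
    return path == PROTECTED or path.startswith(PROTECTED + "/")

def vulnerable_needs_auth(raw_path):
    # Flawed order: the access rule is matched against the raw request path,
    # and the path is only converted afterwards, when the file is fetched.
    return is_protected(raw_path)

def hardened_needs_auth(raw_path):
    # Correct order: convert first, then match the rule on the same
    # canonical path that will be used to fetch the file.
    return is_protected(resolve(raw_path))

def audit(paths, needs_auth):
    """List request paths that reach a protected page with no login demanded."""
    return [p for p in paths if is_protected(resolve(p)) and not needs_auth(p)]

if __name__ == "__main__":
    for name, check in (("raw-path check", vulnerable_needs_auth),
                        ("normalized check", hardened_needs_auth)):
        print(name, "-> unauthenticated access to:", audit(SAMPLE_PATHS, check))
```

The same audit() loop can serve as a regression test for any path-based access rule: every request form that resolves into the protected area must be flagged as needing authentication.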
    