Infosec.20000229.axisstorpointcd.a

From: Vitek, Ian (ian.vitekat_private)
Date: Tue Feb 29 2000 - 05:18:54 PST

Next message: Morten Welinder: "xterm log file vulnerability"

Previous message: 3APA3A: "IIS dosn't check existance of local file before calling CGI"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Infosec Security Vulnerability Report
No: Infosec.20000229.axisstorpointcd.a
======================================

Vulnerability Summary
---------------------

Problem: Bypassing authentication on Axis StorPoint CD;
               By modifying an URL, outsiders can access
               administrator URLs without entering username
               and password

Threat: Unauthorized access

Platform: Axis StorPoint CD
          Axis StorPoint CD/T
               (Software Version 4.13)

Solution: Upgrade to Software Version 4.28


Vulnerability Description
-------------------------
CDs are available from the URL http://server/cd/
The configuration URL is:
http://server/config/html/cnf_gi.htm
This page is protected by a login and could contain very sensitive information.
The login could be bypassed by the URL:
http://server/cd/../config/html/cnf_gi.htm

The server seems to check access permissions before URL conversion.

Solution
--------
Infosec and Axis recommends customers to upgrade their StorPoint Software. The
current version is 4.28 and is not vulnerable to this attack.
http://www.se.axis.com/techsup/cdsrv/storpoint_cd/index.html

Additional Information
----------------------
The Axis StorPoint CD and StorPoint CD/T with Software Version 4.13 are old
products with old software (from 1997). As Axis says:
"Note that the development for StorPoint CD and CD/T has been discontinued from
November 1999, only minor service releases will be available."
Axis has tested their new products, Axis StorPoint CD E100 and StorPoint NAS
100, and this vulnerability was not been found.

Recognition
-----------
Infosec would like to thank Peter Berggren and Johan Diedrichs at Axis for their
involvement with testing and supplying patch information.

//Ian Vitek
ian.vitekat_private

-------------------------------
Infosec is a Swedish based tigerteam that has worked with computer-related
security since 1982 and done penetration tests and technical revisions since
1996. Infosec is now searching for co-workers. Call Blume on +46-8-6621070 for
more information.

Next message: Morten Welinder: "xterm log file vulnerability"
Previous message: 3APA3A: "IIS dosn't check existance of local file before calling CGI"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:38:20 PDT