Axis Video and Camera Servers - System log access and file access/overwrite via HTTP/CGI

From: Axis Product Security (product-securityat_private)
Date: Tue Mar 25 2003 - 06:30:35 PST


    Date: 2003-03-25
    
    
    1. Topic
    
    System log access and file access/overwrite via HTTP/CGI
    
    
    2. Description
    
    CGI applications that allow file and directory creation and overwrite,
    and access to the system log, have incorrect access permissions in a
    number of Axis products.
    
    In affected products a user with the lowest access privileges may
    read the system log, and create or overwrite arbitrary files in the
    local file system.
    
    3. Affected products
    
    System log access:
    
    2400: 2.00 and above 
    2401: 2.00 and above 
    
    File creation and overwrite:
    
    2130: 2.32
    2400: 2.00 and above 
    2401: 2.00 and above 
    2420: 2.30 and above
    
    
    4. Interim workaround
    
    Access privileges to the affected CGIs can be corrected by modifying
    the HTTP server configuration file (located in /etc/httpd/conf/boa.conf)
    as follows.
    
    System log access:
    2400: add lines - AuthPath /usr/html/support/ axadmin
                      AuthPath /support/ axadmin
    2401: add lines - AuthPath /usr/html/support axadmin
                      AuthPath /support/ axadmin
                       
    File creation and overwrite:
    2420: change 2 lines referring to /axis-cgi/buffer/ from axview to axadmin
    2400: change 2 lines referring to /axis-cgi/buffer/ from axview to axadmin
    2401: change 2 lines referring to /axis-cgi/buffer/ from axview to axadmin
    2130: change 2 lines referring to /axis-cgi/buffer/ from axview to axadmin
    
    We recommend that these changes be made on devices placed in publicly
    accessible networks.
    
    The problems will be corrected in the next firmware release.
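    The edits listed above, as an added example that is not part of the Axis
    advisory: a POSIX shell script that applies the section 4 workaround to a
    copy of boa.conf and then checks the result. The AuthPath lines and the
    axview/axadmin group names are taken from the advisory; the sample
    configuration excerpt is constructed for illustration, and the exact form
    of the two /axis-cgi/buffer/ lines in a real boa.conf is an assumption
    (the advisory only says that two such lines exist and that axview must
    become axadmin).

```shell
#!/bin/sh
# Added example (not Axis code): apply the interim workaround from section 4
# to a copy of boa.conf and verify the result. The excerpt written by
# make_sample_conf is CONSTRUCTED; the exact form of the two /axis-cgi/buffer/
# lines in a real file is an assumption.

# Constructed sample: the two buffer lines still at axview, plus one unrelated
# admin-only line that must be left alone.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed excerpt for illustration, not a real Axis boa.conf
AuthPath /usr/html/axis-cgi/buffer/ axview
AuthPath /axis-cgi/buffer/ axview
AuthPath /usr/html/axis-cgi/admin/ axadmin
EOF
}

# File creation/overwrite fix (2130, 2400, 2401, 2420): every line that refers
# to /axis-cgi/buffer/ and ends in axview gets axadmin instead. Other lines
# are untouched.
fix_buffer_cgi() {
    sed '\|/axis-cgi/buffer/|s/axview[[:space:]]*$/axadmin/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# System log fix (2400, 2401): append the two AuthPath lines from the
# advisory. The 2400 entry has a trailing slash on the /usr/html path, the
# 2401 entry does not, exactly as listed in section 4. Idempotent: the lines
# are only appended if the /support/ entry is not already present.
add_support_auth() {
    conf=$1
    case $2 in
        2400) usr_path=/usr/html/support/ ;;
        2401) usr_path=/usr/html/support ;;
        *) return 0 ;;   # no system-log change listed for other models
    esac
    grep -q '^AuthPath /support/ axadmin' "$conf" ||
        printf 'AuthPath %s axadmin\nAuthPath /support/ axadmin\n' "$usr_path" >> "$conf"
}

# Per-model entry point, following the affected-product lists in section 3.
apply_workaround() {
    conf=$1; model=$2
    case $model in
        2130|2420) fix_buffer_cgi "$conf" ;;
        2400|2401) fix_buffer_cgi "$conf"; add_support_auth "$conf" "$model" ;;
        *) echo "model $model not listed in the advisory" >&2; return 1 ;;
    esac
}

# Checks to run afterwards: no buffer CGI may still be reachable by axview,
# and for 2400/2401 the /support/ path must be admin-only.
buffer_still_axview() {
    grep '/axis-cgi/buffer/' "$1" | grep -q 'axview'
}

support_is_admin_only() {
    grep -q '^AuthPath /support/ axadmin' "$1"
}

count_buffer_axadmin() {
    grep -c '/axis-cgi/buffer/.*axadmin$' "$1"
}

# Usage: work on a copy and review the diff before installing it on the device.
#   cp /etc/httpd/conf/boa.conf /tmp/boa.conf
#   apply_workaround /tmp/boa.conf 2401
#   diff /etc/httpd/conf/boa.conf /tmp/boa.conf
```

    The substitution is restricted to lines that mention /axis-cgi/buffer/ so
    that an existing axadmin directive elsewhere in the file is not touched,
    and the system-log lines are appended only once, so running the script
    twice on the same file is safe.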
    
    
    5. Vulnerability reporting
    
    Information on this vulnerability was originally sent by Martin
    Eiszner to securityat_private, which at the time did not exist, and
    anne.rhenmanat_private, our Director of Investor Relations.
    
    To limit the amount of misdirected support questions, etc., Axis has
    decided to remove e-mail based support. This includes mailboxes for
    vulnerability reports. Instead, reports such as this one should be
    delivered via Axis' web based support system, available at
    http://www.axis.com/techsup/index.htm .
    
    Information on this was regrettably missing from the Axis website;
    the contact information will be corrected.
    



    This archive was generated by hypermail 2b30 : Tue Mar 25 2003 - 11:22:06 PST