Axis Webcams Three Vulnerabilities

Secunia Advisory: SA8217
Release Date: 2003-03-05
Last Update: 2003-03-26
Critical: Less critical
Impact: Manipulation of data, Exposure of system information, Exposure of sensitive information, DoS
Where: From local network
Solution Status: Unpatched
OS: Axis Network Camera, Axis Network Video Server

Description: Three vulnerabilities have been confirmed in Axis Webcams version 2100 and 2400. The vulnerabilities have all been identified in the embedded Video Server (version 2.33 and prior).

The first vulnerability is caused by an access control error. Any person can request the file "http://[server]/support/messages", which returns "/var/log/messages" and may disclose sensitive information.

The other two vulnerabilities are both caused by an input validation error in "command.cgi". A malicious person can exploit these to create arbitrary files or overwrite system files, causing a DoS (Denial of Service).

Confirmed vulnerable versions:

Log access:
  2400: 2.00 and above
  2401: 2.00 and above

Overwriting files:
  2130: 2.32
  2400: 2.00 and above
  2401: 2.00 and above
  2420: 2.30 and above

Solution: It is possible to implement a workaround by changing /etc/httpd/conf/boa.conf.

Log access:
Add the following two lines:
  AuthPath /usr/html/support/ axadmin
  AuthPath /support/ axadmin

Overwriting files:
Change the lines referring to /axis-cgi/buffer/ from axview to axadmin.

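
One way to check that the workaround above is in place, as an added example that is not part of the advisory or any Axis tooling. It assumes every relevant line has the form "AuthPath <path> <group>" as shown above and that "#" starts a comment; the sample fragments, including the /usr/html/axis-cgi/buffer/ path, are constructed.

```python
# Paths the advisory's workaround requires to be restricted to axadmin.
SUPPORT_PATHS = ("/usr/html/support/", "/support/")
BUFFER_PATH = "/axis-cgi/buffer/"
ADMIN_GROUP = "axadmin"

# Constructed sample fragments (not taken from a real device).
BEFORE = """\
# boa.conf fragment before the workaround
AuthPath /usr/html/axis-cgi/buffer/ axview
AuthPath /axis-cgi/buffer/ axview
"""
AFTER = """\
AuthPath /usr/html/support/ axadmin
AuthPath /support/ axadmin
AuthPath /usr/html/axis-cgi/buffer/ axadmin
AuthPath /axis-cgi/buffer/ axadmin
"""


def parse_authpaths(conf_text):
    """Return (path, group) pairs from 'AuthPath <path> <group>' lines.

    Assumption: one directive per line, '#' starts a comment.
    """
    rules = []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "AuthPath":
            rules.append((parts[1], parts[2]))
    return rules


def audit_boa_conf(conf_text):
    """Return a list of findings; an empty list means the workaround is in place."""
    rules = parse_authpaths(conf_text)
    findings = []
    # Log access: both support paths must be explicitly bound to axadmin.
    for path in SUPPORT_PATHS:
        if (path, ADMIN_GROUP) not in rules:
            findings.append(f"missing: AuthPath {path} {ADMIN_GROUP}")
    # Overwriting files: no support or buffer path may stay on a weaker group.
    for path, group in rules:
        if (path in SUPPORT_PATHS or BUFFER_PATH in path) and group != ADMIN_GROUP:
            findings.append(f"weak: AuthPath {path} {group} (expected {ADMIN_GROUP})")
    return findings


if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_boa_conf(text) or "workaround in place")
```
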
Provided and/or discovered by: Martin Eiszner
Original Advisory: 26/03-2003 Axis has published information regarding a workaround by changing the configuration
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

5 Related Secunia Security Advisories

1. AXIS 207W Network Camera Multiple Vulnerabilities
2. Axis Products DNS Implementation Denial of Service Vulnerability
3. Axis Network Camera / Video Server Command Injection and Directory Traversal
4. Axis Network Camera HTTP Authentication Bypass Vulnerability
5. Axis cameras and video servers buffer overflow