Message-ID: <20030325143035.GB19578@axis.com>
Date: Tue, 25 Mar 2003 15:30:35 +0100
From: Axis Product Security <product-security@...s.com>
To: bugtraq@...urityfocus.com
Subject: Axis Video and Camera Servers - System log access and file access/overwrite via HTTP/CGI


Date: 2003-03-25


1. Topic

System log access and file access/overwrite via HTTP/CGI


2. Description

CGI applications that allow files and directories to be created and
overwritten, and CGI applications that give access to the system log,
have incorrect access permissions in a number of Axis products.

In affected products, a user with the lowest access privileges can read
the system log and create or overwrite arbitrary files in the local
file system.

3. Affected products

System log access:

2400: 2.00 and above 
2401: 2.00 and above 

File creation and overwrite:

2130: 2.32
2400: 2.00 and above 
2401: 2.00 and above 
2420: 2.30 and above


4. Interim workaround

Access privileges for the affected CGIs can be corrected by editing the
HTTP server configuration file (/etc/httpd/conf/boa.conf) as follows.

System log access:
2400: add lines - AuthPath /usr/html/support/ axadmin
                  AuthPath /support/ axadmin
2401: add lines - AuthPath /usr/html/support axadmin
                  AuthPath /support/ axadmin
                   
File creation and overwrite:
2420: change 2 lines referring to /axis-cgi/buffer/ from axview to axadmin
2400: change 2 lines referring to /axis-cgi/buffer/ from axview to axadmin
2401: change 2 lines referring to /axis-cgi/buffer/ from axview to axadmin
2130: change 2 lines referring to /axis-cgi/buffer/ from axview to axadmin

We recommend that these changes are made on devices placed in publicly
accessible networks. 

The problems will be corrected in the next firmware release.
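The workaround above, as an added shell example that is not part of the Axis advisory: it audits a boa.conf for /axis-cgi/buffer/ AuthPath entries still granted to axview, rewrites them to axadmin, and appends the two /support/ AuthPath lines (in the form the advisory gives for the 2400) if they are missing. The configuration it operates on is a constructed sample; the exact text of the two /axis-cgi/buffer/ lines on a real device, and the use of the 2400 form of the /usr/html/support/ line for every model, are assumptions.

```shell
#!/bin/sh
# Added example; not Axis tooling. The two /axis-cgi/buffer/ lines in the
# sample below are an assumption about how the affected boa.conf lines look.
set -eu

# Report every AuthPath line that still grants /axis-cgi/buffer/ to the
# axview group. Exit status 1 if any such line exists, 0 if the file is clean.
audit_boa_conf() {
    if grep -E '^[[:space:]]*AuthPath[[:space:]]+[^[:space:]]*/axis-cgi/buffer/?[[:space:]]+axview' "$1"; then
        return 1
    fi
    return 0
}

# Apply the advisory's interim workaround to FILE in place:
#   1. /axis-cgi/buffer/ AuthPath lines: axview -> axadmin
#   2. append the two /support/ AuthPath lines (2400 form) unless present
# Running it twice changes nothing the second time.
harden_boa_conf() {
    conf=$1
    tmp="$conf.tmp"
    sed -E 's#^([[:space:]]*AuthPath[[:space:]]+[^[:space:]]*/axis-cgi/buffer/?[[:space:]]+)axview([[:space:]]*)$#\1axadmin\2#' \
        "$conf" > "$tmp"
    for p in /usr/html/support/ /support/; do
        if ! grep -qE "^[[:space:]]*AuthPath[[:space:]]+$p[[:space:]]+axadmin" "$tmp"; then
            printf 'AuthPath %s axadmin\n' "$p" >> "$tmp"
        fi
    done
    mv "$tmp" "$conf"
}

# Number of AuthPath lines in FILE ($1) that grant PATH ($2) to GROUP ($3).
count_authpath() {
    grep -cE "^[[:space:]]*AuthPath[[:space:]]+$2[[:space:]]+$3([[:space:]]|\$)" "$1" || true
}

# Write a constructed boa.conf fragment modelled on the advisory to FILE.
# This is sample data, not a real device configuration.
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample boa.conf fragment
DocumentRoot /usr/html
AuthPath /usr/html/axis-cgi/buffer/ axview
AuthPath /axis-cgi/buffer/ axview
AuthPath /axis-cgi/admin/ axadmin
EOF
}

# Demonstration on the constructed sample.
demo_conf=$(mktemp)
make_sample_conf "$demo_conf"
echo "Before:"
audit_boa_conf "$demo_conf" || echo "-> axview still reaches /axis-cgi/buffer/, applying workaround"
harden_boa_conf "$demo_conf"
echo "After:"
audit_boa_conf "$demo_conf" && echo "-> no axview access to /axis-cgi/buffer/"
cat "$demo_conf"
rm -f "$demo_conf"
```

On a device, run the audit against /etc/httpd/conf/boa.conf first so you see exactly which lines will change, then apply the hardening and restart the HTTP server; re-running the audit afterwards is the check that the workaround took effect.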


5. Vulnerability reporting

Information on this vulnerability was originally sent by Martin
Eiszner to security@...s.com, which at the time did not exist, and
anne.rhenman@...s.com, our Director of Investor Relations.

To limit the amount of misdirected support questions, etc., Axis has
decided to remove e-mail based support. This includes mailboxes for
vulnerability reports. Instead, reports such as this one should be
delivered via Axis' web based support system, available at
http://www.axis.com/techsup/index.htm .

This information was regrettably missing from the Axis website; the
contact information will be corrected.


