lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <3FF29699.29049.50C57D61@localhost>
From: townsend at northlink.com (townsend@...thlink.com)
Subject: XSS vulnerability in Canon webcam

I ran a nessus security scan against our recently purchased Canon VB-C10R Network 
Camera (remote controlled web-cam). It revealed the information listed below, which 
includes a Cross Site Scripting vulnerability in the embedded web sever.  I have 
verified that this affects Opera 6 & 7, Mozilla Firebird 0.6.1, Netscape 4.x, 6 & 7, and 
Mozilla 1.6b, but it does not effect my IE6sp1+, including NeoPlanet and Avant.

I have contacted Canon several times about this but I don't think they are too 
concerned (and I don't have the experience to determine if this is a significant problem 
or not; or if other web-cams are also vulnerable). Canon did not acknowledged any of 
my emails or even the fax their customer support person asked me to send until finally 
I was able to speak with a supervisor the next week who said they had received an 
email and that it was going to being sent to their NY HQ, which would then send it to 
their engineers in Japan. He didn't think I would hear anything for at least a couple of 
weeks, if ever. I initially called them on Nov. 28th.

I would appreciate any comments on this issue.


<snip from Email to Canon>

...The Flash ROM Firmware for the camera was upgraded to the latest - ver. 1.0 Rev. 
21 prior to the scan. The camera's s/n is 2510320297.  Of these issues, item three is 
of the most concern to me. Perhaps an upgrade to boa 0.94.13 <http://www.boa.org/> 
may solve this problem? (I have not taken the time yet to further research this.)

Please let me know the status of this issue and your time line for resolution.


1)  Service: http (80/tcp)
Severity: Low - The following directories were discovered:

/sample

The following directories require authentication:
/admin, /cgi-bin, /java, /support

2)  Service: http (80/tcp)
Severity: Low
The remote web server type is :

Boa/0.92o

This web server was fingerprinted as Boa/0.92o
which is consistent with the displayed banner

Solution : We recommend that you configure (if possible) your web server to return
a bogus Server header in order to not leak information.


3)   The remote web server seems to be vulnerable to the Cross Site Scripting 
vulnerability (XSS). The vulnerability is caused by the result returned to the user when 
a non-existing file is requested (e.g. the result contains the JavaScript provided in the 
request).
The vulnerability would allow an attacker to make the server present the user with the 
attacker's JavaScript/HTML code.
Since the content is presented by the server, the user will give it the trust level of the 
server (for example, the trust level of banks, shopping centers, etc. would usually be 
high).

Sample url : http://198.182.xxx.xxx:80/<SCRIPT>alert('Vulnerable')</SCRIPT>.jsp

Risk factor : Medium

</snip>


Casey Townsend
System Administrator
Department of Transportation
City of Tucson
520-791-5100

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ