Message-ID: <900ea070910140057y2561b77bm3975ada8b90f58b8@mail.gmail.com>
Date: Wed, 14 Oct 2009 09:57:04 +0200
From: Andrea Fabrizi <andrea.fabrizi@...il.com>
To: vulnwatch@...nwatch.org, full-disclosure@...ts.grok.org.uk
Subject: Everfocus EDSR remote authentication bypass
**************************************************************
Product: Everfocus EDSR series
Version affected: 1.4 and older
Website: http://www.everfocus.com/
Discovered By: Andrea Fabrizi
Email: andrea.fabrizi@...il.com
Web: http://www.andreafabrizi.it
Vuln: remote DVR applet authentication bypass
**************************************************************
The EDSR firmware doesn't correctly handle user authentication and sessions.
This exploit lets you connect to every remote DVR (without username
and password) and see the live cams :)
Exploit: http://www.andreafabrizi.it/files/EverFocus_Edsr_Exploit.tar.gz
I discovered this vulnerability one year ago and I have informed the
vendor, but apparently there is no solution at this time.
--
Andrea Fabrizi
http://www.andreafabrizi.it
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/