[13742] in bugtraq
Infosec.20000207.axis700.a
daemon@ATHENA.MIT.EDU (Vitek, Ian)
Mon Feb  7 19:13:42 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id:  <4125687E.004790B1.00@mailgw.backupcentralen.se>
Date:         Mon, 7 Feb 2000 14:01:40 +0100
Reply-To: ian.vitek@INFOSEC.SE
From: "Vitek, Ian" <ian.vitek@INFOSEC.SE>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Infosec Security Vulnerability Report
No: Infosec.20000207.axis700.a
=====================================
Vulnerability Summary
---------------------
Problem: Bypassing authentication on Axis 700 Network Scanner;
               By modifying an URL, outsiders can access
               administrator URLs without entering username
               and password.
Threat: Unauthorized access.
Platform: Axis 700 Network Scanner Server
               (Software Version 1.12)
Solution: Non? Se below.
Vulnerability Description
-------------------------
User pages are located under http://server/user/.
The URL to the configuration page is:
http://server/admin/this_axis700/this_axis700.shtml
This page is password protected. The actual configuration takes place on the
pages linked from this page. By changing the URL to:
http://server/user/../admin/this_axis700/this_axis700.shtml
gives an outsider access to the configuration page without entering username and
password. The server seems to check access permissions before URL conversion.
The server also decodes %1u to %2e (not a vulnerability).
Solution
--------
<<Quote_from_Axis_Support
Hi,,
You will find the latest version on http://www.axis.se/techsup
Best Regards
XXXXXX XXXXXXX
Quote_from_Axis_Support
Nothing says that version 1.14 will fix this vulnerability.
Other information
-----------------
Infosec recommends everyone to try to access their authorized pages with URLs
as:
http://server/NonPrivPage/../PrivPage/
Infosec thanks weld at l0pht for the inspiration
(http://www.l0pht.com/advisories/showcode.txt)
//Ian Vitek
ian.vitek@infosec.se
-------------------------------
Infosec is a Swedish based tigerteam that have worked with computer-related
security since 1982 and done penetration tests and technical revisions since
1996. Infosec is now searching for co-workers. Call Blume on +46-8-6621070 for
more information.