Date: Mon, 7 Feb 2000 14:01:40 +0100
From: "Vitek, Ian" <ian.vitek@INFOSEC.SE.>
To: [email protected]Subject: Infosec.20000207.axis700.a
Infosec Security Vulnerability Report
No: Infosec.20000207.axis700.a
Vulnerability Summary
Problem: Bypassing authentication on Axis 700 Network Scanner;
By modifying an URL, outsiders can access
administrator URLs without entering username
and password.
Threat: Unauthorized access.
Platform: Axis 700 Network Scanner Server
(Software Version 1.12)
Solution: Non? Se below.
Vulnerability Description
User pages are located under http://server/user/.
The URL to the configuration page is:
http://server/admin/this_axis700/this_axis700.shtml
This page is password protected. The actual configuration takes place on the
pages linked from this page. By changing the URL to:
http://server/user/../admin/this_axis700/this_axis700.shtml
gives an outsider access to the configuration page without entering username and
password. The server seems to check access permissions before URL conversion.
The server also decodes %1u to %2e (not a vulnerability).
Solution
<<Quote_from_Axis_Support
Hi,,
You will find the latest version on http://www.axis.se/techsup
Best Regards
XXXXXX XXXXXXX
Quote_from_Axis_Support
Nothing says that version 1.14 will fix this vulnerability.
Other information
Infosec recommends everyone to try to access their authorized pages with URLs
as:
http://server/NonPrivPage/../PrivPage/
Infosec thanks weld at l0pht for the inspiration
(http://www.l0pht.com/advisories/showcode.txt)
//Ian Vitek
[email protected]
-------------------------------
Infosec is a Swedish based tigerteam that have worked with computer-related
security since 1982 and done penetration tests and technical revisions since
1996. Infosec is now searching for co-workers. Call Blume on +46-8-6621070 for
more information.
