Home page logo
/

bugtraq logo Bugtraq mailing list archives

Axis Video and Camera Servers - System log access and file access/overwrite via HTTP/CGI
From: Axis Product Security <product-security () axis com>
Date: Tue, 25 Mar 2003 15:30:35 +0100

Date: 2003-03-25


1. Topic

System log access and file access/overwrite via HTTP/CGI


2. Description

CGI applications allowing file and directory creation and overwrites,
and access to the system log has incorrect access permissions in a
number of Axis products.

In affected products a user with the lowest access privileges may
access the system log, and overwrite and create arbitrary files in the
local file system.

3. Affected products

System log access:

2400: 2.00 and above 
2401: 2.00 and above 

File creation and overwrite:

2130: 2.32
2400: 2.00 and above 
2401: 2.00 and above 
2420: 2.30 and above


4. Interim workaround

Access privileges to the affected CGIs can be corrected by modifying
the HTTP server configuration file (located in /etc/httpd/conf/boa.conf)
in the following way.

System log access:
2400: add lines - AuthPath /usr/html/support/ axadmin
                  AuthPath /support/ axadmin
2401: add lines - AuthPath /usr/html/support axadmin
                  AuthPath /support/ axadmin
                   
File creation and overwrite:
2420: change 2 lines referring to /axis-cgi/buffer/ from axview to axadmin
2400: change 2 lines referring to /axis-cgi/buffer/ from axview to axadmin
2401: change 2 lines referring to /axis-cgi/buffer/ from axview to axadmin
2130: change 2 lines referring to /axis-cgi/buffer/ from axview to axadmin

We recommend that these changes are made on devices placed in publicly
accessible networks. 

The problems will be corrected in the next firmware release.


5. Vulnerability reporting

Information on this vulnerability was originally sent by Martin
Eiszner to security () axis com, which at the time did not exist, and
anne.rhenman () axis com, our Director of Investor Relations.

To limit the amount of misdirected support questions, etc., Axis has
decided to remove e-mail based support. This includes mailboxes for
vulnerability reports. Instead reports as this one should be delivered
via Axis' web based support system, available at
http://www.axis.com/techsup/index.htm .

Information on this was regrettably missing from the Axis website,
the contact information will be corrected.


  By Date           By Thread  

Current thread:
  • Axis Video and Camera Servers - System log access and file access/overwrite via HTTP/CGI Axis Product Security (Mar 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]