Bugtraq mailing list archives
Re: axis2400 webcams
From: Sergio Gelato <Sergio.Gelato () astro su se>
Date: Sun, 2 Mar 2003 01:01:04 +0100
* Barry Zubel [2003-02-28 17:19:04 -0000]:
> Tested the viewing of http://server/log/messages on Axis 2100 model, and it is vulnerable.
Sorry, can't reproduce it on a 2100 with firmware 2.33.1. It prompts me for authentication, and *only* the root username/password pair grants me access to /support/messages (not /log/messages as you wrote). Other less privileged username/password pairs (yes, I've enabled those) return a "password is incorrect" error.

If you don't password-protect the root account you get of course what you deserve. And if you claim a product is vulnerable without specifying which software (here firmware) revision(s) you've tested, you don't sound terribly convincing.

[Side note: For some strange reason the 2.33.1 "service release" of the firmware is not advertised on the www.axis.com firmware download pages; you may however find it by anonymous ftp in the sr/ subdirectory. See the message from product-security () axis com to BugTraq on 2002-12-20.]