Infosec.20000207.axis700.a

[ian.vitek () INFOSEC SE (Vitek, Ian)]

Infosec Security Vulnerability Report
No: Infosec.20000207.axis700.a
=====================================

Vulnerability Summary
---------------------

Problem: Bypassing authentication on Axis 700 Network Scanner;
               By modifying an URL, outsiders can access
               administrator URLs without entering username
               and password.

Threat: Unauthorized access.

Platform: Axis 700 Network Scanner Server
               (Software Version 1.12)

Solution: Non? Se below.

Vulnerability Description
-------------------------
User pages are located under http://server/user/.
The URL to the configuration page is:
http://server/admin/this_axis700/this_axis700.shtml
This page is password protected. The actual configuration takes place on the
pages linked from this page. By changing the URL to:
http://server/user/../admin/this_axis700/this_axis700.shtml
gives an outsider access to the configuration page without entering username and
password. The server seems to check access permissions before URL conversion.
The server also decodes %1u to %2e (not a vulnerability).

Solution
--------
<<Quote_from_Axis_Support
Hi,,

You will find the latest version on http://www.axis.se/techsup

Best Regards

XXXXXX XXXXXXX
Quote_from_Axis_Support

Nothing says that version 1.14 will fix this vulnerability.

Other information
-----------------
Infosec recommends everyone to try to access their authorized pages with URLs
as:
http://server/NonPrivPage/../PrivPage/

Infosec thanks weld at l0pht for the inspiration
(http://www.l0pht.com/advisories/showcode.txt)

//Ian Vitek
ian.vitek () infosec se

-------------------------------
Infosec is a Swedish based tigerteam that have worked with computer-related
security since 1982 and done penetration tests and technical revisions since
1996. Infosec is now searching for co-workers. Call Blume on +46-8-6621070 for
more information.