Re: axis2400 webcams
From: Sergio Gelato (Sergio.Gelato@astro.su.se)
Date: 03/02/03
Date: Sun, 2 Mar 2003 01:01:04 +0100
From: Sergio Gelato <Sergio.Gelato@astro.su.se>
To: bugtraq@securityfocus.com

* Barry Zubel [2003-02-28 17:19:04 -0000]:
> Tested the viewing of http://server/log/messages on Axis 2100 model, and it is
> vulnerable.

Sorry, can't reproduce it on a 2100 with firmware 2.33.1. It prompts me
for authentication, and *only* the root username/password pair grants me
access to /support/messages (not /log/messages as you wrote). Other
less privileged username/password pairs (yes, I've enabled those) return
a "password is incorrect" error.

If you don't password-protect the root account you get of course what
you deserve. And if you claim a product is vulnerable without specifying
which software (here firmware) revision(s) you've tested, you don't
sound terribly convincing.

[Side note:
For some strange reason the 2.33.1 "service release" of the firmware is
not advertised on the www.axis.com firmware download pages; you may
however find it by anonymous ftp in the sr/ subdirectory. See the
message from product-security@axis.com to BugTraq on 2002-12-20.]