Axis Video and Camera Servers - System log access and file access/overwrite via HTTP/CGI

From: Axis Product Security (product-security@axis.com)
Date: 03/25/03

  • Next message: Auriemma Luigi: "Emule 0.27b remote crash" 
    Date: Tue, 25 Mar 2003 15:30:35 +0100
From: Axis Product Security <product-security@axis.com>
To: bugtraq@securityfocus.com

    Date: 2003-03-25

    1. Topic

    System log access and file access/overwrite via HTTP/CGI

    2. Description

    CGI applications allowing file and directory creation and overwrites,
    and access to the system log has incorrect access permissions in a
    number of Axis products.

    In affected products a user with the lowest access privileges may
    access the system log, and overwrite and create arbitrary files in the
    local file system.

    3. Affected products

    System log access:

    2400: 2.00 and above
    2401: 2.00 and above

    File creation and overwrite:

    2130: 2.32
    2400: 2.00 and above
    2401: 2.00 and above
    2420: 2.30 and above

    4. Interim workaround

    Access privileges to the affected CGIs can be corrected by modifying
    the HTTP server configuration file (located in /etc/httpd/conf/boa.conf)
    in the following way.

    System log access:
    2400: add lines - AuthPath /usr/html/support/ axadmin
                      AuthPath /support/ axadmin
    2401: add lines - AuthPath /usr/html/support axadmin
                      AuthPath /support/ axadmin
                       
    File creation and overwrite:
    2420: change 2 lines referring to /axis-cgi/buffer/ from axview to axadmin
    2400: change 2 lines referring to /axis-cgi/buffer/ from axview to axadmin
    2401: change 2 lines referring to /axis-cgi/buffer/ from axview to axadmin
    2130: change 2 lines referring to /axis-cgi/buffer/ from axview to axadmin

    We recommend that these changes are made on devices placed in publicly
    accessible networks.

    The problems will be corrected in the next firmware release.

    5. Vulnerability reporting

    Information on this vulnerability was originally sent by Martin
    Eiszner to security@axis.com, which at the time did not exist, and
    anne.rhenman@axis.com, our Director of Investor Relations.

    To limit the amount of misdirected support questions, etc., Axis has
    decided to remove e-mail based support. This includes mailboxes for
    vulnerability reports. Instead reports as this one should be delivered
    via Axis' web based support system, available at
    http://www.axis.com/techsup/index.htm .

    Information on this was regrettably missing from the Axis website,
    the contact information will be corrected.

  • Next message: Auriemma Luigi: "Emule 0.27b remote crash"