Infosec Security Vulnerability Report No: Infosec.20000207.axis700.a ===================================== Vulnerability Summary --------------------- Problem: Bypassing authentication on Axis 700 Network Scanner; By modifying an URL, outsiders can access administrator URLs without entering username and password. Threat: Unauthorized access. Platform: Axis 700 Network Scanner Server (Software Version 1.12) Solution: Non? Se below. Vulnerability Description ------------------------- User pages are located under http://server/user/. The URL to the configuration page is: http://server/admin/this_axis700/this_axis700.shtml This page is password protected. The actual configuration takes place on the pages linked from this page. By changing the URL to: http://server/user/../admin/this_axis700/this_axis700.shtml gives an outsider access to the configuration page without entering username and password. The server seems to check access permissions before URL conversion. The server also decodes %1u to %2e (not a vulnerability). Solution -------- <<Quote_from_Axis_Support Hi,, You will find the latest version on http://www.axis.se/techsup Best Regards XXXXXX XXXXXXX Quote_from_Axis_Support Nothing says that version 1.14 will fix this vulnerability. Other information ----------------- Infosec recommends everyone to try to access their authorized pages with URLs as: http://server/NonPrivPage/../PrivPage/ Infosec thanks weld at l0pht for the inspiration (http://www.l0pht.com/advisories/showcode.txt) //Ian Vitek [EMAIL PROTECTED] ------------------------------- Infosec is a Swedish based tigerteam that have worked with computer-related security since 1982 and done penetration tests and technical revisions since 1996. Infosec is now searching for co-workers. Call Blume on +46-8-6621070 for more information.