Axis Communications 2100 Network Camera Multiple Input Validation Vulnerabilities
BID:25837
Info
| Bugtraq ID: | 25837 |
| Class: | Input Validation Error |
| CVE: | CVE-2007-5213, CVE-2007-5212 |
| Remote: | Yes |
| Local: | No |
| Published: | Sep 27 2007 12:00AM |
| Updated: | Jul 06 2016 02:17PM |
| Credit: | ProCheckUp is credited with the discovery of these vulnerabilities. |
| Vulnerable: | Axis Communications 2100 Network Camera 2.43 |
| Not Vulnerable: | |
Discussion
Axis Communications 2100 Network Camera is prone to multiple input-validation vulnerabilities, including a cross-site scripting issue, multiple HTML-injection issues, and a cross-site request-forgery issue, because the application fails to properly sanitize user-supplied input.
Exploiting these issues could allow an attacker to execute arbitrary script code in the context of the webserver process, control how the site is rendered to the user, compromise the application, obtain sensitive information, and access or modify data.
These issues affect 2100 Network Cameras with firmware version 2.43; other firmware versions and models may also be affected.
Exploit / POC
To exploit the cross-site scripting and cross-site request-forgery issues, attackers must entice an unsuspecting victim into following a malicious URI. Attackers can exploit the HTML-injection issues via a browser.
Solution / Fix
Solution:
The vendor has released updates. Please see the references for more information.
References
References:
- Improving Security for Axis Products (Axis Communications)
- Network Camera and Video Servers (Axis Communications)
- Owning Big Brother: Multiple vulnerabilities on Axis 2100 IP cameras (ProCheckUp)
- XSS Vulnerabilities and Security Releases for the AXIS 2100/2120 (Axis Communications)
- Owning Big Brother: How to Crack into Axis IP cameras (ProCheckUp)