
Axis Video and Camera Servers system log & file access/overwrite via HTTP/CGI
26th Mar 2003 [SBWID-6095]
COMMAND

	Axis Video and Camera Servers system  log  &  file  access/overwrite
	via HTTP/CGI

SYSTEMS AFFECTED

	Affected products
	
	System log access:
	
	 2400: 2.00 and above 
	 2401: 2.00 and above 
	
	File creation and overwrite:
	
	 2130: 2.32
	 2400: 2.00 and above 
	 2401: 2.00 and above 
	 2420: 2.30 and above

PROBLEM

	From the Axis Product Security [product-security@axis.com] advisory,
	crediting Martin Eiszner for the findings:
	
	 Description
	 ===========
	
	In a number of Axis products, the CGI applications that allow file and
	directory creation and overwrites, and those that give access to the
	system log, have incorrect access permissions.
	
	On affected products, a user with the lowest access privileges (the
	viewer level) can read the system log and can create or overwrite
	arbitrary files in the local file system.

SOLUTION

	 Workaround:
	 ===========
	
	Access privileges to the affected CGIs can be corrected by modifying
	the HTTP server configuration file (located in /etc/httpd/conf/boa.conf)
	in the following way.
	
	System log access:
	
	2400: add lines - AuthPath /usr/html/support/ axadmin
	                  AuthPath /support/ axadmin
	2401: add lines - AuthPath /usr/html/support axadmin
	                  AuthPath /support/ axadmin
	                   
	File creation and overwrite:
	
	2420: change 2 lines referring to /axis-cgi/buffer/ from axview to axadmin
	2400: change 2 lines referring to /axis-cgi/buffer/ from axview to axadmin
	2401: change 2 lines referring to /axis-cgi/buffer/ from axview to axadmin
	2130: change 2 lines referring to /axis-cgi/buffer/ from axview to axadmin
	
	We recommend making these changes on devices placed in publicly
	accessible networks, and verifying afterwards that a viewer-level
	account receives an authentication challenge for /support/ and for
	/axis-cgi/buffer/.
	
	The problems will be corrected in the next firmware release.
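	The following POSIX shell script is an added example written for this
	page; it is not part of the Axis advisory and not Axis code. It applies
	the workaround above to a boa.conf and checks the result: the lines that
	reference /axis-cgi/buffer/ are switched from axview to axadmin, and the
	two AuthPath lines for the system log directory are appended if absent.
	The sample configuration it writes is constructed for the demonstration;
	in particular, the exact form of the two buffer lines ("AuthPath
	/axis-cgi/buffer/ axview" and "AuthPath /usr/html/axis-cgi/buffer/
	axview") is an assumption, since the advisory only says two lines refer
	to that path. Run it on a copy of the real file first and inspect the
	diff before restarting the HTTP server.

```shell
#!/bin/sh
# Added example: audit and harden an Axis boa.conf per the 2003 workaround.
# Not Axis code. The sample config below is constructed; the two buffer
# AuthPath lines are an assumed form of the "2 lines referring to
# /axis-cgi/buffer/" named in the advisory.

# Write a constructed sample boa.conf with the weak settings to the file $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real Axis boa.conf
Port 80
DocumentRoot /usr/html
AuthPath /axis-cgi/buffer/ axview
AuthPath /usr/html/axis-cgi/buffer/ axview
AuthPath /axis-cgi/admin/ axadmin
EOF
}

# Return 0 (true) if the file $1 still has the weakness: any /axis-cgi/buffer/
# line granted to axview, or no axadmin requirement on the /support/ log path.
is_weak() {
    grep -q '/axis-cgi/buffer/.*axview' "$1" && return 0
    grep -q '^AuthPath /support/ axadmin' "$1" || return 0
    return 1
}

# Apply the workaround in place on $1:
#  - on every line mentioning /axis-cgi/buffer/, replace axview with axadmin
#  - append the two AuthPath lines for the system log directory if missing
harden_boa_conf() {
    f="$1"
    tmp="$f.tmp.$$"
    sed '\#/axis-cgi/buffer/#s/axview/axadmin/' "$f" > "$tmp" && mv "$tmp" "$f"
    grep -q '^AuthPath /usr/html/support/ axadmin' "$f" \
        || echo 'AuthPath /usr/html/support/ axadmin' >> "$f"
    grep -q '^AuthPath /support/ axadmin' "$f" \
        || echo 'AuthPath /support/ axadmin' >> "$f"
}

# Remote check after restarting the HTTP server (not run here): a viewer
# account should get an HTTP 401 for the log directory and the buffer CGIs.
# $1 = host, $2 = viewer user:password. Expected output: two lines of "401".
check_remote() {
    for path in /support/ /axis-cgi/buffer/; do
        curl -s -o /dev/null -w '%{http_code}\n' -u "$2" "http://$1$path"
    done
}

# Stand-alone demonstration on a temporary file.
if [ "${DEMO:-1}" = 1 ]; then
    demo="$(mktemp)"
    write_sample_conf "$demo"
    if is_weak "$demo"; then echo "before: weak"; fi
    harden_boa_conf "$demo"
    if is_weak "$demo"; then echo "after: still weak"; else echo "after: hardened"; fi
    cat "$demo"
    rm -f "$demo"
fi
```

	The sed address uses "#" as its delimiter so the slashes in the path
	need no escaping; the substitution is restricted to lines that mention
	the buffer path, so the existing axview entries for other CGIs are left
	untouched. The grep guards make the append step idempotent, so the
	script can be re-run safely.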
