COMMAND

    Axis Video and Camera Servers: system log access and file
    creation/overwrite via HTTP/CGI

SYSTEMS AFFECTED

    System log access:
        2400: 2.00 and above
        2401: 2.00 and above

    File creation and overwrite:
        2130: 2.32
        2400: 2.00 and above
        2401: 2.00 and above
        2420: 2.30 and above

PROBLEM

    From the Axis Product Security [product-security@axis.com] advisory,
    based on findings by Martin Eiszner:

    Description
    ===========
    CGI applications that allow file and directory creation and
    overwriting, and the CGI that gives access to the system log, have
    incorrect access permissions in a number of Axis products. On the
    affected products a user with the lowest access privilege level can
    read the system log, and can create and overwrite arbitrary files in
    the device's local file system.

SOLUTION

    Workaround:
    ===========
    The access privileges of the affected CGIs can be corrected by
    editing the HTTP server configuration file (located at
    /etc/httpd/conf/boa.conf) in the following way.

    System log access:
        2400: add the lines
            AuthPath /usr/html/support/ axadmin
            AuthPath /support/ axadmin
        2401: add the lines
            AuthPath /usr/html/support axadmin
            AuthPath /support/ axadmin

    File creation and overwrite:
        2420: change the 2 lines referring to /axis-cgi/buffer/ from axview to axadmin
        2400: change the 2 lines referring to /axis-cgi/buffer/ from axview to axadmin
        2401: change the 2 lines referring to /axis-cgi/buffer/ from axview to axadmin
        2130: change the 2 lines referring to /axis-cgi/buffer/ from axview to axadmin

    We recommend that these changes are made on devices placed on
    publicly accessible networks. The problems will be corrected in the
    next firmware release.
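The workaround above is a hand edit of boa.conf, which is easy to get
wrong across several units. The following script is an added example
(not Axis code and not part of the original advisory) that audits a
boa.conf for the paths named in the workaround (/support/,
/usr/html/support/ and /axis-cgi/buffer/) and emits a corrected copy. It
assumes the directive format `AuthPath <url-path> <group>` exactly as
quoted in the workaround; the sample configuration embedded below is
constructed for the demonstration, not taken from a real device.

```python
"""Audit and fix AuthPath entries in an Axis boa.conf.

Added example, not Axis code. Assumes the directive format
`AuthPath <url-path> <group>` quoted in the advisory workaround; any
other directive is passed through unchanged.
"""
import re
import sys

# Paths the advisory says must require the axadmin group:
# /support/ and /usr/html/support/ expose the system log,
# /axis-cgi/buffer/ exposes the file creation/overwrite CGIs.
SENSITIVE = ("/support/", "/usr/html/support/", "/axis-cgi/buffer/")
REQUIRED_GROUP = "axadmin"

AUTHPATH_RE = re.compile(r"^\s*AuthPath\s+(\S+)\s+(\S+)\s*$")

# Constructed sample, not a real Axis configuration: the buffer CGIs are
# open to the low-privilege axview group and the /support/ entries are
# missing altogether.
SAMPLE_CONF = """\
# constructed excerpt, not a real boa.conf
Port 80
DocumentRoot /usr/html
AuthPath /axis-cgi/buffer/ axview
"""


def _norm(path):
    # The advisory writes both "/support" and "/support/"; treat them alike.
    return path if path.endswith("/") else path + "/"


def _is_sensitive(path):
    return _norm(path).startswith(SENSITIVE)


def audit(conf_text):
    """Return (line_no, path, group) for each sensitive AuthPath not
    restricted to axadmin; (None, path, None) marks a missing entry."""
    findings = []
    seen = set()
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = AUTHPATH_RE.match(line)
        if not m:
            continue
        path, group = m.groups()
        seen.add(_norm(path))
        if _is_sensitive(path) and group != REQUIRED_GROUP:
            findings.append((no, path, group))
    for p in SENSITIVE:
        if p not in seen:
            findings.append((None, p, None))
    return findings


def harden(conf_text):
    """Return the config with sensitive AuthPath lines switched to axadmin
    (the 'change axview to axadmin' step) and missing entries appended
    (the 'add lines' step)."""
    out = []
    seen = set()
    for line in conf_text.splitlines():
        m = AUTHPATH_RE.match(line)
        if m:
            path, group = m.groups()
            seen.add(_norm(path))
            if _is_sensitive(path) and group != REQUIRED_GROUP:
                line = f"AuthPath {path} {REQUIRED_GROUP}"
        out.append(line)
    for p in SENSITIVE:
        if p not in seen:
            out.append(f"AuthPath {p} {REQUIRED_GROUP}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for no, path, group in audit(text):
        if no is None:
            print(f"missing: no AuthPath for {path}")
        else:
            print(f"line {no}: {path} allows group {group}, want {REQUIRED_GROUP}")
    sys.stdout.write(harden(text))
```

Run it against a copy of /etc/httpd/conf/boa.conf pulled from the
device; it prints each finding and writes the corrected configuration to
stdout. Re-running audit() on the output returns an empty list, which is
the check to keep on every unit after the edit and again after any
firmware update that may rewrite the file.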