Owning Big Brother: How to Crack into Axis IP cameras

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Owning Big Brother: How to Crack into Axis IP cameras
From: research@xxxxxxxxxxxxxx
Date: 28 Sep 2007 11:21:53 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

The research is made of two components: a purple paper and a video. The 
research doesn't just cover boring PoCs, but actual Hollywood-style exploits 
:-) . Yes, this includes the classic attack in which the legitimate video 
stream gets replaced by another stream that keeps looping forever!

In the paper we only cover new vulnerabilities affecting older _and_ the latest 
firmware. The most eye-catching ones are perhaps the following issues affecting 
the latest version of the firmware (2.43): 

  System-wide Cross-site Request Forgeries (CSRF) ? any admin action can be 
forged by design!
  Non-persistent Cross-site Scripting (XSS) on 404 error pages
  Persistent cross-site Scripting (XSS) on the network settings page
  Persistent cross-site Scripting (XSS) on the video viewing page
  Persistent cross-site Scripting (XSS) on the logs viewing facility

For more info please see: http://www.procheckup.com/Vulnerability_2007.php

Prev by Date: Re: [waraxe-2007-SA#053] - Critical Sql Injection in NukeSentinel 2.5.11
Next by Date: feedreader3 has XSS vulnerability
Previous by thread: [ MDKSA-2007:190 ] - Updated kdebase packages fix KDM vulnerability
Next by thread: feedreader3 has XSS vulnerability
Index(es):
- Date
- Thread