Axis 700 Authentication Bypass Vulnerability

The Axis 700 Network Scan Server includes a small webserver for administration and monitoring purposes. There is password protection available for the administrator pages, but this can be easily bypassed. The Axis 700 checks the requested URL for permissions before final URL conversion, so using a URL like target/nonrestricted/../restricted/ will let anyone into a restricted directory. Also, character substitution will accomplish the same thing, ie replacing any character in the URL with it's %-escaped equivalent.


Privacy Statement
Copyright 2010, SecurityFocus