[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] XSS vulnerability in Canon webcam

To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] XSS vulnerability in Canon webcam
From: townsend@northlink.com
Date: Wed, 31 Dec 2003 09:27:53 -0700

I ran a nessus security scan against our recently purchased Canon VB-C10R 
Network 
Camera (remote controlled web-cam). It revealed the information listed below, 
which 
includes a Cross Site Scripting vulnerability in the embedded web sever.  I 
have 
verified that this affects Opera 6 & 7, Mozilla Firebird 0.6.1, Netscape 4.x, 6 
& 7, and 
Mozilla 1.6b, but it does not effect my IE6sp1+, including NeoPlanet and Avant.

I have contacted Canon several times about this but I don't think they are too 
concerned (and I don't have the experience to determine if this is a 
significant problem 
or not; or if other web-cams are also vulnerable). Canon did not acknowledged 
any of 
my emails or even the fax their customer support person asked me to send until 
finally 
I was able to speak with a supervisor the next week who said they had received 
an 
email and that it was going to being sent to their NY HQ, which would then send 
it to 
their engineers in Japan. He didn't think I would hear anything for at least a 
couple of 
weeks, if ever. I initially called them on Nov. 28th.

I would appreciate any comments on this issue.


<snip from Email to Canon>

...The Flash ROM Firmware for the camera was upgraded to the latest - ver. 1.0 
Rev. 
21 prior to the scan. The camera's s/n is 2510320297.  Of these issues, item 
three is 
of the most concern to me. Perhaps an upgrade to boa 0.94.13 
<http://www.boa.org/> 
may solve this problem? (I have not taken the time yet to further research 
this.)

Please let me know the status of this issue and your time line for resolution.


1)  Service: http (80/tcp)
Severity: Low - The following directories were discovered:

/sample

The following directories require authentication:
/admin, /cgi-bin, /java, /support

2)  Service: http (80/tcp)
Severity: Low
The remote web server type is :

Boa/0.92o

This web server was fingerprinted as Boa/0.92o
which is consistent with the displayed banner

Solution : We recommend that you configure (if possible) your web server to 
return
a bogus Server header in order to not leak information.


3)   The remote web server seems to be vulnerable to the Cross Site Scripting 
vulnerability (XSS). The vulnerability is caused by the result returned to the 
user when 
a non-existing file is requested (e.g. the result contains the JavaScript 
provided in the 
request).
The vulnerability would allow an attacker to make the server present the user 
with the 
attacker's JavaScript/HTML code.
Since the content is presented by the server, the user will give it the trust 
level of the 
server (for example, the trust level of banks, shopping centers, etc. would 
usually be 
high).

Sample url : http://198.182.xxx.xxx:80/<SCRIPT>alert('Vulnerable')</SCRIPT>.jsp

Risk factor : Medium

</snip>


Casey Townsend
System Administrator
Department of Transportation
City of Tucson
520-791-5100

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Prev by Date: [Full-Disclosure] RE: Winnie The Pooh Hacking Squadron Presents: 0day 31337 vulnerability in indent 2.2.9
Next by Date: Re: [Full-Disclosure] weird worm ?
Previous by thread: [Full-Disclosure] RE: Winnie The Pooh Hacking Squadron Presents: 0day 31337 vulnerability in indent 2.2.9
Next by thread: [Full-Disclosure] MDKSA-2003:095-1 - Updated proftpd packages fix remote root vulnerability
Index(es):
- Date
- Thread