[FD] Vulnerabilities in Samsung SyncThru Web Service
- To: <submissions@xxxxxxxxxxxxxxxxxxxxxxx>, <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] Vulnerabilities in Samsung SyncThru Web Service
- From: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx>
- Date: Mon, 22 Dec 2014 23:52:51 +0200
Hello list!
There are Information Leakage and Insufficient Authorization vulnerabilities
in SyncThru Web Service. This is a web application for Samsung printers;
in particular, I found it on the Samsung ML-1865W and other printers. Earlier I
informed Samsung about it.
-------------------------
Affected products:
-------------------------
SyncThru Web Service, Network Firmware 6.01 and previous versions, are
vulnerable (there are 7 different firmwares in the Samsung ML-1865W, as stated
on the Firmware Version page).
----------
Details:
----------
Information Leakage (WASC-13):
http://site
http://site:631
There is access without authorization to information about all settings of
the printer (read only).
Insufficient Authorization (WASC-02):
In the Print Information section it's possible to print test documents without
authorization. Thus, without a login and password, it's possible to waste the
paper and cartridge of the printer.
I also found other Samsung printers (with an earlier version of the firmware)
where the Direct Print function was accessible without authorization, which
allows printing arbitrary documents.
I mentioned these vulnerabilities on my site
(http://websecurity.com.ua/7513/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/