Axis StorPoint CD and Axis StorPoint CD/T are CD-ROM servers (actual hardware units) sold by Axis Communications. Both of these appliances support remote management via SNMP MIB-II and a private enterprise MIB, as well as from the web via a system-supplied web server. In the web-based administration, users can completely bypass authentication (username and password) by using a specified URL. The actual login page is located at:
However, by using:
A user sidesteps the login page and gains administrative access to the appliance.
Axis StorPoint contains a flaw that may allow a malicious user to bypass authorization for the administration interface. The issue is triggered when accessing a URL using directory traversal techniques. It is possible that the flaw may allow unauthorized users to reconfigure the device, resulting in a loss of integrity or availability.
Upgrade to version 4.28 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
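The general defence against this class of authorization bypass, shown as an added example that is not Axis code: canonicalize the request path once, then make both the access decision and the file lookup from that canonical form. The `/admin/` and `/public/` paths, the function names and the sample requests are hypothetical and constructed; they are not the StorPoint's real URLs, and the flawed gate only illustrates one way such a bypass can arise.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical layout for illustration only; not the appliance's real paths.
PROTECTED_PREFIXES = ("/admin/",)

def naive_requires_auth(raw_path):
    """Flawed gate: tests the path as sent, before dot segments are resolved."""
    return raw_path.startswith(PROTECTED_PREFIXES)

def canonicalize(raw_path, max_decode_rounds=3):
    """Return the path the file resolver would serve, or None to reject."""
    path = raw_path.split("?", 1)[0]
    # Decode until stable so encoded and double-encoded dots are exposed.
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    else:
        return None  # still changing after the allowed rounds: refuse
    path = path.replace("\\", "/")
    if "\x00" in path or not path.startswith("/"):
        return None
    # normpath collapses ".", ".." and repeated slashes (except a leading "//").
    normalized = "/" + posixpath.normpath(path).lstrip("/")
    if path.endswith("/") and normalized != "/":
        normalized += "/"
    return normalized

def decide(raw_path, authenticated):
    """Return (verdict, canonical_path); the handler must serve canonical_path."""
    canonical = canonicalize(raw_path)
    if canonical is None:
        return ("reject", None)
    protected = any(canonical == p.rstrip("/") or canonical.startswith(p)
                    for p in PROTECTED_PREFIXES)
    if protected and not authenticated:
        return ("login", canonical)
    return ("serve", canonical)

if __name__ == "__main__":
    # Constructed sample requests from an unauthenticated client.
    for req in ("/public/index.html", "/admin/config.html",
                "/public/../admin/config.html",
                "/public/%252e%252e/admin/config.html"):
        print(f"{req!r}: naive_gate={naive_requires_auth(req)} "
              f"hardened={decide(req, authenticated=False)}")
```
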