Published: 2003-12-31 00:00:00
Revised: 2008-09-05 16:36:48

[Original] AXIS 2400 Video Server 2.00 through 2.33 allows remote attackers to obtain sensitive information via an HTTP request to /support/messages, which displays the server's /var/log/messages file.

[CNNVD] Axis Communications HTTP Server Messages Information Disclosure Vulnerability (CNNVD-200312-262)

AXIS 2400 Video Server versions 2.00 through 2.33 contain a vulnerability. A remote attacker can obtain sensitive information via an HTTP request to /support/messages, which displays the server's /var/log/messages file.

- CVSS (Base Score)

CVSS score: 6.4 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: NETWORK [the attacker does not need intranet or local access]
Authentication: NONE [no authentication required for exploitation]

- CWE (Weakness Category)

CWE-264 [Permissions, Privileges, and Access Controls]

- CPE (Affected Platforms and Products)

cpe:/h:axis:2401_video_server:2.32  Axis Communications AXIS 2401 Video Server 2.32
cpe:/h:axis:2400_video_server:2.20  Axis Communications AXIS 2400 Video Server 2.20
cpe:/h:axis:2400_video_server:2.33  Axis Communications AXIS 2400 Video Server 2.33
cpe:/h:axis:2400_video_server:2.32  Axis Communications AXIS 2400 Video Server 2.32
cpe:/h:axis:2401_video_server:2.20  Axis Communications AXIS 2401 Video Server 2.20
cpe:/h:axis:2400_video_server:2.0   Axis Communications AXIS 2400 Video Server 2.0
cpe:/h:axis:2400_video_server:2.31  Axis Communications AXIS 2400 Video Server 2.31
cpe:/h:axis:2401_video_server:2.31  Axis Communications AXIS 2401 Video Server 2.31
cpe:/h:axis:2401_video_server:2.33  Axis Communications AXIS 2401 Video Server 2.33

- OVAL (Technical Details for Detection)


- Official Database Links
(Official source) MITRE
(Official source) NVD
(Official source) CNNVD

- Other Links and Resources
(UNKNOWN)  XF  axis-messages-unauth-access(11440)
(UNKNOWN)  BID  6980
(UNKNOWN)  BUGTRAQ  20030325 Axis Video and Camera Servers - System log access and file access/overwrite via HTTP/CGI
(UNKNOWN)  BUGTRAQ  20030228 axis2400 webcams

- Vulnerability Information

Axis Communications HTTP Server Messages Information Disclosure Vulnerability
Medium severity  Configuration error
2003-12-31 00:00:00 2003-12-31 00:00:00
AXIS 2400 Video Server versions 2.00 through 2.33 contain a vulnerability. A remote attacker can obtain sensitive information via an HTTP request to /support/messages, which displays the server's /var/log/messages file.

- Advisories and Patches

Additionally, the vendor has stated that this vulnerability will be fixed in the next release of firmware for the affected devices.

- Vulnerability Information (22296)

Axis Communications HTTP Server 2.x Messages Information Disclosure Vulnerability (EDBID:22296)
multiple remote
2003-02-28 Verified
0 Martin Eiszner
N/A

It has been reported that the Axis Video Server does not properly secure sensitive information. Because of this, an attacker may be able to gather details about server operation and traffic that could lead to further attacks.

- Vulnerability Information

Axis 2400 Network Camera Webserver Message Log Disclosure
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality
Exploit Public

- Vulnerability Description

Axis Network Camera contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when /support/messages is requested from the target web server, which discloses the '/var/log/messages' system log file; that file can contain sensitive information, resulting in a loss of confidentiality.

- Timeline

2003-02-28 Unknown
2003-02-28 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: add the following two lines to '/etc/httpd/conf/boa.conf':

    AuthPath /usr/html/support/ axadmin
    AuthPath /support/ axadmin
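As an added example (not part of this record and not Axis's own tooling), the following Python check parses a boa.conf and reports whether the two AuthPath directives from the workaround above are present. It assumes an AuthPath directive protects the directory tree under the path it names, and it runs on constructed sample configurations rather than a real device file.

```python
"""Verify that an Axis-style boa.conf carries the /support/ AuthPath workaround."""
import re

# Constructed sample configurations (not real device files). The AuthPath
# syntax follows the advisory's workaround lines: "AuthPath <path> <user>".
WEAK_CONF = """\
# boa.conf (constructed sample, before the workaround)
Port 80
DocumentRoot /usr/html
AuthPath /usr/html/admin/ axadmin
AuthPath /admin/ axadmin
"""

FIXED_CONF = WEAK_CONF + """\
# workaround from the advisory: require authentication for the support pages
AuthPath /usr/html/support/ axadmin
AuthPath /support/ axadmin
"""

# The two paths the advisory's workaround protects.
REQUIRED_PATHS = ("/usr/html/support/", "/support/")

_AUTHPATH = re.compile(r"^\s*AuthPath\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)


def auth_paths(conf_text):
    """Return {path: user} for every AuthPath directive, ignoring comments."""
    found = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = _AUTHPATH.match(line)
        if m:
            path = m.group(1) if m.group(1).endswith("/") else m.group(1) + "/"
            found[path] = m.group(2)
    return found


def unprotected_support_paths(conf_text):
    """Return the required support paths that no AuthPath directive covers.

    Assumption: a directive covers a path when its own path is a prefix of it.
    """
    protected = auth_paths(conf_text)
    return [p for p in REQUIRED_PATHS
            if not any(p.startswith(prefix) for prefix in protected)]


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        missing = unprotected_support_paths(conf)
        print(name, "OK" if not missing else "missing AuthPath for " + ", ".join(missing))
```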

- References

- Vulnerability Author