[Tfug] ?? RE: XSS vulnerability in Canon webcam I discovered
Casey Townsend
CTownse1 at ci.tucson.az.us
Wed Dec 17 08:29:23 MST 2003
I ran a nessus security scan against our recently purchased Canon VB-C10R Network Camera (remote controlled web-cam). It revealed the information listed below, which includes a Cross Site Scripting vulnerability in the embedded web sever. I have verified that this affects Opera 6 & 7, Mozilla Firebird 0.6.1, Netscape 4.x, 6 & 7, and Mozilla 1.6b, but it does not effect my IE6sp1+, including NeoPlanet and Avant.
I have contacted Canon several times about this but I don't think they are too concerned (and I don't have the experience to determine if this is a significant problem or not, or if other web-cams are also vulnerable). Canon did not acknowledged any of my emails or even the fax their customer support person asked me to send until finally I was able to speak with a supervisor the next week who said they had received an email and that it was going to being sent to their NY HQ, which would then send it to their engineers in Japan. He didn't think I would hear anything for at least a couple of weeks, if ever. I initially called them on Nov. 28th.
I would appreciate your thoughts on this issue.
<snip>
...The Flash ROM Firmware for the camera was upgraded to the latest - ver. 1.0 Rev. 21 prior to the scan. The camera's s/n is 2510320297. Of these issues, item three is of the most concern to me. Perhaps an upgrade to boa 0.94.13 <http://www.boa.org/> may solve this problem? (I have not taken the time yet to further research this.)
Please let me know the status of this issue and your time line for resolution.
1) Service: http (80/tcp)
Severity: Low - The following directories were discovered:
/sample
The following directories require authentication:
/admin, /cgi-bin, /java, /support
2) Service: http (80/tcp)
Severity: Low
The remote web server type is :
Boa/0.92o
This web server was fingerprinted as Boa/0.92o
which is consistent with the displayed banner
Solution : We recommend that you configure (if possible) your web server to return
a bogus Server header in order to not leak information.
3) The remote web server seems to be vulnerable to the Cross Site Scripting vulnerability (XSS). The vulnerability is caused by the result returned to the user when a non-existing file is requested (e.g. the result contains the JavaScript provided in the request).
The vulnerability would allow an attacker to make the server present the user with the attacker's JavaScript/HTML code.
Since the content is presented by the server, the user will give it the trust level of the server (for example, the trust level of banks, shopping centers, etc. would usually be high).
Sample url : http://198.182.65.150:80/<SCRIPT>alert('Vulnerable')</SCRIPT>.jsp
***[ This translates to http://198.182.65.150/%3CSCRIPT%3Ealert('Vulnerable')%3C/SCRIPT%3E.jsp and is verified as lauching the alert dialog ]***
Risk factor : Medium
Solutions:
. Allaire/Macromedia Jrun:
- http://www.macromedia.com/software/jrun/download/update/
- http://www.securiteam.com/windowsntfocus/Allaire_fixes_Cross-Site_Scripting_security_vulnerability.html
. Microsoft IIS:
- http://www.securiteam.com/windowsntfocus/IIS_Cross-Site_scripting_vulnerability__Patch_available_.html
. Apache:
- http://httpd.apache.org/info/css-security/
. ColdFusion:
- http://www.macromedia.com/v1/handlers/index.cfm?ID=23047
. General:
- http://www.securiteam.com/exploits/Security_concerns_when_developing_a_dynamically_generated_web_site.html
- http://www.cert.org/advisories/CA-2000-02.html
BID : 5305, 7353, 7344, 8037
</snip>
Casey Townsend
System Administrator
Department of Transportation
City of Tucson
pager: 520-516-8235
voice: 520-791-3115 x 430
More information about the tfug
mailing list