
RE: Owning Big Brother: How to Crack into Axis IP cameras

Subject: RE: Owning Big Brother: How to Crack into Axis IP cameras
Date: Thu, 27 Sep 2007 21:44:46 -0400
XSS, CSRF - You don't even have to be that fancy, at least on the 2130 we're 
running.  Maybe it's simply that Earth Cam got a hold of it and added their own 
interface on top of the default Axis one... But they were nice enough to give 
us a webpage where we can edit any file on the camera and submit back your 
changes:

http://ip.of.webcam/admin-bin/editcgi.cgi




-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On 
Behalf Of Adrian P.
Sent: Thursday, September 27, 2007 4:23 PM
To: webappsec@securityfocus.com
Subject: Owning Big Brother: How to Crack into Axis IP cameras

We found multiple vulnerabilities on Axis 2100 IP cameras affecting both 
old firmware versions and the latest firmware (2.43).

The research is made of two components: a purple paper and a video. The 
research doesn't just cover boring PoCs, but actual Hollywood-style 
exploits :-) . Yes, this includes the classic attack in which the 
legitimate video stream gets replaced by another stream that keeps 
looping forever!

Why am I posting this to the webappsec mail list? Because the exploits 
covered attack the web interface of these IP cameras.

More info can be found on:

http://www.procheckup.com/Vulnerability_2007.php

Regards,
AP. 





