Archivo de Julio de 2006
Zyxel Prestige 660H-61 Cross Site Scripting
26 de Julio de 2006 | 
Autor: | Version: | Tested on Zyxel Prestige 660H-61 ZyNOS F/W Version: V3.40(PT.0)b32 | 1/28/2005 Standard:NORMAL |
|---|---|
| Discovered by: | José Ramón Palanco: jose.palanco(at)eazel(dot).es |
| Description: | Zyxel Prestige 660H-61 ADSL Router is vulnerable to a security vulnerability that allow Cross-Site Scripting attacks. Due to improper filtering, a remote attacker can cause a cross site scripting in this script: http://router/Forms/rpSysAdmin?a=%3Cscript%3Ealert(‘www.eazel.es’)%3C/script%3E keywords: advisory004-Zyxel-Prestige-660H-61-Cross-Site-Scripting.php |
Publicado en 
Etiquetas: 
Siemens SpeedStream 2624 Denial of Service Vulnerability
CVE Reference: CVE-2006-3907 (Links to External Site)
Updated: Jun 13 2008
Original Entry Date: Jul 26 2006
Impact: Denial of service via network
Version(s): Model 2624; possibly others
Description: A vulnerability was reported in SpeedStream. A remote user can cause denial of service conditions.
A remote user can send a specially crafted packet to the administrative web server to cause the target router to freeze. A reboot is necessary to return to normal operations.
The vendor was notified on May 4, 2006.
Jaime Blasco discovered this vulnerability.
The original advisory is available at:
http://www.digitalarmaments.com/2006310665340982.html
Impact: A remote user can cause the target device to freeze.
Solution: No solution was available at the time of this entry.
Vendor URL: www.siemens.com/ (Links to External Site)
Cause: Exception handling error
Reported By: info@digitalarmaments.com
Message History: None.
Flexwatch Authorization Bypassing and XSS Vulnerability
Description:
Multiple FlexWATCH Network Cameras are vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the built-in Web server. A remote attacker could exploit this vulnerability using unspecified scripts and parameters to execute arbitrary script in a victim’s Web browser within the security context of the affected device, allowing the attacker to steal the victim’s cookie-based authentication credentials.
*CVSS:
| Base Score: | 3.7 |
| Access Vector: | Remote |
| Access Complexity: | High |
| Authentication: | Not Required |
| Confidentiality Impact: | Partial |
| Integrity Impact: | Partial |
| Availability Impact: | None |
| Temporal Score: | 2.7 |
| Exploitability: | Unproven |
| Remediation Level: | Official-Fix |
| Report Confidence: | Confirmed |
Consequences:
Gain Access
Remedy:
Refer to the FlexWATCH Web site for patch information. See References.
References:
- BugTraq Mailing List, Mon Jul 10 2006 – 04:38:31 CDT : Digital Armaments Security Advisory 10.07.2006: Flexwath Authorization Bypassing and XSS Vulnerability.
- FlexWATCH Web site: FlexWATCH – Network Camera Server.
- BID-18936: FlexWATCH Network Camera Cross-Site Scripting Vulnerability
- CVE-2006-3603: Cross-site scripting (XSS) vulnerability in index.php in FlexWATCH Network Camera 3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the URL.
- SA20994: FlexWATCH Network Camera FW-3400 Two Vulnerabilities
Leer el resto de esta entrada »