Information Assurance

Jonathan Alston




Bugtraq Analysis

Flex Watch

Media Analysis -
FlexWATCH-Webs 2.2 (NTSC)

Authorization Bypass


Bugtraq email: FlexWATCH-Webs 2.2 (NTSC) Authorization Bypass
Link: http://www.securityfocus.com/archive/1/354991

FlexWATCH is used for remote administration and as a security surveillance server. Security camera servers should not be accessible to anyone but the administrator.

This is a case of authorization bypass which can be exploited remotely using a browser. The bypass is caused by the use of a double slash when referring to files on the host server.

Requesting any one of the following links (parentheses stand in for angle brackets) will allow anyone full control over the server:
http://(host)//app/idxam.html
http://(host)//app/idxas.html
http://(host)//app/idxasp.html
http://(host)//admin/aindex.htm
http://(host)//live.html

If an attacker requests the following URL from the server (parentheses again stand in for angle brackets where appropriate): http://(host)/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (scripts) alert('xss') (/scripts), an XSS alert appears, showing that the server allows an attacker to inject and execute scripts.

This vulnerability can allow attackers to rewrite the contents of the webpage by injecting scripts into it.

This works because Flex Watch contains a vulnerability in its URL filter which allows a remote attacker to bypass the filter by using double slash characters (//) in the URL request: the filter compares the raw path against its list of protected pages, while the file server resolves "//app/..." to the same page as "/app/...". Therefore, an attacker can reach pages that should require authorization and inject script into the server's responses.
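The following is an added Python example, not FlexWATCH's code and not from the bugtraq post. It models the class of filter the advisory describes (a prefix check on the raw, un-normalized path, which misses //app/idxam.html), the path normalization that closes the gap, HTML escaping of the echoed hostname, and a log-review helper that flags non-canonical request paths. The protected-prefix list and all function names are assumptions.

```python
import html
import posixpath
from urllib.parse import unquote

# Assumed list of pages the advisory says should require authorization.
PROTECTED_PREFIXES = ("/app/", "/admin/", "/live.html")


def naive_requires_auth(raw_path: str) -> bool:
    """Illustrative flawed filter: prefix check on the raw request path.

    "//app/idxam.html" does not start with "/app/", so it slips through,
    even though the file server resolves both to the same page.
    """
    return raw_path.startswith(PROTECTED_PREFIXES)


def canonical_path(raw_path: str) -> str:
    """Percent-decode, then collapse duplicate slashes and dot segments."""
    path = unquote(raw_path)
    # posixpath.normpath keeps a leading "//" (POSIX allows it), so fold
    # any run of leading slashes into one before normalizing.
    return posixpath.normpath("/" + path.lstrip("/"))


def hardened_requires_auth(raw_path: str) -> bool:
    """Authorize on the canonical path, which is also the path to serve."""
    return canonical_path(raw_path).startswith(PROTECTED_PREFIXES)


def render_host_echo(host_header: str) -> str:
    """Escape the Host header before echoing it into an HTML page."""
    return "<p>Requested host: %s</p>" % html.escape(host_header, quote=True)


def flag_noncanonical(raw_paths):
    """Log review: return request paths whose raw form differs from the
    canonical one (double slashes, dot segments, encoded slashes)."""
    flagged = []
    for p in raw_paths:
        # A bare trailing slash is harmless, so ignore that difference.
        if canonical_path(p) != (p.rstrip("/") or "/"):
            flagged.append(p)
    return flagged
```

The same normalization must be applied before both the authorization check and file lookup; otherwise the two can still disagree about which page a request names.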

In the words of securityfocus.com:

If all of these circumstances are met, an attacker may be able to exploit this issue via a malicious link containing arbitrary HTML and script code as part of the hostname. When the malicious link is clicked by an unsuspecting user, the attacker-supplied HTML and script code will be executed by their web client. This will occur because the server will echo back the malicious hostname supplied in the client's request, without sufficiently escaping HTML and script code.

Attacks of this nature may make it possible for attackers to manipulate web content or to steal cookie-based authentication credentials. It may be possible to take arbitrary actions as the victim user.

This authorization bypass is also exposed wherever the software is combined with other supporting software and hardware to implement various types of remote monitoring and security solutions.