
Advisories

SYBSEC-ADV14: March Networks DVR 3204 Logfile Information Disclosure

Title: March Networks DVR 3204 Logfile Information Disclosure
ID: SYBSEC-ADV14
Severity: HIGH
History:
09.FEB.2007 Vulnerability discovered
25.NOV.2007 Vendor contacted
Scope: Information Disclosure
Platforms: March Networks DVR 3204
Author:
URL: http://www.sybsecurity.com/advisors/SYBSEC-ADV14-March_Networks_DVR_3204_Logfile_Information_Disclosure
Release: Public

Overview
DVRs are basically mini-PCs that allow a user to record TV broadcasts, cable, or DirectTV transmissions, depending on the model, in digital form on a hard drive located inside the recorder.
Affected versions
The vulnerability has been reported in March Networks DVR version 3204.
Description
Since configuration of the IP address, user console and root is carried out over the "administrator console", the vulnerability lies within Watchdog's HTTP server application.
Workaround
Upgrade to the software version available for download from:
http://www.marchnetworks.com
Acknowledgments
This vulnerability has been found and researched by:
- Alex Hernandez <ahernandez [at] sybsecurity [dot] com>
References
* MarchNetworks: http://www.marchnetworks.com
* SYB Security: http://www.sybsecurity.com
Details
Any user can obtain the log files without authentication by accessing the following path: http://dvraddress/scripts/logfiles.tar.gz. The intruder can then uncompress the tar file and access config.dat to reveal usernames and passwords, names of devices, and IP addresses of other security components attached to the corporate network.
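A detection check for the request described above, as an added example that is not part of the original advisory: it scans access-log lines for requests to the archive path and classifies each one. It assumes a reverse proxy or web log in front of the DVR writes Common Log Format; the function names and the sample entries are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Path named in the advisory's Details section.
SENSITIVE_PATH = "/scripts/logfiles.tar.gz"

# Common Log Format (assumed); the third field is "-" when no credentials were sent.
CLF = re.compile(
    r'(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2008:10:01:22 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [12/Mar/2008:10:02:05 +0000] "GET /scripts/logfiles.tar.gz HTTP/1.0" 200 48211',
    '198.51.100.7 - - [12/Mar/2008:10:02:09 +0000] "GET /scripts/%6Cogfiles.tar.gz?x=1 HTTP/1.0" 404 -',
    '192.0.2.10 - admin [12/Mar/2008:10:05:00 +0000] "GET /SCRIPTS//logfiles.tar.gz HTTP/1.0" 200 48211',
]

def normalize(target):
    """Canonicalise a request target so encoded or padded variants still match."""
    path = re.sub(r"^[A-Za-z][A-Za-z0-9+.-]*://[^/]*", "", target)  # absolute-form
    path = unquote(path.split("?", 1)[0].split("#", 1)[0])
    path = re.sub(r"/{2,}", "/", "/" + path)
    # Lower-casing assumes a case-insensitive server; it errs toward over-reporting.
    return posixpath.normpath(path).lower()

def find_logfile_requests(lines):
    """Return one finding per request for the log archive, with a verdict."""
    findings = []
    for line in lines:
        m = CLF.match(line)
        if not m or normalize(m["target"]) != SENSITIVE_PATH:
            continue
        served = m["status"] in ("200", "206") and m["size"] not in ("-", "0")
        if served and m["user"] == "-":
            verdict = "unauthenticated-download"  # treat config.dat contents as exposed
        elif served:
            verdict = "authenticated-download"
        else:
            verdict = "probe"
        findings.append({"src": m["src"], "time": m["ts"], "verdict": verdict})
    return findings

if __name__ == "__main__":
    for finding in find_logfile_requests(SAMPLE_LOG):
        print(finding)
```

An "unauthenticated-download" finding means the credentials and device details in config.dat should be rotated and reviewed, since the archive left the device without a login.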
Exploit tool