Main Vulnerability Database Exploits ID:1839 - Exploit for Authorization bypass in Axis Communications video cameras - CVE-2018-10661

ID:1839 - Exploit for Authorization bypass in Axis Communications video cameras - CVE-2018-10661

Published: March 18, 2020

Vulnerability identifier: #VU13384

Vulnerability risk: Low

CVE-ID: CVE-2018-10661

CWE-ID: CWE-862

Exploitation vector: Remote access

Vulnerable software:
Axis Communications video cameras

Link to public exploit:

https://www.rapid7.com/db/modules/exploit/linux/http/axis_srv_parhand_rce

Vulnerability description

The vulnerability allows a remote attacker to bypass authorization on the target system.

The weakness exists in mod_authz_axisgroupfile.so: a custom authorization module for Apache httpd that was written by the vendor due to insufficient validation of user-supplied input. A remote attacker can send unauthenticated requests to a world-readable file that are followed by a backslash and end with the .srv extension that are treated by the authorization code as standard requests to the index.html and thus granted access and bypass the web-server’s authorization mechanism.

Remediation

Install update from vendor's website.

ID:1839 - Exploit for Authorization bypass in Axis Communications video cameras - CVE-2018-10661

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human