Canon VB-C10R Network Camera Input Validation Flaw Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1008579|
SecurityTracker URL: http://securitytracker.com/id/1008579
(Links to External Site)
Date: Dec 31 2003
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information|
Exploit Included: Yes |
Version(s): VB-C10R; Firmware 1.0 Rev. 21|
An input validation vulnerability was reported in the Canon VB-C10R Network Camera. A remote user can conduct cross-site scripting attacks.|
It is reported that the built-in web server does not filter user-supplied HTML from HTTP requests before displaying the user-supplied request URL when an invalid page is requested. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the Network Camera and will run in the security context of the camera. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A demonstration exploit URL is provided:
The vendor was reportedly notified on November 28, 2003.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the network camera, access data recently submitted by the target user via web form to the camera, or take actions on the camera acting as the target user.|
No solution was available at the time of this entry.|
Vendor URL: www.canon.com/wvw/product/vbc10/index.htm (Links to External Site)
Input validation error|
Source Message Contents
Subject: [Full-Disclosure] XSS vulnerability in Canon webcam|
I ran a nessus security scan against our recently purchased Canon VB-C10R Network
Camera (remote controlled web-cam). It revealed the information listed below, which
includes a Cross Site Scripting vulnerability in the embedded web sever. I have
verified that this affects Opera 6 & 7, Mozilla Firebird 0.6.1, Netscape 4.x, 6 & 7, and
Mozilla 1.6b, but it does not effect my IE6sp1+, including NeoPlanet and Avant.
I have contacted Canon several times about this but I don't think they are too
concerned (and I don't have the experience to determine if this is a significant problem
or not; or if other web-cams are also vulnerable). Canon did not acknowledged any of
my emails or even the fax their customer support person asked me to send until finally
I was able to speak with a supervisor the next week who said they had received an
email and that it was going to being sent to their NY HQ, which would then send it to
their engineers in Japan. He didn't think I would hear anything for at least a couple of
weeks, if ever. I initially called them on Nov. 28th.
I would appreciate any comments on this issue.
<snip from Email to Canon>
...The Flash ROM Firmware for the camera was upgraded to the latest - ver. 1.0 Rev.
21 prior to the scan. The camera's s/n is 2510320297. Of these issues, item three is
of the most concern to me. Perhaps an upgrade to boa 0.94.13 <http://www.boa.org/>
may solve this problem? (I have not taken the time yet to further research this.)
Please let me know the status of this issue and your time line for resolution.
1) Service: http (80/tcp)
Severity: Low - The following directories were discovered:
The following directories require authentication:
/admin, /cgi-bin, /java, /support
2) Service: http (80/tcp)
The remote web server type is :
This web server was fingerprinted as Boa/0.92o
which is consistent with the displayed banner
Solution : We recommend that you configure (if possible) your web server to return
a bogus Server header in order to not leak information.
3) The remote web server seems to be vulnerable to the Cross Site Scripting
vulnerability (XSS). The vulnerability is caused by the result returned to the user when
The vulnerability would allow an attacker to make the server present the user with the
Since the content is presented by the server, the user will give it the trust level of the
server (for example, the trust level of banks, shopping centers, etc. would usually be
Sample url : http://198.182.xxx.xxx:80/<SCRIPT>alert('Vulnerable')</SCRIPT>.jsp
Risk factor : Medium
Department of Transportation
City of Tucson
Full-Disclosure - We believe in it.