Category:   Device (Printer)  >   Xerox Document Centre
Vendors:   Xerox
Xerox Document Centre MicroServer Web Server Bugs Let Remote Users Bypass Authentication, View Files, and Deny Service
SecurityTracker Alert ID:  1014720
SecurityTracker URL:  http://securitytracker.com/id/1014720
CVE Reference:   CVE-2005-2645, CVE-2005-2646, CVE-2005-2647
Updated:  Jun 8 2008
Original Entry Date:  Aug 17 2005
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 220, 230, 240, 255, 265, 332, 340, 420, 425, 426, 430, 432, 440, 460, 470, 480, 490, 535, 545, 555.
Description:   Several vulnerabilities were reported in the Xerox Document Centre in the MicroServer Web Server component. A remote user can bypass authentication, access files on the target system, deny service, and conduct cross-site scripting attacks.

A remote user can bypass web server authentication.

A remote user can send a specially crafted HTTP request to cause denial of service conditions or to view files on the target system.

A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the Document Centre system and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the system, access data recently submitted by the target user via web form to the system, or take actions on the system acting as the target user.

Impact:   A remote user can bypass authentication.

A remote user can access files on the target system.

A remote user can deny service.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the Document Centre system, access data recently submitted by the target user via web form to the system, or take actions on the system acting as the target user.

Solution:   The vendor has issued a fix, available at:

http://www.xerox.com/downloads/usa/en/c/cert_P24_MicroServer_Web_Server_Patch.zip

http://www.xerox.com/downloads/usa/en/c/cert_P25_MicroServer_Web_Server_Patch.zip

To determine which fix applies, see the vendor's advisories at:

http://www.xerox.com/downloads/usa/en/c/cert_XRX05_008.pdf
http://www.xerox.com/downloads/usa/en/c/cert_XRX05_009.pdf

Vendor URL:  www.xerox.com/downloads/usa/en/c/cert_XRX05_008.pdf
Cause:   Access control error, Authentication error, Exception handling error, Input validation error

Message History:   None.



Copyright 2022, SecurityGlobal.net LLC