SecurityTracker.com
Category:   Device (Printer)  >   Xerox Document Centre
Vendors:   Xerox
Xerox Document Centre Input Validation Flaw in 'hostname' Parameter Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1017337
SecurityTracker URL:  http://securitytracker.com/id/1017337
CVE Reference:   CVE-2006-6427
Updated:  May 22 2008
Original Entry Date:  Dec 5 2006
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 220, 230, 240, 255, 265, 332, 340, 420, 425, 426, 430, 432, 440, 460, 470, 480, 490, 535, 545, 555
Description:   A vulnerability was reported in Xerox Document Centre. A remote user can execute arbitrary code on the target system.

The web user interface does not properly validate the user-supplied hostname parameter. A remote user can send specially crafted data to bypass authentication and execute arbitrary code on the target system. The code will run with the privileges of the target service.

The vulnerability resides in the ESS/Network Controller and MicroServer Web Server.

Document Centre models 220, 230, 240, 255, 265, 332, 340, 420, 425, 426, 430, 432, 440, 460, 470, 480, 490, 535, 545, and 555 are affected.

The vendor credits Brendan O'Connor with reporting similar vulnerabilities.

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   The vendor has issued a fix.

The Xerox advisory is available at:

http://www.xerox.com/downloads/usa/en/c/cert_XRX06_007_v1.pdf

Vendor URL:  www.xerox.com/downloads/usa/en/c/cert_XRX06_007_v1.pdf
Cause:   Input validation error

Message History:   None.





Copyright 2019, SecurityGlobal.net LLC