SecurityTracker: Xerox WorkCentre Pro Web Service Lets Remote Users Bypass Authentication, Obtain Files, Modify Web Pages, or Deny Service

	Keep Track of the Latest Vulnerabilities with SecurityTracker!

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary

Instant Alerts

Buy our Premium Vulnerability Notification Service to receive customized, instant alerts

Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!

Become a Partner and License Our Database or Notification Service

Report a Bug

Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com

Category: Application (Generic) > Xerox WorkCentre

Xerox WorkCentre Pro Web Service Lets Remote Users Bypass Authentication, Obtain Files, Modify Web Pages, or Deny Service

SecurityTracker Alert ID: 1014429

SecurityTracker URL: http://securitytracker.com/id/1014429

CVE Reference: CVE-2005-2200, CVE-2005-2201, CVE-2005-2202 (Links to External Site)

Updated: Jun 15 2008

Original Entry Date: Jul 8 2005

Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of user information, User access via network

Fix Available: Yes Vendor Confirmed: Yes

Version(s): C2128, C2636, C3545

Description: Several vulnerabilities were reported in Xerox WorkCentre Pro in the embedded web server. A remote user may be able to gain access to the system or cause denial of service conditions

The vulnerabilities reside in the Xerox MicroServer Web Server code.

A remote user can bypass authentication.

A remote user can send a specially crafted HTTP request to gain unauthorized access to files on the target system or to cause denial of service conditions.

A remote user can exploit a cross-site scripting flaw to modify web pages.

Impact: A remote user can bypass authentication to gain access to the target system.

A remote user can cause denial of service conditions.

A remote user can modify web pages.

A remote user can obtain files on the target system.

Solution: The vendor has issued a patch, available at:

http://www.xerox.com/downloads/usa/en/c/cert_P22_NIAP_WCP_C_Only.zip

Instructions on applying the patch are contained in the vendor's advisory, available at:

http://www.xerox.com/downloads/usa/en/c/cert_XRX05_006.pdf

Vendor URL: www.xerox.com/downloads/usa/en/c/cert_XRX05_006.pdf (Links to External Site)

Cause: Access control error, Authentication error, Exception handling error, Input validation error

Underlying OS:

Message History: None.

Source Message Contents

Date: Fri, 8 Jul 2005 11:06:17 -0400
Subject: http://www.xerox.com/downloads/usa/en/c/cert_XRX05_006.pdf



> XEROX SECURITY BULLETIN XRX05-006
> Vulnerabilities in the Xerox MicroServer Web Server could potentially permit 
> unauthorized access.

> There are multiple vulnerabilities in the web server code that could allow 
> unauthorized access to the web server including:
> • Vulnerabilities that could bypass authentication.
> • Specially constructed HTTP requests can cause denial of service or allow 
>   unauthorized file access on an attacked machine.
> • Cross-site scripting allowing contents of web pages to be modified in an 
>   unauthorized manner.
> If successful, an attacker could make unauthorized changes to the system 
> configuration. Customer and user passwords are not exposed.

> WorkCentre® Pro
> C2128
> C2636
> C3545

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
Copyright 2012, SecurityGlobal.net LLC