Vulnerability Note VU#251133
S2 NetBox allows unauthenticated HTTP access to node logs, backups, and employee photographs
S2 NetBox and related products do not adequately restrict access to node logs, backups, and employee photographs. A remote, unauthenticated attacker could use information obtained from a vulnerable system to aid in further attacks.
S2 NetBox is a line of "...open architecture, scalable, IP network-ready products for the physical security industry that integrate access control, alarm monitoring, video surveillance, and temperature monitoring." S2 Netbox systems are operated entirely via a web interface.
The Netbox web server does not properly authenticate access to several directories, allowing an unauthenticated attacker to access network node logs, employee photographs, and backup archives.
An unauthenticated, remote attacker can access node logs, backups, and employee photographs. An attacker may be able to crack passwords contained in a backup and gain administrative control over the system. Node logs and employee photographs could provide an attacker with reconnaissance information.
Upgrade or patch
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Linear LLC||Affected||-||25 May 2010|
|S2 Security||Affected||23 Mar 2010||12 May 2010|
|Sonitrol||Affected||-||09 Jul 2010|
CVSS Metrics (Learn More)
These vulnerabilities were researched and reported by Shawn Merdinger. Thanks to S2 Security for information used in this document.
This document was written by Art Manion.
- CVE IDs: CVE-2010-2466
- Date Public: 24 Jun 2010
- Date First Published: 24 Jun 2010
- Date Last Updated: 09 Jul 2010
- Severity Metric: 2.63
- Document Revision: 31
If you have feedback, comments, or additional information about this vulnerability, please send us email.