Vulnerability Note VU#574739

Beck GmbH IPC@Chip does not adequately validate user input thereby disclosing sensitive network data via crafted URL

Original Release date: 14 Sep 2001 | Last revised: 09 Apr 2003

Overview

An insecure default configuration in the Beck IPC@CHIP allows an intruder to obtain priviledged system information.

Description

The Beck IPC@CHIP is a single chip embedded webserver. The Beck IPC@CHIP ships with a cgi script named "ChipCfg". Using a specially crafted url, an attacker can cause this cgi script to return sensitive network configuration data stored on the IPC@CHIP.

Impact

An intruder can gain access to sensitive network data stored on the IPC@CHIP.

Solution

According to Ernest Schloesser of Beck IPC GmbH, the API allows removal of this CGI with the CGI_REMOVE function.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Beck GmbHAffected21 May 200117 Jul 2002
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This vulnerability was discovered by Sentry Research Labs.

This document was written by Ian A. Finlay.

Other Information

  • CVE IDs: CAN-2001-1341
  • Date Public: 24 May 2001
  • Date First Published: 14 Sep 2001
  • Date Last Updated: 09 Apr 2003
  • Severity Metric: 6.75
  • Document Revision: 14

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.