ID
VAR-200412-0547
CVE
CVE-2004-2326
TITLE
IP3 Networks IP3 NetAccess Appliance SQL Inject the vulnerability.
Trust: 0.6
DESCRIPTION
SQL injection vulnerability in IP3 Networks NetAccess Appliance before firmware 3.1.18b13 allows remote attackers to bypass authentication via the (1) login or (2) password. NOTE: this issue was later reported to also affect firmware 4.0.34. The IP3 NetAccess Appliance is reported prone to a remote SQL-injection vulnerability. This issue is due to the application's failure to properly sanitize user input. This issue may allow an attacker to gain full control of the appliance through the network-administration interface. The attacker may also be able to influence database queries to view or modify sensitive information, potentially compromising the system or the database. -------------------- KPMG recommends that owners of a NetAccess NA75 take steps to ensure the security of the device, and that IP3 Networks is contacted to acquire the new firmware that includes the patches for the issues described. IP3 Networks has requested that customers contact IP3 through http://www.ip3.com/supportoverview.htm. Product: NA75 and possibly others Revision: na-img-4.0.34.bin Vendor Status: notified, verified and patch available from 1 April 2006 Risk: High Remote: Yes Local: Yes --------------------- ISSUE 1: Various SQL injection vulnerabilities in the HTTP user interface Due to the absence of user input validation, attackers can embed SQL commands and queries into various HTTP forms. The impact of this is that attackers can login into the unit by specifying username 'admin' and password ' OR "1=1';--. However, as can be seen from the above info, we have found the vulnerability to be present in firmware 4.0.34. ISSUE 2: Unix command injection vulnerability in command line interface Due to the absence of user input filtering in the command line interface, attackers can embed Unix commands in certain parameters by passing the commands in the unix shell substitution characters '`'. ISSUE 3: No mandatory default password change on first login The default username and password 'admin'/'admin' do not have to be changed at first login. This greatly increases the chance of the password remaining 'admin' after install. ISSUE 4: World readable shadow password file The shadow password file contains the encrypted passwords for all users on the system. Password crackers can be used on this file to obtain the plaintext passwords for users. ISSUE 5: NetAccess database file world readable and writable The permission settings on the NetAccess database file allow all unix users read and write access to the file, thereby allowing potentially sensitive customer information to be disclosed. Ralph Moonen, CISSP Manager KPMG Information Risk Management Amstelveen, The Netherlands -------------------------------------------------------------------------------------------------------------------------------------------- De informatie verzonden met dit e-mailbericht (en bijlagen) is uitsluitend bestemd voor de geadresseerde(n) en zij die van de geadresseerde(n) toestemming hebben dit bericht te lezen. Gebruik door anderen dan geadresseerde(n) is verboden. De informatie in dit e-mailbericht (en de bijlagen) kan vertrouwelijk van aard zijn en kan binnen het bereik vallen van een geheimhoudingsplicht. KPMG is niet aansprakelijk voor schade ten gevolge van het gebruik van elektronische middelen van communicatie, daaronder begrepen -maar niet beperkt tot- schade ten gevolge van niet aflevering of vertraging bij de aflevering van elektronische berichten, onderschepping of manipulatie van elektronische berichten door derden of door programmatuur/apparatuur gebruikt voor elektronische communicatie en overbrenging van virussen en andere kwaadaardige programmatuur. Any information transmitted by means of this e-mail (and any of its attachments) is intended exclusively for the addressee or addressees and for those authorized by the addressee or addressees to read this message. Any use by a party other than the addressee or addressees is prohibited. The information contained in this e-mail (or any of its attachments) may be confidential in nature and fall under a duty of non-disclosure. KPMG shall not be liable for damages resulting from the use of electronic means of communication, including -but not limited to- damages resulting from failure or delay in delivery of electronic communications, interception or manipulation of electronic communications by third parties or by computer programs used for electronic communications and transmission of viruses and other malicious code. --------------------------------------------------------------------------------------------------------------------------------------------
Trust: 1.35
AFFECTED PRODUCTS
| vendor: | ip3 | model: | netaccess - wireless hotspots | scope: | eq | version: | * | Trust: 1.0 |
| vendor: | ip3 | model: | netaccess | scope: | eq | version: | * | Trust: 1.0 |
| vendor: | ip3 | model: | netaccess - hospitality | scope: | eq | version: | * | Trust: 1.0 |
| vendor: | ip3 | model: | netaccess | scope: | - | version: | - | Trust: 0.6 |
| vendor: | ip3 | model: | netaccess - wireless hotspots | scope: | - | version: | - | Trust: 0.6 |
| vendor: | ip3 | model: | netaccess - hospitality | scope: | - | version: | - | Trust: 0.6 |
| vendor: | ip3 | model: | networks na75 | scope: | eq | version: | 4.0.34 | Trust: 0.3 |
| vendor: | ip3 | model: | networks ip3 netaccess wireless isps & mdus | scope: | eq | version: | -4.0.34 | Trust: 0.3 |
| vendor: | ip3 | model: | networks ip3 netaccess wireless isps & mdus b13 | scope: | eq | version: | -3.1.18 | Trust: 0.3 |
| vendor: | ip3 | model: | networks ip3 netaccess wireless isps & mdus | scope: | eq | version: | - | Trust: 0.3 |
| vendor: | ip3 | model: | networks ip3 netaccess wireless hotzones & small hotels | scope: | eq | version: | -4.0.34 | Trust: 0.3 |
| vendor: | ip3 | model: | networks ip3 netaccess wireless hotzones & small hotels b13 | scope: | eq | version: | -3.1.18 | Trust: 0.3 |
| vendor: | ip3 | model: | networks ip3 netaccess wireless hotzones & small hotels | scope: | eq | version: | - | Trust: 0.3 |
| vendor: | ip3 | model: | networks ip3 netaccess wireless hotspots | scope: | eq | version: | -4.0.34 | Trust: 0.3 |
| vendor: | ip3 | model: | networks ip3 netaccess wireless hotspots b13 | scope: | eq | version: | -3.1.18 | Trust: 0.3 |
| vendor: | ip3 | model: | networks ip3 netaccess wireless hotspots | scope: | eq | version: | - | Trust: 0.3 |
| vendor: | ip3 | model: | networks ip3 netaccess hospitality | scope: | eq | version: | -4.0.34 | Trust: 0.3 |
| vendor: | ip3 | model: | networks ip3 netaccess hospitality b13 | scope: | eq | version: | -3.1.18 | Trust: 0.3 |
| vendor: | ip3 | model: | networks ip3 netaccess hospitality | scope: | eq | version: | - | Trust: 0.3 |
| vendor: | ip3 | model: | networks ip3 netaccess campus and mdus | scope: | eq | version: | -4.0.34 | Trust: 0.3 |
| vendor: | ip3 | model: | networks ip3 netaccess campus and mdus b13 | scope: | eq | version: | -3.1.18 | Trust: 0.3 |
| vendor: | ip3 | model: | networks ip3 netaccess campus and mdus | scope: | eq | version: | - | Trust: 0.3 |
CVSS
SEVERITY | CVSSV2 | CVSSV3 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|
PROBLEMTYPE DATA
| problemtype: | NVD-CWE-Other | Trust: 1.0 |
THREAT TYPE
remote
Trust: 0.6
TYPE
SQL injection
Trust: 0.6
EXPLOIT AVAILABILITY
EXTERNAL IDS
| db: | BID | id: | 9858 | Trust: 2.1 |
| db: | NVD | id: | CVE-2004-2326 | Trust: 1.7 |
| db: | CNNVD | id: | CNNVD-200412-1019 | Trust: 0.7 |
| db: | BUGTRAQ | id: | 20060424 MULTIPLE VULNERABILITIES IN IP3 NETWORKS 'NETACCESS' NA75 APPLIANCE | Trust: 0.6 |
| db: | XF | id: | 3 | Trust: 0.6 |
| db: | XF | id: | 26106 | Trust: 0.6 |
| db: | EXPLOIT-DB | id: | 23808 | Trust: 0.1 |
| db: | SEEBUG | id: | SSVID-77557 | Trust: 0.1 |
| db: | VULHUB | id: | VHN-10754 | Trust: 0.1 |
| db: | PACKETSTORM | id: | 45883 | Trust: 0.1 |
REFERENCES
| url: | http://www.securityfocus.com/bid/9858 | Trust: 1.8 |
| url: | http://www.securityfocus.com/archive/1/432007/100/0/threaded | Trust: 1.1 |
| url: | https://exchange.xforce.ibmcloud.com/vulnerabilities/26106 | Trust: 1.1 |
| url: | http://www.securityfocus.com/archive/1/archive/1/432007/100/0/threaded | Trust: 0.6 |
| url: | http://xforce.iss.net/xforce/xfdb/26106 | Trust: 0.6 |
| url: | http://www.ip3.com/ | Trust: 0.3 |
| url: | /archive/1/432007 | Trust: 0.3 |
| url: | http://www.ip3.com/supportoverview.htm. | Trust: 0.1 |
CREDITS
Discovery of this issue is credited to Syam Yanuar <sy4m@yahoo.com>.
Trust: 0.9
SOURCES
| db: | VULHUB | id: | VHN-10754 |
| db: | BID | id: | 9858 |
| db: | PACKETSTORM | id: | 45883 |
| db: | CNNVD | id: | CNNVD-200412-1019 |
| db: | NVD | id: | CVE-2004-2326 |
LAST UPDATE DATE
2024-08-14T13:13:24.034000+00:00
SOURCES UPDATE DATE
| db: | VULHUB | id: | VHN-10754 | date: | 2018-10-19T00:00:00 |
| db: | BID | id: | 9858 | date: | 2006-04-26T20:26:00 |
| db: | CNNVD | id: | CNNVD-200412-1019 | date: | 2006-06-15T00:00:00 |
| db: | NVD | id: | CVE-2004-2326 | date: | 2018-10-19T15:30:54.307 |
SOURCES RELEASE DATE
| db: | VULHUB | id: | VHN-10754 | date: | 2004-12-31T00:00:00 |
| db: | BID | id: | 9858 | date: | 2004-03-12T00:00:00 |
| db: | PACKETSTORM | id: | 45883 | date: | 2006-04-29T00:33:05 |
| db: | CNNVD | id: | CNNVD-200412-1019 | date: | 2004-12-31T00:00:00 |
| db: | NVD | id: | CVE-2004-2326 | date: | 2004-12-31T05:00:00 |