ID

VAR-200610-0509


CVE

CVE-2006-5175


TITLE

TeraStation HD-HTGL series cross-site request forgery vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2006-000665

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in the administrative interface for the TeraStation HD-HTGL firmware 2.05 beta 1 and earlier allows remote attackers to modify configurations or delete arbitrary data via unspecified vectors. The TeraStation HD-HTGL series provided by Buffalo, Inc. are hard disks for LAN connection and have an administrative web interface.

TITLE: TeraStation HD-HTGL Series Cross-Site Request Forgery
SECUNIA ADVISORY ID: SA22248
VERIFY ADVISORY: http://secunia.com/advisories/22248/
CRITICAL: Less critical
IMPACT: Cross Site Scripting, Manipulation of data
WHERE: From remote
OPERATING SYSTEM: TeraStation HD-HTGL Series http://secunia.com/product/12189/
DESCRIPTION: A vulnerability has been reported in TeraStation HD-HTGL Series, which can be exploited by malicious people to conduct cross-site request forgery attacks. The vulnerability is caused by an error within the web administration interface, which allows certain sensitive actions to be performed without verifying the user's request. This can be exploited to modify certain configuration sections or delete data stored on the device. The vulnerability is reported in firmware 2.05. Other versions may also be affected.
SOLUTION: Do not visit untrusted sites while being logged in to the device.
PROVIDED AND/OR DISCOVERED BY: Reported by JVN.
ORIGINAL ADVISORY: http://jvn.jp/jp/JVN%2393484133/index.html

Trust: 1.8

sources: NVD: CVE-2006-5175 // JVNDB: JVNDB-2006-000665 // VULHUB: VHN-21283 // PACKETSTORM: 50493

AFFECTED PRODUCTS

vendor: buffalotech, model: terastation hd-htgl, scope: eq, version: 2.05_beta1

Trust: 1.6

vendor: buffalo, model: hd-htgl series, scope: lte, version: firmware ver. 2.05-beta-1

Trust: 0.8

sources: JVNDB: JVNDB-2006-000665 // CNNVD: CNNVD-200610-169 // NVD: CVE-2006-5175

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2006-5175
value: HIGH

Trust: 1.0

IPA: JVNDB-2006-000665
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200610-169
value: HIGH

Trust: 0.6

VULHUB: VHN-21283
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2006-5175
severity: HIGH
baseScore: 7.6
vectorString: AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 4.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

IPA: JVNDB-2006-000665
severity: HIGH
baseScore: 7.0
vectorString: AV:N/AC:H/AU:N/C:N/I:C/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: NONE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-21283
severity: HIGH
baseScore: 7.6
vectorString: AV:N/AC:H/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 4.9
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-21283 // JVNDB: JVNDB-2006-000665 // CNNVD: CNNVD-200610-169 // NVD: CVE-2006-5175

PROBLEMTYPE DATA

problemtype: CWE-352

Trust: 1.9

sources: VULHUB: VHN-21283 // JVNDB: JVNDB-2006-000665 // NVD: CVE-2006-5175

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200610-169

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-200610-169

CONFIGURATIONS

sources: JVNDB: JVNDB-2006-000665

PATCH

title: Download Service, url: http://buffalo.jp/download/driver/hd/hd-htgl.html

Trust: 0.8

sources: JVNDB: JVNDB-2006-000665

EXTERNAL IDS

db: SECUNIA, id: 22248

Trust: 2.6

db: NVD, id: CVE-2006-5175

Trust: 2.5

db: VUPEN, id: ADV-2006-3891

Trust: 1.7

db: XF, id: 29338

Trust: 1.4

db: JVN, id: JVN93484133

Trust: 0.8

db: JVNDB, id: JVNDB-2006-000665

Trust: 0.8

db: CNNVD, id: CNNVD-200610-169

Trust: 0.7

db: JVN, id: JVN#93484133

Trust: 0.6

db: BID, id: 84566

Trust: 0.1

db: VULHUB, id: VHN-21283

Trust: 0.1

db: PACKETSTORM, id: 50493

Trust: 0.1

sources: VULHUB: VHN-21283 // JVNDB: JVNDB-2006-000665 // PACKETSTORM: 50493 // CNNVD: CNNVD-200610-169 // NVD: CVE-2006-5175

REFERENCES

url:http://jvn.jp/jp/jvn%2393484133/index.html

Trust: 1.8

url:http://secunia.com/advisories/22248

Trust: 1.7

url:http://www.frsirt.com/english/advisories/2006/3891

Trust: 1.4

url:http://xforce.iss.net/xforce/xfdb/29338

Trust: 1.4

url:http://www.vupen.com/english/advisories/2006/3891

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/29338

Trust: 1.1

url:http://secunia.com/advisories/22248/

Trust: 0.9

url:http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2006-5175

Trust: 0.8

url:http://jvn.jp/en/jp/jvn93484133/index.html

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2006-5175

Trust: 0.8

url:http://secunia.com/product/12189/

Trust: 0.1

sources: VULHUB: VHN-21283 // JVNDB: JVNDB-2006-000665 // PACKETSTORM: 50493 // CNNVD: CNNVD-200610-169 // NVD: CVE-2006-5175

CREDITS

Secunia

Trust: 0.1

sources: PACKETSTORM: 50493

SOURCES

db: VULHUB, id: VHN-21283
db: JVNDB, id: JVNDB-2006-000665
db: PACKETSTORM, id: 50493
db: CNNVD, id: CNNVD-200610-169
db: NVD, id: CVE-2006-5175

LAST UPDATE DATE

2024-08-14T15:04:33.974000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-21283, date: 2017-07-20T00:00:00
db: JVNDB, id: JVNDB-2006-000665, date: 2008-05-21T00:00:00
db: CNNVD, id: CNNVD-200610-169, date: 2006-10-10T00:00:00
db: NVD, id: CVE-2006-5175, date: 2017-07-20T01:33:34.930

SOURCES RELEASE DATE

db: VULHUB, id: VHN-21283, date: 2006-10-10T00:00:00
db: JVNDB, id: JVNDB-2006-000665, date: 2008-05-21T00:00:00
db: PACKETSTORM, id: 50493, date: 2006-10-03T22:17:11
db: CNNVD, id: CNNVD-200610-169, date: 2006-10-10T00:00:00
db: NVD, id: CVE-2006-5175, date: 2006-10-10T04:06:00