The NETObserve PC surveillance software uses a web service to provide remote access to the monitored PC. This web service requires a username and password, but the authentication can be bypassed by sending the cookie value 'login=0'. Once access has been obtained, all features of the NETObserve system are available, including the ability to upload files and execute commands.
Classification
Unknown or Incomplete
Solution
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):
Configure the NETObserve service to only allow trusted IP addresses to connect.
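A detection check to run alongside the workaround, given as an added example that is not part of the original advisory or of the NETObserve product: it parses captured HTTP requests sent to the service, flags any that carry the 'login=0' cookie, and records whether the source is on the trusted list. The trusted network, the host name and the sample requests are constructed, and the function names are hypothetical; it assumes any request carrying this cookie deserves review.

```python
import ipaddress

# Assumption: networks allowed to reach the NETObserve service (constructed value).
TRUSTED_NETS = [ipaddress.ip_network("10.0.5.0/24")]

def cookies_from_request(raw):
    """Return {name: value} from the Cookie header(s) of a raw HTTP request."""
    cookies = {}
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "cookie":
            continue                               # header names are case-insensitive
        for pair in value.split(";"):
            key, eq, val = pair.partition("=")
            if eq:
                cookies[key.strip()] = val.strip().strip('"')
    return cookies

def is_trusted(src_ip):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_NETS)

def review(requests):
    """Return one finding per request whose 'login' cookie is exactly '0'."""
    findings = []
    for src_ip, raw in requests:
        if cookies_from_request(raw).get("login") == "0":
            findings.append({
                "src": src_ip,
                "trusted_source": is_trusted(src_ip),
                "request_line": raw.split("\r\n", 1)[0],
            })
    return findings

# Constructed sample: (source IP, raw request) pairs, e.g. from a proxy or capture.
SAMPLE_REQUESTS = [
    ("10.0.5.20", "GET / HTTP/1.1\r\nHost: monitor.example\r\nCookie: login=0\r\n\r\n"),
    ("203.0.113.9", "GET / HTTP/1.1\r\nHost: monitor.example\r\ncookie: theme=dark;  login=0\r\n\r\n"),
    ("203.0.113.10", "GET / HTTP/1.1\r\nHost: monitor.example\r\nCookie: login=01\r\n\r\n"),
    ("10.0.5.21", "GET / HTTP/1.1\r\nHost: monitor.example\r\n\r\n"),
]

if __name__ == "__main__":
    for f in review(SAMPLE_REQUESTS):
        print(f)
```

A finding with trusted_source set to False means the IP restriction is not in effect for that path to the service.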