Info

Disclosure

Dec 28, 2007

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

March Networks 3204 DVR contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when specific logfiles are downloaded, which contain sensitive information by accessing a specific URL resulting in a loss of confidentiality.

Classification

Location: Local Access Required
Attack Type: Information Disclosure
Impact: Loss of Confidentiality, Loss of Integrity
Solution: Patch / RCS
Exploit: Exploit Public
Disclosure: Vendor Verified

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, March Networks has released a patch to address this vulnerability.

Products

March Networks

3204 DVR

N/A

References

CVE ID: 2007-6638 (see also: NVD)
Bugtraq ID: 27054
Secunia Advisory ID: 28211
Milw0rm: 4797
Exploit Database: 4797
Generic Exploit URL: http://www.milw0rm.com/papers/190
Other Advisory URL: http://www.sybsecurity.com/advisors/SYBSEC-ADV14-March_Networks_DVR_3204_Logfile_Information_Disclosure
http://www.sybsecurity.com/pages/advisors/static/dvr3204_exp.txt
http://www.sybsecurity.com/resources/static/An_Insecurity_Overview_of_the_March_Networks_DVR-CCTV_3204.pdf

Credit

Alex Hernandez - ahernandezsybsecurity.com - SYB Security

Direct URL: http://osvdb.org/39726