Info

Disclosure

Feb 18, 2005

Discovery

Unknown

Dates

Exploit

Feb 18, 2005

Solution

Unknown

Description

TrackerCam contains a flaw that will allow an attacker to inject arbitrary SQL code. The problem is that login requests are logged without sanitization, allowing an attacker to inject arbitrary HTML or scripting in the username / password fields. When the logs are reviewed by an administrator via the TrackerCam interface, the HTML and/or script will be rendered in the admin's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Available

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

Eagletron Inc.

TrackerCam

5.12

References

Security Tracker: 1013238
Related OSVDB ID: 13952 13953 13954 13955 13957 13958
Secunia Advisory ID: 14344
CVE ID: 2005-0480 (see also: NVD)
Other Advisory URL: http://aluigi.altervista.org/adv/tcambof-adv.txt
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0388.html
Vendor URL: http://www.trackercam.com

Credit

Luigi Auriemma - aluigiautistici.org - http://aluigi.altervista.org

Direct URL: http://osvdb.org/36218