Axis StorPoint contains a flaw that may allow a malicious user to bypass authorization for the administration interface. The issue is triggered when a URL is accessed using directory traversal techniques. The flaw may allow unauthorized users to reconfigure the device, resulting in a loss of integrity or availability.
Classification
Location: Remote/Network Access Required
Attack Type: Authentication Management, Information Disclosure
Impact: Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Web Related
Technical
http://[victim]/cd/../config/html/cnf_gi.htm
If you are not prompted for authentication, the StorPoint system is vulnerable.
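For defenders who cannot upgrade immediately, the request pattern above can be hunted for in access logs. The following is an added example, not part of the original advisory: it assumes Common Log Format lines from a proxy or gateway in front of the device and that the administration pages live under `/config/`, as the URL above suggests. The function names and sample lines are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

PROTECTED_PREFIX = "/config/"  # assumption: admin pages live here, per the advisory URL

# Common Log Format fields needed for the check (assumed log format).
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def resolve(target):
    """Path actually served: drop query, percent-decode, collapse dot-segments."""
    path = unquote(target.split("?", 1)[0])
    return "/" + posixpath.normpath(path).lstrip("/")

def classify(line):
    """Return None for benign lines, else 'bypass-likely' or 'attempt'."""
    m = CLF.match(line)
    if not m:
        return None
    raw = m["target"].split("?", 1)[0]
    resolved = resolve(m["target"])
    in_protected = (resolved + "/").startswith(PROTECTED_PREFIX)
    # Only requests whose literal path hides the protected target matter here;
    # a direct /config/ request goes through the normal authentication prompt.
    if not in_protected or raw.startswith(PROTECTED_PREFIX):
        return None
    # Served with a 2xx status and no authenticated user: authorization was skipped.
    if m["status"].startswith("2") and m["user"] == "-":
        return "bypass-likely"
    return "attempt"

# Constructed sample log lines (192.0.2.0/24 is a documentation range).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /cd/../config/html/cnf_gi.htm HTTP/1.0" 200 5120',
    '192.0.2.10 - - [01/Jan/2000:10:00:05 +0000] "GET /cd/%2e%2e/config/html/cnf_gi.htm HTTP/1.0" 401 312',
    '192.0.2.20 - admin [01/Jan/2000:10:01:00 +0000] "GET /config/html/cnf_gi.htm HTTP/1.0" 200 5120',
    '192.0.2.30 - - [01/Jan/2000:10:02:00 +0000] "GET /cd/docs/readme.txt HTTP/1.0" 200 900',
]

def scan(lines):
    """Return (verdict, request line) for every flagged entry."""
    return [(classify(l), l.split('"')[1]) for l in lines if classify(l)]

if __name__ == "__main__":
    for verdict, request in scan(SAMPLE):
        print(verdict, request)
```

A `bypass-likely` hit means the configuration page was served without credentials and the device should be treated as reconfigured until its settings are reviewed.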
Solution
Upgrade to version 4.28 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.