Xerox Document Centre security bypass

xerox-document-security-bypass (19661) The risk level is classified as High Risk

Description:

Xerox Document Centre could allow a remote attacker to bypass security, caused by an unspecified vulnerability in the Web server code on the ESS/Network Controller. A remote attacker could use this vulnerability to bypass security and gain unauthorized access to the Web server directory structure.

Platforms Affected:

  • Xerox, Document Centre 220
  • Xerox, Document Centre 230
  • Xerox, Document Centre 240
  • Xerox, Document Centre 255
  • Xerox, Document Centre 265
  • Xerox, Document Centre 332
  • Xerox, Document Centre 340
  • Xerox, Document Centre 420
  • Xerox, Document Centre 425
  • Xerox, Document Centre 426
  • Xerox, Document Centre 430
  • Xerox, Document Centre 432
  • Xerox, Document Centre 440
  • Xerox, Document Centre 460
  • Xerox, Document Centre 470
  • Xerox, Document Centre 480
  • Xerox, Document Centre 490
  • Xerox, Document Centre 535
  • Xerox, Document Centre 545
  • Xerox, Document Centre 555

Remedy:

Apply the P16_HTTP Access Patch DC4xx_5xx, as listed in XEROX Security Bulletin XRX05-003. See References.

Consequences:

Bypass Security

References:

  • Xerox Office Customer Support Web page, Xerox Office Customer Support at http://www.office.xerox.com/support/.
  • XEROX SECURITY BULLETIN XRX05-003, Vulnerability in the http server on the ESS/Network Controller at http://www.xerox.com/downloads/usa/en/c/cert_XRX05_003.pdf.
  • BID-12783: Xerox Document Centre ESS/Network Controller Web Server Remote Authentication Bypass Vulnerability
  • CVE-2005-1936: Unknown vulnerability in the web server for the ESS/Network Controller for Xerox Document Centre 240 through 555 running System Software 27.18.017 and earlier allows attackers to gain unauthorized access.
  • SA14556: Xerox Document Centre Web Server Unauthorised Access Vulnerability
  • VUPEN/ADV-2005-0255: Xerox Document Centre Web Server Unauthorised Access Vulnerability

Reported:

Mar 11, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
