Details of VAR-200811-0451

ID

VAR-200811-0451

TITLE

3Com AP 8760 bypasses authentication, leaking passwords, and SNMP injection vulnerabilities

Trust: 0.6

sources: CNVD: CNVD-2008-5684

DESCRIPTION

3Com Wireless 8760 Dual-Radio 11a/b/g PoE is a wireless access router for all types of businesses. The HTTP authentication mechanism of the 3Com AP 8760 is as follows: 1. The router checks whether the credentials submitted by the user are valid. 2. If valid, the router's web interface redirects the user to a URL that is only available to authenticated administrative users. Each time an authenticated URL is accessed, no authentication data is sent in the HTTP request, including the password or session ID. The AP simply uses the administrator's source IP address as the authentication data. That is to say, the authentication status only depends on the assumption that the attacker does not know the URL after authentication and the administrator does not share the same source IP address. As long as the administrator URL is accessed from a browser with the same IP address (such as by sharing the same proxy or NAT IP address), the authentication check can be completely bypassed. If you submit a malicious request to the 3Com AP 8760 router, you may also return sensitive data, including the administrator password, on some pages. When changing the system name via SNMP, if a cross-site scripting load is injected on a page such as a login page, the administrator password can be redirected to its own site by overwriting the operational properties of the login form. Successfully exploiting these issues will allow an attacker to obtain administrative credentials, bypass security mechanisms, or run attacker-supplied HTML and script code in the context of the web administration interface. The attacker may then be able to steal cookie-based authentication credentials or control how the site is rendered to the user; other attacks are also possible

Trust: 0.81

sources: CNVD: CNVD-2008-5684 // BID: 32358

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2008-5684

AFFECTED PRODUCTS

vendor:	no	model:	-	scope:	-	version:	-	Trust: 0.6
vendor:	3com	model:	wireless dual-radio 11a/b/g poe	scope:	eq	version:	87600	Trust: 0.3

sources: CNVD: CNVD-2008-5684 // BID: 32358

CVSS

SEVERITY

CVSSV2

CVSSV3

CNVD:	CNVD-2008-5684
value:	HIGH
Trust: 0.6

CNVD:	CNVD-2008-5684
severity:	HIGH
baseScore:	8.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:C/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	COMPLETE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	7.8
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

sources: CNVD: CNVD-2008-5684

THREAT TYPE

network

Trust: 0.3

sources: BID: 32358

TYPE

Unknown

Trust: 0.3

sources: BID: 32358

EXTERNAL IDS

db:	BID	id:	32358	Trust: 0.9
db:	CNVD	id:	CNVD-2008-5684	Trust: 0.6

sources: CNVD: CNVD-2008-5684 // BID: 32358

REFERENCES

url:	http://marc.info/?l=bugtraq&m=122712502118280&w=2	Trust: 0.6
url:	/archive/1/498489	Trust: 0.3
url:	http://www.3com.com/products/en_us/detail.jsp?pathtype=purchase&tab=features&sku=3crwe876075	Trust: 0.3

sources: CNVD: CNVD-2008-5684 // BID: 32358

CREDITS

Adrian Pastor of ProCheckUp Ltd

Trust: 0.3

sources: BID: 32358

SOURCES

db:	CNVD	id:	CNVD-2008-5684
db:	BID	id:	32358

LAST UPDATE DATE

2022-05-17T01:41:48.159000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2008-5684	date:	2015-01-07T00:00:00
db:	BID	id:	32358	date:	2008-11-19T18:04:00

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2008-5684	date:	2008-11-19T00:00:00
db:	BID	id:	32358	date:	2008-11-19T00:00:00