* Xerox WorkCentre Printers Web Interface 21.120.39.000
Vulnerability 1: Backdoor to Mailboxes
For some reasons, Xerox decided to integrate a backdoor into the scan system of the WorkCentre 5665 / 5675 / 5678 web interface. Scan folders ("mailboxes") can be protected with a password. The documentation says on folder passwords:
"A folder password may or may not be required depending on the Scan Policies set by the administrator. If a password is required to create a folder, type the password here. If no password is required by the Scan Policies, you can optionally choose whether or not to password protect your folder."
Some files require a job password. If someone tries to access a private folder without logging in previously, this does not work since a cookie is compared to a precomputed checksum. However there is a script named "YoUgoT_It.php" that creates the correct checksum for any folder. By simply calling the script with the folder name as argument, an attacker can access any folder.
Here is the relevant code from the file folder.php that allows access, if the checksum is correct:
/* see if the private folder is trying to be accessed, without
logging in previously; this can be done by checking to see if
the cookie matches the computed "checksum" */
if ( $gFolderName === $_SESSION['MBOX_FOLDER'] )
// continue on as this is okay
elseif (( false === isset( $_COOKIE[$gFolderName] )) ||
( $theChecksum !== $_COOKIE[$gFolderName] ))
header( "Location: /mailbox/pin.php?" . NAME_KEY .
"=" . $gFolderName ); exit;
Vulnerability 2: Authentication not validated
In multiple instances, when a password is required to access certain pages, the developers seemed to forget the vital "die()" or "exit()" statement after the redirect. This allows an attacker access to multiple pages that would require authentication.
Here are a couple of examples:
As you can see from the code, if the user is logged in, but not an administrator, he is correctly denied access. However if the user is not logged in at all, only a Location-header is sent, but the rest of the script can continue to run.
The very same vulnerability can be found in many cases. In some cases, the authentication is also only in the page that provides only the frameset. The actual content-pages can be called without any authentication at all.