Multiple vulnerabilities in Cisco Video Surveillance Operations Manager
Video conferencing is now becoming a flexible way to have meeting over internet and some magazines are using these systems to record all activities at their shops. this way to track any violation or a problem in their markets. An exploit has been published for the Cisco Video Surveillance Operations Manager version 6.3.2 that allow an attacker to conduct a local file inclusion, access to the system and view the attached cameras or a cross site scripting attack on the vulnerable servers.
cross site scripting is a vulnerability that allow a malicious user to redirect victim to a malicious webpage to steal sensitive information such as web sessions or cookies without victim knowledge and this is a very high risk vulnerability. this should be fixed by the server owner where the web application needs to perform validation for the inputs/outputs for its pages.
spying on the vulnerable server console is also possible where attacker can bypass the authentication using the following url string: http://serverip/broadware.jsp
Security measures for such system should be properly made on the network level to avoid any attack on affected servers this by creating VPN and restricting the access to these systems. While if you are using Cisco Video Surveillance Operations Manager version 6.3.2 you need to upgrade to a fixed version 7.x.
Link to the exploits: http://www.exploit-db.com/exploits/24786/