Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:31578
HistoryDec 29, 2014 - 12:00 a.m.

Vulnerabilities in Samsung SyncThru Web Service

2014-12-2900:00:00
vulners.com
64

Hello 3APA3A!

There are Information Leakage and Insufficient Authorization vulnerabilities in SyncThru Web Service. This is web application for Samsung printers, particularly I found it with Samsung ML-1865W and other printers. Earlier I informed Samsung about it.


Affected products:

Vulnerable are SyncThru Web Service, Network Firmware 6.01 and previous versions (there are 7 different firmware in Samsung ML-1865W, as stated at Firmware Version page).


Details:

Information Leakage (WASC-13):

http://site
http://site:631

There is access without authorization to information about all settings of the printer (read only).

Insufficient Authorization (WASC-02):

In section Print Information it's possible to print test documents without authorization. Thus without login and password it's possible to waste paper and cartridge of the printer.

Also I found other Samsung printers (with earlier version of firmware), where function Direct Print was accessible without authorization. Which allows to print arbitrary documents.

I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/7513/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua