lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <53611BC1.6000604@lsexperts.de>
Date: Wed, 30 Apr 2014 17:50:25 +0200
From: "LSE Leading Security Experts GmbH \(Security Advisories\)" <advisories@...xperts.de>
To: Bugtraq <bugtraq@...urityfocus.com>, fulldisclosure@...lists.org
Subject: LSE Leading Security Experts GmbH - LSE-2014-04-10 - Sitepark IES
 - Unauthenticated Access

=== LSE Leading Security Experts GmbH - Security Advisory 2014-04-10 ===

Sitepark Information Enterprise Server (IES) - Unauthenticated Access
---------------------------------------------------------------------

Affected Versions
=================
Information Enterprise Server (IES) Version 2.9 until 2.9.6

Issue Overview
==============
Technical Risk: high
Likelihood of Exploitation: medium
Vendor: Sitepark GmbH
Credits: LSE Leading Security Experts GmbH employees
  Markus Vervier and Sascha Kettler
Advisory URL: https://www.lsexperts.de/advisories/lse-2014-04-10.txt
Advisory Status: Public
CVE-Number: CVE-2014-3006

Issue Description
=================
While conducting a penetration test LSE Leading Security Experts GmbH
discovered that the installer of the Information Enterprise Server (IES)
was available to unauthenticated users over HTTP.

When updating from previous versions of IES, an installation form was not
disabled after installation. In this case the servlet "/ies/install" was
exposed to unauthenticated users.

By accessing the servlet at URI "/ies/install/" on an affected IES server,
an unauthenticated attacker was able to set a new password for the manager
account. Additionally sensitive information regarding the IES
installation was displayed.

Temporary Workaround and Fix
============================
LSE Leading Security Experts GmbH advises to prevent access to the
URI "/ies/install/" by configuring web servers or proxy servers accordingly.
For example using the Apache webserver a "Directory" directive would be
needed:

<Location /ies/install>
  Order Deny,Allow
  Deny from all
  Satisfy all
</Location>

A hotfix is available from the vendor via the automatic update functionality
for IES versions 2.9 until 2.9.6.

Impact
======
An attacker is able to learn the license key and sensitive directory names
of the IES. Additionally the password for the account "manager" can be
reset which grants full access rights with the management role.

According to the vendor this issue affects only installations that are
updated from previous versions of IES to versions 2.9 until 2.9.6.

History
=======
2014-04-02  Issue discovered
2014-04-03  Vendor informed by customer, Vendor released hotfix and
  updated managed installations
2014-04-16  Permission of customer for advisory
2014-04-16  Direct vendor contact
2014-04-22  Vendor reply
2014-04-27  CVE assigned
2014-04-30  Advisory publicly released


-- 
http://www.lsexperts.de
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Tel: +49 6151 86086-0, Fax: -299
Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Geschaeftsfuehrer: Oliver Michel, Sven Walther


Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ