lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <D44C2D32-EDE6-4229-92BB-90F6230A5998@Christian-Schneider.net>
Date: Sun, 1 Jun 2014 21:37:12 +0200
From: Christian Schneider <mail@...istian-Schneider.net>
To: bugtraq@...urityfocus.com
Subject: CVE-2014-2233 - "Server-Side Request Forgery" (CWE-918) vulnerability in "infoware MapSuite"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



CVE-2014-2233
===================
"Server-Side Request Forgery" (CWE-918) vulnerability in "infoware MapSuite"


Vendor
===================
infoware GmbH


Product
===================
MapSuite


Affected versions
===================
This vulnerability affects versions of MapSuite MapAPI prior to 1.0.36 and 1.1.49


Fixed versions
===================
MapSuite MapAPI 1.0.36 and 1.1.49 
Both patches are available since 2014-03-26.


Reported by
===================
This issue was reported to the vendor by Christian Schneider (@cschneider4711) 
following a responsible disclosure process.


Severity
===================
Medium


Exploitability
===================
No authentication required


Description
===================
Using a specially crafted URL to access the MapAPI it is possible to issue 
HTTP(S) GET requests originating from the attacked server (behind the firewall) 
and to read the response. This enables attackers to access web servers that are not
exposed to be accessed from the internet and thus allows to pivot further into the
targeted network.


Proof of concept
===================
Due to the responsible disclosure process chosen and to not harm unpatched systems, 
no concrete exploit code will be presented in this advisory.


Migration
===================
MapSuite MapAPI 1.0.x users should upgrade to 1.0.36 or later as soon as possible.
MapSuite MapAPI 1.1.x users should upgrade to 1.1.49 or later as soon as possible.


See also
===================
CVE-2014-2232 as another vulnerability in the same module, which can be exploited 
as an Absolute Path Traversal via the same input parameter.


Timeline
===================
2014-02-20        Vulnerability discovered
2014-02-20        Vulnerability responsibly reported to vendor
2014-02-21        Reply from vendor acknowledging report
2014-02-26        Reply from vendor with first patch (version 1.0.34 and 1.1.47)
meanwhile         Testing of the patch by the reporting researcher (Christian Schneider)
2014-03-20        Reported to vendor that first patch could by bypassed
meanwhile         Conversation about fix strategies between vendor and reporting researcher
2014-03-26        Reply from vendor with updated patch (version 1.0.36 and 1.1.49)
meanwhile         Verification of the patch by reporting researcher + vendor informed customers
2014-06-01        Advisory published in coordination with vendor via BugTraq


References
===================
http://www.christian-schneider.net/advisories/CVE-2014-2233.txt



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAlOLV74ACgkQXYAsOfddvFPrWgCgjqejfrV/Ro2b8aC4RQ+UHdGG
AoEAmgN82HZQgDspcd25PJxSBxXWalBw
=nu9C
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ