lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <64892268E6E1E3419169504697FC7E555B1B7C@MXBE02.fhs-hagenberg.ac.at>
Date: Wed, 1 Jul 2009 08:12:58 +0200
From: "Kirchner Michael" <sec08003@...hagenberg.at>
To: <full-disclosure@...ts.grok.org.uk>
Subject: phion airlock Web Application Firewall:

 

Security Advisory

---------------------------------------

Vulnerable Software:     phion airlock Web Application Firewall

Vulnerable Version:        4.1-10.41

Homepage:                        http://www.phion.com/

Found by:                            Michael Kirchner, Wolfgang
Neudorfer, Lukas Nothdurfter (Team h4ck!nb3rg)  

Impact:                                 Remote Denial of Service via
Management Interface (unauthenticated) and Command Execution

 

 

Product Description

---------------------------------------

phion's web application firewall (WAF) airlock provides a unique
combination of protective mechanisms for web applications. Whether you
want to observe PCI DSS, safeguard online banking or protect e-commerce
applications:  airlock ensures sustained and manageable web application
security.

[Source:
http://www.phion.com/INT/products/websecurity/Pages/default.aspx]

 

 

Vulnerability Description

---------------------------------------

The phion airlock Web Application Firewall operates as a reverse proxy
between the clients and the web server to be protected. All HTTP
requests are checked before being forwarded to the web server. The
system can be administered via a seperate management interface which is
normally not accessible for external users. By sending a specially
crafted HTTP GET request an attacker with access to the management
interface (but no authentication needed) is able to conduct a denial of
service attack. The vendor describes the vulnerability as follows:

"The airlock Configuration Center shows many system monitoring charts to
check the system status and history. These images are generated on the
fly by a CGI script, and the image size is part of the URL parameter.
Unreasonably large values for the width and height parameters will cause
excessive resource consumption. Depending on the actual load and the
memory available, the system will be out-of-service for some minutes or
crash completely, making a reboot necessary."

[Source: https://techzone.phion.com/dos-vulnerability-4.1-sysmon-images]

Further research showed that the vulnerability can also be used to
execute arbitrary system commands. This allows attackers to run
operating system commands under the user of the web server
(uid=12359(wwwca) gid=54329(wwwca)).

 

 

Proof of Conept

---------------------------------------

A denial of service or execution of arbitrary system commands can be
accomplished by a single HTTP request if an attacker can reach the
management interface IP address of the WAF. According exploits will not
be published.

 

 

Vulnerable Versions

---------------------------------------

The tested version was 4.1-10.41. Prior versions are also likely to be
vulnerable.

 

 

Patch

---------------------------------------

The vendor provides a hotfix as well as an updated version of the
product. 

The hotfix can be downloaded at:
https://techzone.phion.com/hotfix_HF4112

 

 

Contact Timeline

---------------------------------------

2009-04-27: Vendor informed

2009-04-28: Inital vendor reply

2009-04-29: Vulnerability confirmed and manual workaround available at
phion techzone

2009-05-12: Hotfix and updated version available

2009-07-01: Public release 

 

 

Further information

---------------------------------------

Information about the web application firewall project this advisory
originates from can be found at:

http://www.h4ck1nb3rg.at/wafs/

 

 


Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ