Advisories (2008)

Please read our Vulnerability Disclosure Policy.


HP Quality Center Authentication Bypass

Oct 03, 2008

HP Quality Center versions 9.0 and 9.2 make extensive use of ActiveX components and auxiliary client-side DLLs. During use of the application, a lot of client-side processing takes place. By exploiting the weak trust boundary between the server and the client components, it is possible to bypass authentication for the HP Quality Center administrative pages.


PluggedOut CMS User Authentication Bypass Vulnerability

Jul 31, 2008

The PluggedOut Content Management System allows users to manage the content of their website through a web-based administration portal. The administration is performed through a PHP script and allows authenticated users to manage the website and upload new PHP content. Using this vulnerability an attacker could gain access to the CMS system and would be able to upload new PHP content.


DD-WRT SSID Script Injection Vulnerability

Jul 28, 2008

DD-WRT is a third-party developed firmware released under the terms of the GPL for many IEEE 802.11a/b/g/h/n wireless routers based on a Broadcom or Atheros chip reference design. As a result of the research conducted to produce the paper Behind Enemy Lines it was discovered that the DD-WRT administrative web interface is vulnerable to an SSID script injection attack. An attack could be crafted that could allow remote attackers to fully compromise the device. To resolve this vulnerability it is recommended that the software be upgraded to the latest available version.


pfSense DHCP Script Injection Vulnerability

Jul 28, 2008

pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. As a result of the research conducted to produce the paper Behind Enemy Lines it was discovered that the pfSense firewall 1.0.1 administrative web interface is vulnerable to a DHCP script injection attack. An attack could be crafted to execute commands on the target system with root privileges through the exec.php script provided by the administrative web interface. To resolve this vulnerability it is recommended that the software be upgraded to the latest available version.


IBM Lotus Domino "Accept Language" Stack Overflow Advisory

May 20, 2008

MWR InfoSecurity published an advisory today relating to a stack based buffer overflow vulnerability in IBM Lotus Domino Web Server which can be exploited remotely.

The vulnerability would enable an attacker to execute arbitrary code on the system; in the majority of installations this will be with local SYSTEM privileges.

Users should upgrade to the latest secure version of the product by applying the appropriate vendor provided security fix. The versions not affected by this issue are Lotus Domino 7.0.3 FixPack 1 (FP1) and 8.0.1. Information about the location of updated packages can be discovered at the following location: http://www.ibm.com/support/docview.wss?rs=463&uid=swg21303057


National Rail Live Enquiries Departure Board Gadget Vulnerability

Apr 24, 2008

The National Rail Live Departure Board gadget has been identified as being vulnerable to a script injection attack that could potentially allow remote attackers to execute commands on the target system. An attacker successfully exploiting this vulnerability could execute arbitrary commands in the context of the currently logged-in user.

The National Rail Live Departure Board Sidebar gadget vulnerability is present because of a lack of sufficient sanitisation on arguments passed from the web server to the Sidebar gadget application.

The vendor has addressed this vulnerability and implemented a fix in version 1.1. This version has yet to be tested.

The National Rail Live Enquiries Departure Board Gadget upgrade can be found at the following location: http://gallery.live.com/LiveItemDetail.aspx?li=aef90e44-18cf-4246-b1d9-4ab83e0e13db


IBM Informix Pre-Authentication Stack Overflow

Apr 15, 2008

An advisory has been released today by MWR InfoSecurity relating to a pre-authentication stack overflow in IBM Informix.

The IBM Informix Database service is vulnerable to a stack based buffer overflow which can be exploited remotely before the authentication has been completed.

The vulnerability would enable an attacker to execute arbitrary code on the system with the privileges of the Informix user. By default, this account is a member of the administrators group on a Microsoft Windows system.

The code responsible for parsing the parameters within the first packet of the protocol handshake does not validate the number of arguments it accepts. This results in the ability to overflow a stack buffer which in turn allows arbitrary code to be executed.

The vendor has released updates to resolve this issue; please refer to the following link: http://www-1.ibm.com/support/search.wss?rs=0&q=IC55223&apar=only


Watchguard Firebox User Enumeration Vulnerability

Apr 04, 2008

An advisory has been published today by MWR InfoSecurity relating to a user enumeration vulnerability present in Watchguard Firebox software prior to Version 10. The vendor has released a patch to address the issue which may be downloaded from https://www.watchguard.com/archive/softwarecenter.asp.

The impact of this vulnerability is that password guessing attacks can be performed much more efficiently by conducting them only against those usernames known to be valid. Additionally, these usernames may be valid on other systems and may also aid social engineering attacks.


Interwoven WorkSite - Active X Control Remote Code Execution

Apr 03, 2008

Worksite is a document management and email management solution from Interwoven Inc (Interwoven). Some of the functionality of the application is made available through ActiveX controls which are distributed within the iManFile.cab file. The ActiveX controls were found to be unsafe and permit code to be executed remotely by an attacker who is able to direct a user to a website containing exploit code.

The most serious of these vulnerabilities could enable an attacker to execute arbitrary code on a user’s computer remotely. This code would be executed with the permissions of the user logged into the system. However, other vulnerabilities are present.

The vendor has addressed this vulnerability in their latest service pack (WorkSite Web 8.2 SP1 P2) available from http://worksitesupport.interwoven.com.


IBM Websphere MQ MCAUSER Bypass

Mar 28, 2008

The Websphere MQ service can be used to transfer messages between systems and applications. It is possible to lock down access to channels by setting an invalid MCAUSER. A method of bypassing this authorisation control has been discovered which would enable unauthorised access to be gained.

The vendor has released a fix for this vulnerability and download details are available within the advisory.


IBM Websphere MQ Security Exit Bypass

Mar 28, 2008

The Websphere MQ service can be used to transfer messages between systems and applications. It is possible to protect the channels within the Queue Manager with a security exit which requires that an authentication check be passed before a connection can be established. A method of bypassing this authentication has been discovered which would enable unauthorised access to be gained.

The vendor has released a fix pack that addresses these issues and download details are available within the advisory.


Elastic Path Arbitrary File Systems Access

Mar 07, 2008

An advisory has been released today by MWR InfoSecurity relating to Elastic Path ecommerce software versions 4.1 and 4.1.1.

Multiple input validation vulnerabilities were identified within the Elastic Path application. As a result, directory traversal was possible allowing unrestricted file system access to the remote server. The impact of the vulnerabilities could enable an attacker to upload and download files from arbitrary locations on the affected system.

The vendor has released a patch to address these vulnerabilities. To obtain the patch users must contact the vendor at support@elasticpath.com or http://www.elasticpath.com/support/.


ITN News Sidebar Gadget

Feb 07, 2008

An advisory has been released today by MWR InfoSecurity relating to the ITN News Windows Vista sidebar gadget, which is vulnerable to a script injection attack that could allow remote attackers to execute commands on the target system. The vendor has addressed this vulnerability and implemented a fix in version 1.23. The full advisory, including a link to the upgrade, can be viewed from the download link above.


Meridio Cross Site Scripting Vulnerability

Jan 15, 2008

Meridio Document and Records Management has been identified as being vulnerable to an embedded Cross Site Scripting attack that could potentially allow remote attackers to inject JavaScript into the application. This would then be executed within the context of the browser of the application user. The impact of this attack is only limited by the creativity of the attacker exploiting this vulnerability. The most dangerous form of XSS involves hostile code being permanently stored within the application, meaning the embedded code would be executed by every user accessing the affected page, and this is the case in this instance. Meridio have addressed this vulnerability and implemented a fix in version 4.3 SR1 and higher.