VU#990652: BigAnt IM Message server and components contain multiple vulnerabilities

Vulnerability Note VU#990652
BigAnt IM Message server and components contain multiple vulnerabilities

Original Release date: 09 Jan 2013 | Last revised: 09 Jan 2013

Overview

BigAnt IM Message server and components contain multiple vulnerabilities which could allow an attacker to perform administrative functions on the system.

Description

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) – CVE-2012-6273

During the SHU (search user) request from the BigAnt messaging client, a SQL query is built from a template and sent via an HTTP-like header. Proper sanitization is not performed. It has been reported that this can be demonstrated by opening the BigAnt Messenger Client, logging into a server, and searching for an ‘Account/Full Name’ of blah’ OR hs_User.Col_Pword LIKE ‘[a-z]

CWE-280: Improper Handling of Insufficient Permissions or Privileges – CVE-2012-6274
Arbitrary unauthenticated file upload in BigAnt IM Server. It has been reported that authentication for file uploads is not enforced. Uploaded files were reported to be saved to C:\Program Files\BigAntSoft\AntServer\DocData\Public.

CWE-121: Stack-based Buffer Overflow – CVE-2012-6275
Buffer overflow in the AntDS.exe component of the BigAnt Message server when handling the filename header in SCH requests and the userid component of DUPF requests.

Impact

A remote unauthenticated attacker may obtain sensitive information, cause a denial of service condition or execute arbitrary code with the privileges of the application.

Solution

We are currently unaware of a practical solution to this problem.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent SQLi, unauthenticated file uploads, or denial of service attacks since the attack comes as an HTTP request from a legitimate user’s host. Restricting access would prevent an attacker from accessing a web interface using stolen credentials from a blocked network location.

Vendor Information

Vendor      Status    Date Notified  Date Updated
BigAntSoft  Affected  -              04 Jan 2013

CVSS Metrics

Group          Score  Vector
Base           9.7    AV:N/AC:L/Au:N/C:P/I:C/A:C
Temporal       7.5    E:POC/RL:W/RC:UC
Environmental  1.9    CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

http://cwe.mitre.org/data/definitions/89.html
http://cwe.mitre.org/data/definitions/280.html
http://cwe.mitre.org/data/definitions/121.html
http://www.bigantsoft.com/download.html

Credit

Thanks to hamburgers maccoy for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs:
CVE-2012-6273
CVE-2012-6274
CVE-2012-6275

Date Public:
09 Jan 2013

Date First Published:
09 Jan 2013

Date Last Updated:
09 Jan 2013

Document Revision:
9

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#380039: Ruby on Rails Action Pack framework insecurely typecasts YAML and Symbol XML parameters

Vulnerability Note VU#380039
Ruby on Rails Action Pack framework insecurely typecasts YAML and Symbol XML parameters

Original Release date: 08 Jan 2013 | Last revised: 11 Jan 2013

Overview

The Ruby on Rails Action Pack framework is susceptible to authentication bypass, SQL injection, arbitrary code execution, or denial of service.

Description

The Ruby on Rails advisory states:

“Multiple vulnerabilities in parameter parsing in Action Pack

There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allow attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. This vulnerability has been assigned the CVE identifier CVE-2013-0156.

Versions Affected: ALL versions
Not affected: NONE
Fixed Versions: 3.2.11, 3.1.10, 3.0.19, 2.3.15

Impact
——
The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately the type casting code supported certain conversions which were not suitable for performing on user-provided data including creating Symbols and parsing YAML. These unsuitable conversions can be used by an attacker to compromise a Rails application.

Due to the critical nature of this vulnerability, and the fact that portions of it have been disclosed publicly, all users running an affected release should either upgrade or use one of the workarounds *immediately*.

Releases
——–
The 3.2.11, 3.1.10, 3.0.19 and 2.3.15 releases are available at the normal locations.”

Additional details are available in the full advisory. Exploit code for this vulnerability is publicly available.

Impact

A Ruby on Rails application that uses Action Pack is susceptible to authentication bypass, SQL injection, arbitrary code execution or denial of service.

Solution

Apply an Update

Versions 3.2.11, 3.1.10, 3.0.19, and 2.3.15 have been released to address this vulnerability.

The Ruby on Rails advisory states the following workarounds:

Workarounds
———–
The workarounds differ depending on the Rails version you are using, and whether or not your application needs to support XML Parameters.

Disabling XML Entirely
———————-
Users who don’t need to support XML parameters should disable XML parsing entirely by placing one of the following snippets inside an application initializer.

Rails 3.2, 3.1 and 3.0
———————-
ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)

Rails 2.3
———
ActionController::Base.param_parsers.delete(Mime::XML)

Removing YAML and Symbol support from the XML parser
—————————————————-
If your application must continue to parse XML you must disable the YAML and Symbol type conversion from the Rails XML parser. You should place one of the following code snippets in an application initializer to ensure your application isn’t vulnerable. You should also consider greatly reducing the value of REXML::Document.entity_expansion_limit to limit the risk of entity explosion attacks.

YAML Parameter Parsing
———————-
Rails has also shipped with YAML parameter parsing code; this was only ever enabled by default in Rails 1.1.0, but users who do enable it are vulnerable to all the exploits mentioned above. There is no fix for YAML object injection, so if you have enabled it you must disable it immediately.

For 2.x apps, check whether your app sets `ActionController::Base.param_parsers[Mime::YAML] = :yaml` and snip that out if it does.

For 3.x apps do this to disable:

ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::YAML)

Rails 3.2, 3.1, 3.0
———
ActiveSupport::XmlMini::PARSING.delete("symbol")
ActiveSupport::XmlMini::PARSING.delete("yaml")

Rails 2.3
———
ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('symbol')
ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('yaml')
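To see what the "symbol" and "yaml" entries being deleted above actually do, here is an added Ruby example (not from the CERT note or the Rails advisory) that re-creates the typed-XML parameter conversion in miniature and applies the same deletion workaround to it; the TypedXml module, its PARSING table and the SAMPLE document are constructs of this example, modelled on ActiveSupport::XmlMini::PARSING.

```ruby
# Added example, not Rails code: a miniature of the typed-XML parameter
# conversion behind CVE-2013-0156 and the advisory's "delete the converters"
# workaround applied to it. TypedXml, PARSING and SAMPLE are constructs of
# this example, modelled on ActiveSupport::XmlMini::PARSING.
require "rexml/document"
require "yaml"

module TypedXml
  # Converters keyed by the XML "type" attribute, as the Rails parser did.
  PARSING = {
    "integer" => ->(v) { Integer(v, 10) },
    "boolean" => ->(v) { %w[1 true].include?(v.strip) },
    # The two entries the advisory says to delete: a request selects either
    # of them simply by putting type="symbol" or type="yaml" on an element.
    "symbol"  => ->(v) { v.to_sym },     # Ruby before 2.2 never freed symbols: memory DoS
    "yaml"    => ->(v) { YAML.load(v) }, # YAML.load before Psych 4 built arbitrary objects
  }

  # A constructed request body; the last two elements select the unsafe converters.
  SAMPLE = <<~XML
    <?xml version="1.0"?>
    <params>
      <name>alice</name>
      <age type="integer">42</age>
      <tag type="symbol">admin</tag>
      <opts type="yaml">{a: 1}</opts>
    </params>
  XML

  # Parse the root's child elements into a Hash, converting each value with
  # the converter named by its type attribute; unknown types stay Strings.
  def self.parse(xml, table = PARSING)
    doc = REXML::Document.new(xml)
    doc.root.elements.to_a.each_with_object({}) do |el, h|
      conv = table[el.attributes["type"]]
      text = el.text.to_s
      h[el.name] = conv ? conv.call(text) : text
    end
  end

  # The workaround: a copy of the table without the symbol and yaml converters,
  # equivalent in effect to the advisory's PARSING.delete("symbol") / .delete("yaml").
  def self.hardened(table = PARSING)
    table.reject { |type, _| %w[symbol yaml].include?(type) }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{TypedXml.parse(TypedXml::SAMPLE).inspect}"
  # tag becomes the Symbol :admin and opts a Hash built from attacker-chosen YAML
  puts "hardened:   #{TypedXml.parse(TypedXml::SAMPLE, TypedXml.hardened).inspect}"
  # tag and opts remain plain Strings
end
```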

Vendor Information

Vendor         Status    Date Notified  Date Updated
Ruby on Rails  Affected  -              11 Jan 2013

CVSS Metrics

Group          Score  Vector
Base           10.0   AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       8.7    E:H/RL:OF/RC:C
Environmental  8.7    CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
http://api.rubyonrails.org/files/actionpack/README_rdoc.html
http://www.insinuator.net/2013/01/rails-yaml/
https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156

Credit

This vulnerability was reported to the Ruby on Rails security team by Ben Murphy, Magnus Holm, Felix Wilhelm, Darcy Laycock, Jonathan Rudenberg, Bryan Helmkamp, Benoist Claassen and Charlie Somerville.

This document was written by Jared Allar.

Other Information

CVE IDs:
CVE-2013-0156

Date Public:
08 Jan 2013

Date First Published:
08 Jan 2013

Date Last Updated:
11 Jan 2013

Document Revision:
22

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#856892: Centreon 2.3.3 through 2.3.9-4 blind sqli injection vulnerability.

Vulnerability Note VU#856892
Centreon 2.3.3 through 2.3.9-4 blind sqli injection vulnerability.

Original Release date: 12 Dec 2012 | Last revised: 12 Dec 2012

Overview

Centreon 2.3.3 through 2.3.9-4 contains a blind SQL injection vulnerability.

Description

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

Centreon 2.3.3 through 2.3.9-4 contains a blind SQL injection vulnerability. The vulnerability is found in the ‘menu’ parameter of the menuXML.php file. It was reported that by injecting a payload after the menu parameter, for example ‘

VU#795644: Esri ArcGIS server 10.1 contains a blind SQL injection vulnerability

Vulnerability Note VU#795644
Esri ArcGIS server 10.1 contains a blind SQL injection vulnerability

Original Release date: 09 Nov 2012 | Last revised: 19 Nov 2012

Overview

Esri’s ArcGIS server version 10.1 contains a blind SQL injection vulnerability that allows remote attackers to execute a subset of SQL commands via a query operation where clause.

Description

The Esri ArcGIS server version 10.1 contains a blind SQL injection vulnerability (CWE-89) for REST service queries. The where form field when constructing a query does not properly sanitize SQL commands from the input.

Proof-of-Concept:
http://:6080/arcgis/rest/services//query?f=json&where=featured%3Dtrue&returnGeometry=true&spatialRel=esriSpatialRelIntersects

Impact

A remote authenticated attacker may be able to run a subset of SQL commands against the back-end database.

Solution

Apply an Update

Esri released an update to ArcGIS Server 10.1 Service Pack 1. If you cannot patch, please consider the following workarounds.

Disable the query

The query operation may be disabled via ArcGIS Manager for each service.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent SQLi attacks since the attack comes as an SQL request from a legitimate user’s host. Restricting access would prevent an attacker from accessing a web interface using stolen credentials from a blocked network location.

Vendor Information

Vendor                                          Status    Date Notified  Date Updated
Environmental Systems Research Institute Inc    Affected  25 Sep 2012    07 Nov 2012

CVSS Metrics

Group          Score  Vector
Base           6.5    AV:N/AC:L/Au:S/C:P/I:P/A:P
Temporal       5.9    E:POC/RL:U/RC:C
Environmental  4.4    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

http://support.esri.com/en/downloads/patches-servicepacks/view/productid/66/metaid/1930
http://support.esri.com/en/knowledgebase/techarticles/detail/40665
http://www.esri.com/software/arcgis/arcgisserver
http://support.esri.com/en/downloads/patches-servicepacks
http://cwe.mitre.org/data/definitions/89.html

Credit

Thank you to the reporter that wishes to remain anonymous.

This document was written by Jared Allar.

Other Information

CVE IDs:
CVE-2012-4949

Date Public:
29 Oct 2012

Date First Published:
09 Nov 2012

Date Last Updated:
19 Nov 2012

Document Revision:
31

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#427547: Agile FleetCommander and FleetCommander Kiosk versions prior to 4.08 contain multiple vulnerabilities

Vulnerability Note VU#427547
Agile FleetCommander and FleetCommander Kiosk versions prior to 4.08 contain multiple vulnerabilities

Original Release date: 07 Nov 2012 | Last revised: 07 Nov 2012

Overview

Agile FleetCommander and FleetCommander Kiosk were found to have multiple XSS, CSRF, information disclosure and SQLi vulnerabilities.

Description

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) – CVE-2012-4941

SQL Injection Vulnerabilities: Multiple query string parameters for both authenticated and unauthenticated users are not properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) – CVE-2012-4942
Persistent XSS Vulnerabilities: The application’s web interface allows users to provide text input into many fields which are stored in a database and displayed back to the user in various places. Input passed to all text fields in the application is not properly sanitized before being displayed to users. This can be exploited to execute arbitrary HTML and script code in a user’s browser session.

CWE-352: Cross-Site Request Forgery (CSRF) – CVE-2012-4943
CSRF Vulnerabilities: The application’s web interface allows users to perform many actions via HTTP POST requests without performing any validity checks to verify the requests. This can be exploited to change the administrator’s or a user’s password, create new user accounts, delete user accounts, grant additional site permissions, and more, by tricking a logged-in administrator or other user into visiting a malicious web site.

CWE-280: Improper Handling of Insufficient Permissions or Privileges – CVE-2012-4944
Unrestricted File Upload Vulnerabilities: The application has several pages that are available to unauthenticated users where arbitrary files are able to be uploaded onto the system. This can be exploited to upload arbitrary files to the system and could be used to compromise the system.

CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’) – CVE-2012-4945
Unauthenticated Site Actions: The application has several pages that could be exploited to allow an unauthenticated user to perform actions in the application that only an authenticated user should be able to perform.

CWE-326: Inadequate Encryption Strength – CVE-2012-4946
Reversible Encrypted Password Vulnerability: The user passwords for the application are stored in a reversible XOR encrypted format. If a malicious user is able to obtain the encrypted passwords, they could be decrypted. A password key and the encryption/decryption function are located in a file.

CWE-312: Cleartext Storage of Sensitive Information – CVE-2012-4947
Information Disclosure Vulnerabilities: The application has several pages that can be exploited by malicious users to disclose potentially sensitive information. Database connection information including clear text credentials are stored in a file.

Impact

A remote unauthenticated attacker may obtain sensitive information, cause a denial of service condition or execute arbitrary code with the privileges of the application.

Solution

Update

The vendor has stated that these vulnerabilities have been addressed in version 4.08, version 4.08.01 and version 4.09.00. The vendor recommends that users update to version 4.09.00 or higher.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS or CSRF attacks since the attack comes as an HTTP request from a legitimate user’s host. Restricting access would prevent an attacker from accessing a web interface using stolen credentials from a blocked network location.

Vendor Information

Vendor               Status    Date Notified  Date Updated
Agile FleetCommander  Affected  14 Mar 2012    30 Oct 2012

CVSS Metrics

Group          Score  Vector
Base           10.0   AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       7.0    E:POC/RL:OF/RC:UC
Environmental  1.8    CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

http://cwe.mitre.org/data/definitions/89.html
http://cwe.mitre.org/data/definitions/79.html
http://cwe.mitre.org/data/definitions/352.html
http://cwe.mitre.org/data/definitions/280.html
http://cwe.mitre.org/data/definitions/77.html
http://cwe.mitre.org/data/definitions/326.html
http://cwe.mitre.org/data/definitions/312.html
http://www.agilefleet.com/

Credit

Thanks to Travis Lee for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs:
CVE-2012-4941
CVE-2012-4942
CVE-2012-4943
CVE-2012-4944
CVE-2012-4945
CVE-2012-4946
CVE-2012-4947

Date Public:
07 Nov 2012

Date First Published:
07 Nov 2012

Date Last Updated:
07 Nov 2012

Document Revision:
25

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#180091: VeriCentre web application SQL injection vulnerability

Vulnerability Note VU#180091
VeriCentre web application SQL injection vulnerability

Original Release date: 06 Nov 2012 | Last revised: 06 Nov 2012

Overview

The VeriCentre web application contains a SQL injection vulnerability.

Description

CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

The VeriCentre web application contains a SQL injection vulnerability within the TerminalId, ModelName, and ApplicationName parameters.

Additional information can be found in the vulnerability reporter’s advisory.

Impact

A remote authenticated attacker may be able to issue commands against the database.

Solution

Update

The vendor has stated that these vulnerabilities have been addressed in Web Console 2.2 build 36. The vendor recommends that users update to Web Console 2.2 build 36 or higher.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent SQLi attacks since the attack comes as an SQL request from a legitimate user’s host. Restricting access would prevent an attacker from accessing a web interface using stolen credentials from a blocked network location.

Vendor Information

Vendor    Status    Date Notified  Date Updated
Verifone  Affected  24 Sep 2012    01 Nov 2012

CVSS Metrics

Group          Score  Vector
Base           3.5    AV:N/AC:M/Au:S/C:P/I:N/A:N
Temporal       2.7    E:POC/RL:OF/RC:ND
Environmental  0.9    CDP:L/TD:L/CR:ND/IR:ND/AR:ND

References

http://global.verifone.com/products/software/estate-management/vericentre
http://www.clearskies.net/documents/css-advisory-css1211-vericentre.pdf

Credit

Thanks to Cory Eubanks, Clear Skies Security LLC, for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs:
CVE-2012-4951

Date Public:
06 Nov 2012

Date First Published:
06 Nov 2012

Date Last Updated:
06 Nov 2012

Document Revision:
7

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#777007: Ipswitch WhatsUp Gold 15.02 contains SQL injection and XSS vulnerabilities

Vulnerability Note VU#777007
Ipswitch WhatsUp Gold 15.02 contains SQL injection and XSS vulnerabilities

Original Release date: 04 Sep 2012 | Last revised: 04 Sep 2012

Overview

Ipswitch WhatsUp Gold 15.02 has been reported to contain blind SQL injection and cross-site scripting vulnerabilities.

Des…