Advisory: WebTitan Multiple Vulnerabilities

Sec-1 Security Advisory
Advisory Name : WebTitan Multiple Vulnerabilities
Release Date : 19/10/2011
Application : WebTitan version 3.50 (Build 183)
Platform : VMWare Appliance
Severity : SQL injection, Command injection, Dir Traversal
Author : Richard Conner
Vendor Status : Fixed in Version 3.60
Website : https://www.sec-1.com/blog
Product Overview:
Taken from: http://www.webtitan.com/products

WebTitan is a complete internet monitoring software (web filter) which provides organisations protection for their data from malware and other internet threats such as viruses, spyware and phishing as well as providing user policy browsing tools to ensure corporate internet policy is adhered to.
Vulnerability Summary:
A number of security issues were identified in version 3.50 (Build 183). A SQL injection attack within the authentication component can be leveraged to recover the password hashes of valid users. Once authenticated access is obtained, further attacks are possible: additional SQL injection flaws, a command injection flaw providing access to the underlying FreeBSD O/S, and a directory traversal flaw can all be exploited.
Exploit 1: PRE Auth – Blind SQL Injection
The following vulnerability was identified:

Login Page: http://172.31.1.25/login.php

This vulnerable component can be accessed without authenticating. The affected script provides a web interface to the authentication component of the application. Once logged in, it is possible to perform any administrative task, including user administration and running diagnostics.

Vulnerable Script: /login-x.php

Vulnerable POST request:
jaction=login&language=en_US&username=admin&password=hiadmin
Vulnerable Parameter: username
Database: POSTGRES

It is possible to perform blind SQL injection within the username parameter to recover the contents of various tables from the public schema, including the admin table, which contains the username and an MD5 hash of the password for each administrative account.

Exploit 2: POST Auth – SQL Injection
Once authenticated, either by exploiting the pre-auth SQL injection flaw or through a known administrative account (default credentials, brute force, etc.), it is possible to perform several further SQL injection attacks against the following:

Vulnerable Script: /urls-x.php

Vulnerable POST Parameters: bldomain, wldomain, temid
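The root cause behind Exploits 1 and 2 is the same: user-supplied parameters are concatenated into SQL statement text. The fix in both cases is a parameterised query, where the driver sends the value separately from the statement so quotes and keywords in the input are treated as data. The following is an added example, not WebTitan code and not Sec-1's; it uses an in-memory sqlite3 table as an offline stand-in for the PostgreSQL admin table, and the table and column names are assumptions.

```python
import hashlib
import hmac
import sqlite3


def make_demo_db():
    """Constructed stand-in for the appliance's admin table (sqlite3, not PostgreSQL)."""
    conn = sqlite3.connect(":memory:")
    # Column names are assumptions for this example, not taken from WebTitan.
    conn.execute("CREATE TABLE admin (username TEXT PRIMARY KEY, password_md5 TEXT)")
    # Unsalted MD5 mirrors what the advisory reports the appliance stores; a real
    # deployment should use a slow, salted password hash (bcrypt, scrypt, argon2).
    conn.execute(
        "INSERT INTO admin VALUES (?, ?)",
        ("admin", hashlib.md5(b"hiadmin").hexdigest()),
    )
    conn.commit()
    return conn


def find_admin(conn, username):
    """Look up an admin row by username using a bound parameter.

    The '?' placeholder is filled in by the driver, never by string formatting,
    so a username such as "admin' OR 1=1 --" is compared as a literal and
    simply matches no row.
    """
    return conn.execute(
        "SELECT username, password_md5 FROM admin WHERE username = ?",
        (username,),
    ).fetchone()


def verify_login(conn, username, password):
    """Return True only if the username exists and the password hash matches."""
    row = find_admin(conn, username)
    if row is None:
        return False
    candidate = hashlib.md5(password.encode("utf-8")).hexdigest()
    # Constant-time comparison avoids leaking how much of the hash matched.
    return hmac.compare_digest(candidate, row[1])


if __name__ == "__main__":
    db = make_demo_db()
    print(verify_login(db, "admin", "hiadmin"))            # True
    print(find_admin(db, "admin' OR 1=1 --"))               # None
```

In PHP against PostgreSQL the same separation is achieved with pg_query_params() or PDO prepared statements; the same treatment applies to the bldomain, wldomain and temid parameters of /urls-x.php.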

Exploit 3: POST Auth – Command Injection
The Traceroute and Ping functionality, when invoked by an authenticated user, can be abused to have the script execute an additional command. Appending two ampersand characters (&&) to the Ping or Traceroute target causes the script to run the text that follows as a second shell command. The returned data is displayed within the diagnostic message in the user's web browser.

Example:

http://172.31.1.25/tools.php#tab0

127.0.0.1 && cat /etc/passwd

This will display the contents of the password file, which lists the FreeBSD users and their privileges.
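The diagnostic tools only ever need a single host as input, so the defensive fix is to allow-list the target (a literal IP address or a plain hostname) and to invoke the tool without a shell, as an argument vector. The example below is added here and is not WebTitan's code; the binary paths and the ping option are assumptions for a FreeBSD host, and the hostname regex is a constructed RFC 1123 label check.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, no leading or
# trailing hyphen, whole name at most 253 characters (constructed regex).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Fixed argument vectors; paths are assumptions for a FreeBSD appliance.
ALLOWED_TOOLS = {
    "ping": ["/sbin/ping", "-c", "4"],
    "traceroute": ["/usr/sbin/traceroute"],
}


def validate_target(target):
    """Return a normalised target if it is an IP address or plain hostname, else None."""
    target = target.strip()
    try:
        # Accepts IPv4 and IPv6 literals; rejects anything with extra text.
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    # Spaces, '&', ';', '|', '/', a leading '-' (option injection) all end here.
    return None


def build_diagnostic_argv(tool, target):
    """Assemble the exact argv to execute, or raise ValueError."""
    if tool not in ALLOWED_TOOLS:
        raise ValueError("unknown tool")
    host = validate_target(target)
    if host is None:
        raise ValueError("invalid target")
    return ALLOWED_TOOLS[tool] + [host]


def run_diagnostic(tool, target, timeout=30):
    """Run the tool with execve-style argv: no shell ever parses the input."""
    argv = build_diagnostic_argv(tool, target)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    print(build_diagnostic_argv("ping", "127.0.0.1"))
    try:
        build_diagnostic_argv("ping", "127.0.0.1 && cat /etc/passwd")
    except ValueError as exc:
        print("rejected:", exc)
```

Because the argument vector is passed straight to the process without a shell, metacharacters in the input have no meaning even if validation were bypassed; the allow-list on the target additionally stops option injection such as a value beginning with "-".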

Exploit 4: POST Auth – Dir Traversal
Example:

http://[HOST_IP]//logs-x.php?jaction=view&fname=../../../../../etc/passwd
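A log viewer such as /logs-x.php should never open the file name it is handed; it should map the name onto a fixed directory and refuse anything that resolves outside it. The example below is added here and is not WebTitan's code; the log directory location is an assumption, and make_demo_log_dir() builds a constructed directory so the check can be exercised offline.

```python
import os
import re
import tempfile

# Directory the viewer is allowed to serve from (assumed path, not the appliance's).
LOG_DIR = "/var/log/webtitan"

# Allow-list for the name itself: no path separators, so "../" cannot be formed.
_FNAME_RE = re.compile(r"[A-Za-z0-9_.-]+")


def safe_log_path(fname, log_dir=LOG_DIR):
    """Return the canonical path of fname inside log_dir, or None if not permitted."""
    if not _FNAME_RE.fullmatch(fname) or fname in (".", ".."):
        return None
    # Second, independent check: realpath resolves ".." and symlinks, and the
    # result must still sit strictly below the log directory.
    base = os.path.realpath(log_dir)
    candidate = os.path.realpath(os.path.join(base, fname))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def read_log(fname, log_dir=LOG_DIR, max_bytes=1 << 20):
    """Read at most max_bytes of a permitted log file; raise on a rejected name."""
    path = safe_log_path(fname, log_dir)
    if path is None:
        raise PermissionError("log name not permitted: %r" % fname)
    with open(path, "rb") as fh:
        return fh.read(max_bytes)


def make_demo_log_dir():
    """Create a constructed log directory with one sample file and return its path."""
    d = tempfile.mkdtemp(prefix="demo-logs-")
    with open(os.path.join(d, "access.log"), "w") as fh:
        fh.write("constructed sample log line\n")
    return d


if __name__ == "__main__":
    d = make_demo_log_dir()
    print(read_log("access.log", d))
    print(safe_log_path("../../../../../etc/passwd", d))   # None
```

Both checks are kept on purpose: the name allow-list is the primary control, and the realpath comparison catches cases the allow-list does not express, such as a symlink inside the log directory pointing elsewhere.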

Vendor Response:
These issues were resolved in version 3.60
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the following names to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
CVE : CVE-2011-4638 (SQL Injection Issues)
CVE : CVE-2011-4639 (POST Auth. Command Injection Issues)
CVE : CVE-2011-4640 (POST Auth. Dir Traversal)
Copyright 2011 Sec-1 LTD. All rights reserved.