Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22110
HistoryJul 03, 2009 - 12:00 a.m.

phion airlock Web Application Firewall: Remote Denial of Service via Management Interface (unauthenticated) and Command Execution

2009-07-0300:00:00
vulners.com
38
JSON

Security Advisory

Vulnerable Software: phion airlock Web Application Firewall
Vulnerable Version: 4.1-10.41
Homepage: http://www.phion.com/
Found by: Michael Kirchner, Wolfgang Neudorfer,
Lukas Nothdurfter (Team h4ck!nb3rg)
Impact: Remote Denial of Service via Management
Interface (unauthenticated) and Command Execution

Product Description

phion's web application firewall (WAF) airlock provides a unique
combination of protective mechanisms for web applications. Whether you
want to observe PCI DSS, safeguard online banking or protect e-commerce
applications: airlock ensures sustained and manageable web application
security.
[Source:
http://www.phion.com/INT/products/websecurity/Pages/default.aspx]

Vulnerability Description

The phion airlock Web Application Firewall operates as a reverse proxy
between the clients and the web server to be protected. All HTTP
requests are checked before being forwarded to the web server. The
system can be administered via a seperate management interface which is
normally not accessible for external users. By sending a specially
crafted HTTP GET request an attacker with access to the management
interface (but no authentication needed) is able to conduct a denial of
service attack. The vendor describes the vulnerability as follows:
"The airlock Configuration Center shows many system monitoring charts to
check the system status and history. These images are generated on the
fly by a CGI script, and the image size is part of the URL parameter.
Unreasonably large values for the width and height parameters will cause
excessive resource consumption. Depending on the actual load and the
memory available, the system will be out-of-service for some minutes or
crash completely, making a reboot necessary."
[Source: https://techzone.phion.com/dos-vulnerability-4.1-sysmon-images]
Further research showed that the vulnerability can also be used to
execute arbitrary system commands. This allows attackers to run
operating system commands under the user of the web server
(uid=12359(wwwca) gid=54329(wwwca)).

Proof of Conept

A denial of service or execution of arbitrary system commands can be
accomplished by a single HTTP request if an attacker can reach the
management interface IP address of the WAF. According exploits will not
be published.

Vulnerable Versions

The tested version was 4.1-10.41. Prior versions are also likely to be
vulnerable.

Patch

The vendor provides a hotfix as well as an updated version of the
product.
The hotfix can be downloaded at:
https://techzone.phion.com/hotfix_HF4112

Contact Timeline

2009-04-27: Vendor informed
2009-04-28: Inital vendor reply
2009-04-29: Vulnerability confirmed and manual workaround available at
phion techzone
2009-05-12: Hotfix and updated version available
2009-07-01: Public release

Further information

Information about the web application firewall project this advisory
originates from can be found at:
http://www.h4ck1nb3rg.at/wafs/

JSON