Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:28770
HistoryNov 18, 2012 - 12:00 a.m.

SEC Consult SA-20121115-0 :: Applicure dotDefender WAF format string vulnerability

2012-11-1800:00:00
vulners.com
18
JSON

SEC Consult Vulnerability Lab Security Advisory < 20121115-0 >

          title: Applicure dotDefender WAF format string vulnerability
        product: dotDefender for Linux/Apache

vulnerable version: <= 4.26
fixed version: 5.00
CVE number: -
impact: Medium (needs preconditions)
homepage: http://www.applicure.com/Products/dotdefender
found: 2012-10-13
by: Bernhard Mueller
SEC Consult Vulnerability Lab
https://www.sec-consult.com

Vendor/product description:

dotDefender is a web application security solution (a Web Application
Firewall, or WAF) that offers strong, proactive security for your websites and
web applications.

URL: http://www.applicure.com/Products/dotdefender

Vulnerability overview/description:

dotDefender displays an error page when blocking an attack. The error page is
generated from a template which can contain various template variables. These
variables are expanded into a buffer first, the result of which is then passed
to AP_PRINTF() without checking for format string identifiers. Any remaining
format strings are interpreted by AP_PRINTF(), allowing for a format string
injection attack.

This is immediately exploitable by an unauthenticated attacker if the <%IP%>
template tag is used in the error page (not the case in the default template).
In this case an attacker can inject format strings in the "Host"-header. Other
attack vectors may exist if the attacker manages to access the dotDefender web
interface which requires a password.

Successful exploitation allows an attacker to execute arbitrary code on the
server.

Proof of concept:

No proof-of-concept exploit will be released.

Vulnerable / tested versions:

The vulnerability has been tested with dotDefender 4.26 for Linux/Apache.

dotDefender for Windows is not affected.

Vendor contact timeline:

2012-10-17: Contacted vendor
2012-11: Fixed version is released
2012-11-15: SEC Consult releases security advisory

Solution:

Upgrade to at least version 5.00 of dotDefender for Linux:

http://www.applicure.com/download-latest

Advisory URL:

https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

The SEC Consult Group

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
www.sec-consult.com


Office Singapore
4 Battery Road
#25-01 Bank of China Building
Singapore &#40;049908&#41;
Mail: office at sec-consult dot sg


Check out our blog at:

http://blog.sec-consult.com/


And this thing here:

http://wordpress.org/extend/plugins/mvis-security-center/


EOF B. Mueller / November 2012
JSON