Applicure Technologies response
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Applicure Technologies response
- From: tomer@xxxxxxxxxxxxx
- Date: 8 Dec 2009 17:30:27 -0000
On November 30th 2009, an anonymous person published a method that lets authenticated
dotDefender administrators run limited shell commands through remote command execution
via a POST parameter. The method was successfully tested against dotDefender 3.X for
Apache on Linux/UNIX platforms (http://www.securityfocus.com/archive/1/508124).
Yesterday, December 2nd 2009, Applicure issued a fix for this issue, available
at http://www.applicure.com/downloads/misc/index1.tar.gz.
Extracting index1.cgi from that archive and replacing the existing file at
/usr/local/APPCure-full/lib/admin/index1.cgi with it suffices to harden the
administrative console against this vulnerability.
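An added helper for applying that replacement on a shell (this is not Applicure's own code; only the archive name and the install path come from the advisory, the function name and the backup scheme are assumed). It refuses to touch the installed file unless the archive really contains index1.cgi, keeps a backup for rollback, and overwrites the existing file in place so its mode and owner, which Apache relies on to execute the CGI, are unchanged:

```shell
#!/bin/sh
# Apply the vendor's index1.cgi replacement.
# Usage: apply_index1_fix index1.tar.gz [/path/to/installed/index1.cgi]
# The second argument defaults to the path named in the advisory.
apply_index1_fix() {
    tarball=$1
    target=${2:-/usr/local/APPCure-full/lib/admin/index1.cgi}
    tmpdir=$(mktemp -d) || return 1

    # Unpack into a scratch directory first; nothing on disk changes yet.
    if ! tar -xzf "$tarball" -C "$tmpdir" 2>/dev/null; then
        echo "cannot extract $tarball" >&2; rm -rf "$tmpdir"; return 1
    fi
    newfile=$(find "$tmpdir" -type f -name index1.cgi | head -n 1)
    if [ -z "$newfile" ]; then
        echo "index1.cgi not found in $tarball" >&2; rm -rf "$tmpdir"; return 1
    fi
    if [ ! -f "$target" ]; then
        echo "$target does not exist; is dotDefender installed here?" >&2
        rm -rf "$tmpdir"; return 1
    fi

    # Keep the old CGI (with its mode) so the change can be reverted,
    # then copy the new contents over the original file. Writing through
    # the existing inode preserves mode and ownership, so the CGI stays
    # executable for the Apache process.
    backup="$target.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$target" "$backup" || { rm -rf "$tmpdir"; return 1; }
    cat "$newfile" > "$target" || { rm -rf "$tmpdir"; return 1; }
    rm -rf "$tmpdir"
    echo "installed new index1.cgi over $target (backup: $backup)"
}
```

Run it as root on the dotDefender host after downloading the archive; the backup file is left beside the CGI for rollback.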
Nevertheless, at no time have dotDefender users been under any type of threat,
due to the following:
1. This vulnerability does not compromise the dotDefender Web Application Firewall.
2. A user must be logged into the administrative console, effectively possessing
administrative privileges on the Web server itself.
3. The consequent freedom of action is restricted to the Apache process privileges.
Applicure does not recommend that Web server administrators try the
above-mentioned attack on their dotDefender installation.
In any case, other, non-privileged users will not be able to execute this
attack.
Applicure encourages security testers to report any vulnerability that may be
found in its products through a formal appeal, acting responsibly and allowing at
least a week's notice to fix the vulnerability, as is customary in the
information security community, before publishing it.
For any additional information or inquiries, please contact the Applicure support
team.
Raviv Raz
Product Manager
Applicure Technologies
raviv_at_applicure_dot_com