[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] FW: Re[2]: Radware AppWall Web Application Firewall: Source code disclosure on management interface

To: <3APA3A@xxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] FW: Re[2]: Radware AppWall Web Application Firewall: Source code disclosure on management interface
From: "Shaked Vax" <ShakedV@xxxxxxxxxxx>
Date: Mon, 6 Jul 2009 15:18:41 +0300

Hello Vladimir

Let's clarify what is the .inc vulnerability all about:
In order to take advantage of this vulnerability one needs to:
1. Have access to internal AppWall management URL
2. Have credentials (user and password) of the AppWall Web Interface. Without 
the credentials one cannot access the  /Management/ folder at all !

Once you have access to the .inc file you can retrieve the server's source 
code. In most applications it is not "a good practice" (to say the least) to 
expose your source code even your authenticated users.

In AppWall's case there is nothing interesting to hide in the inc files, since 
if you have credentials, and you are looking to cause harm to the system, you 
can simply shutdown the AppWall service, change its IP address etc'. PHP source 
code is not interesting in this case.

This is not a critical issue and should be taken in relevant proportions.

Regards,
Shaked Vax

-----Original Message-----
From: Vladimir '3APA3A' Dubrovin [mailto:3APA3A@xxxxxxxxxxxxxxxx] 
Sent: Friday, July 03, 2009 15:58 PM
To: Shaked Vax
Cc: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re[2]: [Full-disclosure] radware AppWall Web Application Firewall: 
Source code disclosure on management interface

Dear Shaked  Vax,

 Are  you  sure  Radware  Team have analysed reflected attack via user's
 browser  (AppWall  administrator visits malcrafted page, page redirects
 his request to AppWall) before excluding remote vector?

--Thursday, July 2, 2009, 3:23:16 PM, you wrote to 
full-disclosure@xxxxxxxxxxxxxxxxx:

SV> Radware team has completed analysis of the reported issue, concluding
SV> that no AppWall customer using the product  according to Radware
SV> deployment recommendations would be exposed to vulnerability as a result
SV> of this issue. This is due to the facts that this issue exists only on
SV> the management interface that is recommended to be connection to
SV> internal LAN only, and that it does not allow performing any actions
SV> that would influence machine functionality.
SV>  Nevertheless, in order to enforce our commitment to deliver top
SV> security solution to our customers, Radware will supply a fix for this
SV> issue within its upcoming AppWall release.

SV> Shaked Vax
SV> AppWall Product Manager 
SV> ShakedV@xxxxxxxxxxx 
 

SV> _______________________________________________
SV> Full-Disclosure - We believe in it.
SV> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
SV> Hosted and sponsored by Secunia - http://secunia.com/


-- 
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/
Но Гарри... я безусловно отдаю предпочтение ему, за
высокую питательность и какое-то особенно нежное мясо. (Твен)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] Oops! About xscreensaver 5.01
Next by Date: Re: [Full-disclosure] One Click Ownage [White Paper and Scripts]
Previous by thread: Re: [Full-disclosure] Oops! About xscreensaver 5.01
Next by thread: [Full-disclosure] HTTP Verb Tampering
Index(es):
- Date
- Thread