[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] elproLOG MONITOR WebAccess 2.1 - Multiple Web Vulnerabilities
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] elproLOG MONITOR WebAccess 2.1 - Multiple Web Vulnerabilities
- From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 03 Oct 2013 02:29:34 +0200
Title:
======
elproLOG MONITOR WebAccess 2.1 - Multiple Web Vulnerabilities
Date:
=====
2013-09-24
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1086
VL-ID:
=====
1086
Common Vulnerability Scoring System:
====================================
6.7
Introduction:
=============
Web-based access to your monitoring data. elproLOG MONITOR WebAccess enables
you to reliably access your data from any computer
anywhere in the world. Regular it will be used in combination with a
surveillance cam and dvr system too.
(Copy of the Vendor Homepage:
http://www.elpro.com/en/products/software/product/elprolog-monitor-webaccess/pa/single/pc/product/
)
Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities
in the elproLOG MONITOR WebAccess v2.1 web-application.
Report-Timeline:
================
2013-09-24: Public Disclosure (Vulnerability Laboratory)
Status:
========
Published
Affected Products:
==================
ELPRO-BUCHS AG
Product: elproLOG MONITOR-WebAccess 2.1
Exploitation-Technique:
=======================
Remote
Severity:
=========
High
Details:
========
1.1
A remote blind SQL Injection web vulnerability is detected in the ELPRO
elproLOG MONITOR WebAccess v2.1 Web-Application.
The SQL Injection vulnerability allows an attacker (remote) to execute/inject
own SQL commands in the vulnerable
web-application database management system.
The sql injection vulnerability is located in the strend.php file. Remote
attackers can inject own sql commands by
attacking via http GET method request the affected id parameter of the
vulnerable strend.php file.
Exploitation of the sql injection vulnerabilities requires no or a low
privileged application user account and no user interaction.
Successful exploitation of the vulnerability results in database management
system & application compromise via remote sql injection.
Vulnerable Module(s):
[+] Trends
Vulnerable File(s):
[+] strend.php
Vulnerable Parameter(s):
[+] id
1.2
A non persistent input validation vulnerability is detected in the elproLOG
MONITOR WebAccess v2.1 Web-Application.
The bug allows remote attackers to force client side browser requests with
manipulated web application context or
cross site links.
The first cross site scripting web vulnerability is located in the
sensorview.php module when processing to load
a manipulated data parameter via GET. The attacker provokes the
exception-handling to catch the invalid data error
with the injected script code (client-side).
The secound cross site scripting web vulnerability is located in the strend.php
module when processing to load
a manipulated name parameter via GET. The attacker provokes the
exception-handling to catch the invalid trend id
error with the injected script code (client-side).
The vulnerability can be exploited by remote attackers without required
application user account but with low or
medium required user interaction. Successful exploitation of the vulnerability
results in client side session hijacking,
account take-over, client side phishing, client side external redirects and
client side manipulation of module context.
Vulnerable Module(s):
[+] sensorview
[+] trends
Vulnerable File(s):
[+] sensorview.php
[+] strend.php
Vulnerable Parameter(s):
[+] data
[+] name
Proof of Concept:
=================
1.1 - SQL Injection
The remote sql injection web vulnerability can be exploited by remote attackers
without privileged application user account or
user interaction. For demonstration or reproduce ...
PoC:
http://elpro.localhost:8080/elpro/strend.php?data=8331&id=1+1%27'[SQL INJECTION
VULNERABILITY]--&name=1
1.2 - Client Side Cross Site Scripting
The client side cross site scripting web vulnerability can be exploited by
remote attackers without privileged application user account or
user interaction. For demonstration or reproduce ...
PoC:
http://elpro.localhost:8080/elpro-demo/sensorview.php?data=ECOLOG-NET%20Testing-1%27%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28document.cookie%29%3C
Exception: Group: ECOLOG-NET Testing->"<
PoC:
http://elpro.localhost:8080/elpro-demo/strend.php?data=8331&id=0&name=->"<%27%27%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28document.cookie%29%3C
Exception: Trend: Error ->"<
Solution:
=========
1.1
The sql injection web vulnerability can be patched by using a secure statement
around the id parameter value implementation.
Encode and parse the input or setup an own new exception-handling to prevent
future executions of sql commands.
1.2
Parse and encode the vulnerable data and name parameters to fix the client-side
cross site scripting web vulnerability.
Ensure that the parameters are secure encoded in all different section of the
application modules.
Risk:
=====
1.1
The security risk of the remote sql injection web vulnerability is estimated as
high(+).
1.2
The security risk of the client-side cross site scripting web vulnerabilities
are estimated as low(+)|(-)medium.
Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri
(bkm@xxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]
Disclaimer:
===========
The information provided in this advisory is provided as it is without any
warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct,
indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have
been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential
or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor
licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com
- www.evolution-sec.com
Contact: admin@xxxxxxxxxxxxxxxxxxxxx -
research@xxxxxxxxxxxxxxxxxxxxx - admin@xxxxxxxxxxxxxxxxx
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com
- magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab
- youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file
requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All
pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@xxxxxxxxxxxxxxxxxxxxx or
research@xxxxxxxxxxxxxxxxxxxxx) to get a permission.
Copyright © 2013 | Vulnerability Laboratory
[Evolution Security]
--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/