Vulnerability Research Team Advisories

Digital Defense’s Vulnerability Research Team (VRT) posts advisories to raise awareness of newly discovered vulnerabilities or other informational items that help further secure computing networks from compromise by unauthorized parties. Advisories are posted by the VRT on an as-needed basis.

For more information about a particular advisory, please contact us at support@ddifrontline.com.

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with Files2Links' F2L-3000.

Title: DDIVRT-2009-27 Files2Links F2L-3000 SQL Injection Vulnerability

Severity: Medium

Date Discovered: November 19, 2009

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Rob Kraus, Chris Graham and r@b13$

Vulnerability Description: The login page of the F2L-3000 version 4.0.0 is vulnerable to SQL Injection. Exploitation of the vulnerability may allow attackers to bypass authentication and access sensitive information stored on the device.

Solution Description: A patch is not available at this time. Possible workarounds include disabling the vulnerable service, or limiting access to a set of trusted IP addresses.

Tested Systems / Software (with versions): F2L-3000 version 4.0.0 is the only platform that has been manually tested. Earlier versions and other, similar models may also be vulnerable as the platform is sold in various configurations.

Vendor Contact: Files2Links - http://www.files2links.com/

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with LogRover.

Title: DDIVRT-2009-26 LogRover SQL Injection Authentication Bypass

Severity: Medium

Date Discovered: May 12th, 2009

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Geoff Humes and r@b13$

Vulnerability Description: The login screen of the LogRover web interface is vulnerable to SQL injection, which can allow remote attackers to log in to the system via an authentication bypass.

Solution Description: Limit access to the login page to internal networks and trusted users only.

Tested Systems / Software (with versions): LogRover version 2.3 for Windows XP

Vendor Contact: LogRover - http://www.logrover.com/

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with IPcelerate's IPsession.

Title: DDIVRT-2009-25 IPsession SQL Injection Vulnerability

Severity: Medium

Date Discovered: March 31st, 2009

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@b13$

Vulnerability Description: IPsession runs a web interface on port 8090 that requires valid login credentials. This interface uses user supplied input to form a database query and is vulnerable to SQL injection. This may be used to bypass authentication.

Solution Description: Limit access to the login page to internal networks and trusted users only.

Tested Systems / Software (with versions): Unknown version on Windows 2003

Vendor Contact: IPcelerate - www.ipcelerate.com/ipsession.html

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with Precidia Ether232 devices.

Title: DDIVRT-2009-24 Precidia Ether232 Memory Corruption

Severity: Medium

Date Discovered: March 10th, 2009

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Steven James, princeofnigeria and r@b13$

Vulnerability Description: Certain Precidia Ether232 devices contain memory overwrite and authentication flaws. By making malformed GET requests to the built-in web server on certain Precidia Ether232 devices, it is possible to arbitrarily overwrite memory on the device and cause unknown impact.

Solution Description: At this point in time, Precidia Technologies has not provided a firmware upgrade addressing the memory corruption flaw. As a workaround, Precidia Technologies suggests that users disable the web server on the device through the serial or telnet configuration interface.

Tested Systems / Software (with versions): Precidia Ether3201-232 w/ firmware 3.00.250, Precidia Ether232 Duo w/ firmware 5.00.02. Other versions are believed to be vulnerable.

Vendor Contact: Precidia Technologies - solutions@precidia.com, support@precidia.com

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with Apache's ActiveMQ.

Title: DDIVRT-2009-23 Apache ActiveMQ Numerous Cross Site Scripting Issues

Severity: Low

Date Discovered: February 23rd, 2009

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@b13$

Vulnerability Description: ActiveMQ 5.2.0's /admin interface gathers input from the user in numerous forms which are not properly sanitized. Attackers may insert script tags to have them execute when a user browses the affected areas of the page.

Solution Description: User-supplied inputs should not be rendered as executable script code when presented back to the user.

Tested Systems / Software (with versions): Windows XP SP3, ActiveMQ 5.2.0 Release Windows Binary

Vendor Contact: The Apache Software Foundation http://activemq.apache.org/

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with the SMART Board Whiteboard.

Title: DDIVRT-2009-22 SMART Board Whiteboard Directory Traversal Vulnerability

Severity: High

Date Discovered: January 19, 2009

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@b13$

Vulnerability Description: A directory traversal condition exists in SMART Web Server whereby arbitrary files may be retrieved from this host's file system. Attackers may leverage this issue to gain access to sensitive information stored on this host.

Solution Description: No patch is available at this time.

Tested Systems / Software (with versions): Windows XP, SMART Board Whiteboard

Vendor Contact: SMART Technologies ULC http://www2.smarttech.com/

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with Retrieve Technologies' vBooks version 4.2.17.

Title: DDIVRT-2009-21 vBook Login Application Cross-site Scripting Vulnerability

Severity: Low

Date Discovered: January 19, 2009

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@b13$

Vulnerability Description: Alterations of the title and message parameters in vBook allow attackers to specify arbitrary web or scripting content. This allows scripting tags to be executed by the browser to perform XSS attacks. Such an attack would require convincing a user to click on a specially crafted link.

Solution Description: No patch is available at this time.

Tested Systems / Software (with versions): Windows Server 2003, IIS vBooks v 4.2.17

Vendor Contact: Retrieve Technologies, Inc. http://www.retrieve.com/index.html

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with the NetMRI login application.

Title: DDIVRT-2009-20 NetMRI Login Application Cross-site Scripting Vulnerability

Severity: Medium

Date Discovered: January 19, 2009

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: David Marshall and r@b13$

Vulnerability Description: NetMRI contains a cross-site scripting (XSS) issue whereby portions of the GET request are echoed back in an error page. This allows scripting tags to be executed by the browser to perform XSS attacks. Such an attack would require convincing a user to click on a specially crafted link.

Solution Description: On February 18, 2009, Netcordia released a patch named "CrossScriptPatch.gpg" to address this vulnerability in all currently supported versions of NetMRI through v3.0.1. Customers can acquire the patch through the normal mechanisms or contact Netcordia Technical Support for assistance. Additionally, the necessary changes will be incorporated in future versions beginning with NetMRI v3.0.2.

Tested Systems / Software (with versions): Red Hat Linux, NetMRI

Vendor Contact: Netcordia http://www.netcordia.com/products/netmri-event-analysis.asp

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw with the HP-ChaiSOE/1.0 embedded web server.

Title: DDIVRT-2009-19 HP JetDirect Web Administration Directory Traversal

Severity: High

Date Discovered: October 23, 2008

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Shmoov and r@b13$

Vulnerability Description: The HP-ChaiSOE/1.0 embedded web server on certain HP JetDirect printers allows a potential attacker to gain read only access to directories and files outside of the web root. An attacker can leverage this flaw to read arbitrary system configuration files, cached documents, etc. Information obtained from an affected host may facilitate further attacks against the host. Exploitation of this flaw is trivial using common web server directory traversal techniques.

Solution Description: The vendor has released an update. See http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01623905 for more details. Digital Defense, Inc. recommends restricting access to the HP JetDirect web administration interface to authorized hosts only.

Tested Systems / Software (with versions): Embedded web server HP-ChaiSOE/1.0 on:

        HP JetDirect 2420
        HP JetDirect 4250

Vendor Contact: HP http://www.hp.com/

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw within Orb Networks' Orb media server.

Title: DDIVRT-2008-18 Orb Directory Denial of Service

Severity: High

Date Discovered: October 21, 2008

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Steven James and r@b13$

Vulnerability Description: Orb Networks' Orb media server is vulnerable to a denial of service condition. Sending malformed HTTP requests may crash the service, denying service to legitimate users.

Solution Description: Use firewall rules to restrict access to authorized users of the Orb server.

Tested Systems / Software (with versions): Orb version 2.01.0022 on Windows XP Pro SP2; Orb version 2.01.0017 on Windows XP Pro SP2; Nullsoft Winamp Remote Server Beta (featuring Orb version 2.01.0013) on Windows XP Pro SP2.

Vendor Contact: Orb Networks, www.orb.com

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw within Orb Networks' Orb media server.

Title: DDIVRT-2008-17 Orb Directory Traversal

Severity: High

Date Discovered: October 21, 2008

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Steven James and r@b13$

Vulnerability Description: Orb Networks' Orb media server is vulnerable to directory traversal attacks. Users can leverage specially crafted GET requests to read arbitrary files.

Solution Description: Use firewall rules to restrict access to authorized users of the Orb server. This issue is fixed in version 2.01.0022 available at http://www.orb.com/download/us/setup_2.01.0022.exe.

Tested Systems / Software (with versions): Orb version 2.01.0017 on Windows XP Pro SP2; Nullsoft Winamp Remote Server Beta (featuring Orb version 2.01.0013) on Windows XP Pro SP2.

Vendor Contact: Orb Networks, www.orb.com

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw within the iPhone Configuration Web Utility 1.0.

Title: DDIVRT-2008-15 iPhone Configuration Web Utility 1.0 for Windows Directory Traversal

Severity: High

Date Discovered: October 2, 2008

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Corey LeBleu and r@b13$

Vulnerability Description: The iPhone Configuration Web Utility allows centralized management of iPhone configuration settings. The iPhone Configuration Web Utility 1.0 for Windows web interface is vulnerable to a common web directory traversal attack. Successful exploitation will result in arbitrary read-only file access outside of the iPhone Configuration Web Utility 1.0 web root.

Solution Description: Filter network traffic so that only trusted users can access the web interface.

Tested Systems / Software (with versions): Windows XP Professional, iPhone Configuration Web Utility 1.0 for Windows

Vendor Contact: Apple Inc., www.apple.com

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw within 3Com Wireless 8760 Dual Radio 11a/b/g PoE Access Point.

Title: DDIVRT-2008-14 3Com Wireless 8760 Dual Radio 11a/b/g PoE Access Point Malformed HTTP POST DoS

Severity: Medium

Date Discovered: May 20, 2008

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Brandon Shilling and r@b13$

Vulnerability Description: The 3Com Wireless 8760 Dual Radio 11a/b/g PoE Access Point is an enterprise-grade wireless access point. The web management interface is vulnerable to a DoS condition due to improper validation of malformed HTTP POST requests. Successful exploitation will result in a complete DoS of the device.

Solution Description: 3Com has not addressed this issue at this time. Digital Defense, Inc. does not currently know of any workarounds for this flaw.

Tested Systems / Software (with versions): Tested against 3Com Wireless 8760 Dual Radio 11a/b/g PoE Access Point, firmware unknown.

Vendor Contact: 3Com, www.3com.com

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw within AVTECH's PageR Enterprise.

Title: DDIVRT-2008-13 AVTECH PageR Enterprise Directory Traversal

Severity: Medium

Date Discovered: July 1, 2008

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Corey LeBleu and r@b13$

Vulnerability Description: PageR Enterprise is a centralized device / server event monitoring system. The PageR Enterprise server web interface is vulnerable to a common web directory traversal attack. Successful exploitation will result in arbitrary read-only file access outside of the PageR Enterprise web root.

Solution Description: AVTECH has addressed this flaw in PageR version 5.0.7, which was available for public use on August 13, 2008.

Tested Systems / Software (with versions): Tested against PageR Enterprise/4.3.7 running on a Microsoft Windows 2000 system. Other versions of PageR Enterprise may be vulnerable.

Vendor Contact: AVTECH, www.avtech.com, Info@AVTECH.com

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw within the ServerView server management suite.

Title: DDIVRT-2008-12 ServerView SnmpGetMibValues.exe Buffer Overflow

Severity: High

Date Discovered: May 1, 2008

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Steven James, Mike James and r@b13$

Vulnerability Description: ServerView is a server management suite. Several buffer overflow conditions exist in remotely-accessible portions of the suite. Authenticated users (by default, all users) can cause a stack overflow by sending a specially-crafted URL to the ServerView web interface.

Solution Description: Authenticate remote users who use the web interface to minimize potential malicious users.

Tested Systems / Software (with versions): ServerView 04.60.07 was tested on Windows XP. Other versions are assumed to be vulnerable.

As of yet, a patch has not been issued by the vendor.

Vendor Contact: Fujitsu Siemens, www.fujitsu-siemens.com/

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw within the BadBlue Web Server.

Title: DDIVRT-2008-11 BadBlue uninst.exe Denial of Service

Severity: Medium

Date discovered: March 5, 2008

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Steven James and r@b13$

Vulnerability Description: BadBlue is a web server used for peer-to-peer file sharing. By default, several executable files are stored in the web root: badblue.exe, uninst.exe, and dyndns.exe. Executable files stored in the web root of BadBlue can be launched remotely by any user. This can be leveraged to create a DoS condition by repeatedly invoking the uninst.exe executable. Because BadBlue has not released a patch for the previously documented directory traversal vulnerability (CVE-2007-6378), an attacker may utilize these two flaws in conjunction to place a malicious executable in the web root and compromise a vulnerable server.

Solution Description: Restrict access to the executables already in the web root (badblue.exe, uninst.exe, and dyndns.exe) and take steps to ensure that users cannot write files to the web root.

Tested Systems / Software (with versions): BadBlue Personal Edition version 2.72 has been tested on Windows XP and Windows Server 2003. Other versions and systems are assumed to be vulnerable.

Vendor Contact: BadBlue, www.badblue.com

The previously undocumented flaw within Sentinel Protection Server has been processed through Digital Defense, Inc.'s Vulnerability Disclosure Program. The release schedule appears below.

  1. 7 March 2008 - Vendor notified
  2. 7 April 2008 - DDI client base notified
  3. 21 April 2008 - DDI publishes an advisory to the public along with any available remediation information
  4. May 5, 2008 - DDI will update the advisory with any new information, and post said information on the DDI corporate website.

Should you have any questions regarding this advisory or this vulnerability specifically, please feel free to contact Client Support at 888.273.1412.

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw within the PacketTrap Networks Inc. PT360 Tool Suite.

Title: DDIVRT-2008-10 PacketTrap PT360 Tool Suite TFTP Arbitrary File Access

Severity: High

Date discovered: January 29, 2008

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: princeofnigeria and r@b13$

Vulnerability Description: The default installation of the PacketTrap PT360 Tool Suite Version 1.1.33.1.0 TFTP server component is susceptible to a directory traversal attack. A remote or local attacker can exploit this flaw to retrieve arbitrary files outside of the TFTP server root directory. This vulnerability also allows a remote attacker to overwrite and modify system files, which could facilitate a full system compromise.

Solution Description: PacketTrap Networks, Inc. released a patch (#3302) for this flaw on February 29, 2008.

Tested Systems / Software (with versions): Windows XP Professional Service Pack 2, PacketTrap PT360 Tool Suite Version 1.1.33.1.0.
Other versions may be vulnerable to this flaw.

Vendor Contact: PacketTrap Networks, Inc., www.packettrap.com, sales@packettrap.com, support@packettrap.com, info@packettrap.com

The previously undocumented flaw within Sentinel Protection Server has been processed through Digital Defense, Inc.'s Vulnerability Disclosure Program. The release schedule appears below.

  1. 7 February 2008 - Vendor notified
  2. 29 February 2008 - DDI client base notified
  3. 3 March 2008 - DDI publishes an advisory to the public along with any available remediation information

Should you have any questions regarding this advisory or this vulnerability specifically, please feel free to contact Client Support at 888.273.1412.

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw within the PacketTrap Networks Inc. PT360 Tool Suite.

Title: DDIVRT-2008-9 PacketTrap PT360 Tool Suite TFTP Denial of Service

Severity: Medium

Date discovered: January 29, 2008

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: princeofnigeria and r@b13$

Vulnerability Description: The default installation of the PacketTrap PT360 Tool Suite Version 1.1.33.1.0 TFTP server component is susceptible to a denial of service condition. A remote or local attacker can exploit this flaw by sending a specially crafted packet to the TFTP server. Successful exploitation of this flaw will cause the TFTP server process to crash. The TFTP server will need to be restarted to resume normal TFTP server operations.

Solution Description: PacketTrap Networks, Inc. released a patch (#3302) for this flaw on February 29, 2008.

Tested Systems / Software (with versions): Windows XP Professional Service Pack 2, PacketTrap PT360 Tool Suite Version 1.1.33.1.0.
Other versions may be vulnerable to this flaw.

Vendor Contact: PacketTrap Networks, Inc., www.packettrap.com, sales@packettrap.com, support@packettrap.com, info@packettrap.com

The previously undocumented flaw within Sentinel Protection Server has been processed through Digital Defense, Inc.'s Vulnerability Disclosure Program. The release schedule appears below.

  1. 7 February 2008 - Vendor notified
  2. 29 February 2008 - DDI client base notified
  3. 3 March 2008 - DDI publishes an advisory to the public along with any available remediation information

Should you have any questions regarding this advisory or this vulnerability specifically, please feel free to contact Client Support at 888.273.1412.

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw within the Trust Data Solutions' File Scheduler web application.

Title: DDIVRT-2007-7 Job File Scheduler Authentication Bypass

Severity: High

Date Discovered: November 14th, 2007

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Michael Sunderland

Vulnerability Description: The Job File Scheduler web application is vulnerable to an authentication bypass through SQL injection. Successful exploitation of this vulnerability allows administrative level access to the web application with the ability to make modifications to the configuration of the application and all scheduled jobs. Due to the sensitivity of the data handled through this application, the extent of the compromise could result in the disclosure of personal information such as names, addresses, financial account numbers, SSN, etc.

Solution Description: Digital Defense, Inc. initially notified Trust Data Solutions, LLC on November 28, 2007 and received confirmation from the notification on the same day. Trust Data Solutions, LLC informed DDI that this flaw had previously been identified internally. Special thanks to Trust Data Solutions, LLC for their willingness to work with the DDI VRT staff.

Due to the fact that Trust Data Solutions, LLC does not offer automated patching, it is necessary to contact Trust Data Solutions, LLC specifically concerning the SQL injection flaw in order to obtain the fix.

Tested Systems / Software (with versions): Red Hat Linux / Apache v2.0.52 / Job File Scheduler v2.0. Other versions may be vulnerable to this flaw.

Vendor Contact: Trust Data Solutions, LLC, http://lobbytracking.com, Email: support@trustdatasolutions.com

Mailing Address:
    Trust Data Solutions
    PO Box 532029
    Grand Prairie, TX 75053-3600
Toll Free: 1-800-527-3600 ext 1300
Direct: 972-595-1300
Fax: 972-595-1297

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw within Sentinel Protection Server.

Title: DDIVRT-2007-6 Sentinel Protection Server Directory Traversal

Severity: High

Date discovered: October 10, 2007

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: Corey LeBleu

Vulnerability Description: A classic directory traversal condition exists within the Sentinel Protection Server. By sending an HTTP GET request with the path of a file preceded by an escaped traversal sequence, an attacker can leverage an arbitrary file access condition on the affected system.

Solution Description: Digital Defense, Inc. initially notified SafeNet on October 12, 2007 and received confirmation from the notification on October 30, 2007.
SafeNet informed DDI that it would be releasing a patch for this flaw on November 16, 2007. At this time, DDI does not have a resolution number for the SafeNet patch for this flaw.

Tested Systems / Software (with versions): Sentinel Protection Server 7.1
Other versions may be vulnerable to this flaw.

Vendor Contact: SafeNet, www.safenet-inc.com

The previously undocumented flaw within Sentinel Protection Server has been processed through Digital Defense, Inc.'s Vulnerability Disclosure Program. The release schedule appears below.

  1. 12 October 2007 - Vendor notified
  2. 15 November 2007 - DDI client base notified
  3. 24 November 2007 - DDI publishes an advisory to the public along with any available remediation information

Should you have any questions regarding this advisory or this vulnerability specifically, please feel free to contact Client Support at 888.273.1412.

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw within NetSupport Manager.

Title: DDIVRT-2007-4 NetSupport Manager Authentication Bypass

Severity: High

Date discovered: September 4, 2007

Discovered By: Digital Defense, Inc. Vulnerability Research Team
Credit: sxkeebler and r@b13s

Vulnerability Description: The NetSupport Manager client that listens on TCP port 5405 does not properly handle authentication sessions. It is possible to pose as the NetSupport Manager, associate to a client, and then issue commands without performing the authentication sequence. Both the basic and advanced authentication schemes can be bypassed in the same manner. When properly exploited, this flaw will result in a complete compromise of the target system.

Solution Description: Digital Defense, Inc. notified NetSupport on September 9, 2007 of this flaw but did not receive any response or acknowledgement from the vendor. However, NetSupport has released a patch for this flaw as described by NetSupport Technical Document ID TD543.

Tested Systems / Software (with versions): NetSupport Manager 10.20 running on Windows XP SP2 and Windows 2K3 SP2. NetSupport acknowledges in Technical Document ID TD543 that the following versions of the NetSupport Manager are vulnerable to this flaw: NSM 5.00, NSM 5.01, NSM 5.02, NSM 5.02f1, NSM 5.03, NSM 5.05, NSM 5.30, NSM 5.31, NSM 6.00, NSM 6.10, NSM 6.11, NSM 7.01, NSM 7.10, NSM 8.00, NSM 8.10, NSM 9.00, NSM 8.50, NSM 8.60, NSM 9.10, NSM 9.50, NSM 9.60, NSM 10.00, NSM 10.20

Vendor Contact: NetSupport, www.netsupportmanager.com

The previously undocumented flaw within NetSupport Manager has been processed through Digital Defense, Inc.'s Vulnerability Disclosure Program. The release schedule is listed below.

  1. 9 September 2007 - Vendor notified
  2. 2 October 2007 - NetSupport released patch for this flaw
  3. 3 October 2007 - DDI client base notified and DDI publishes an advisory to the public along with available remediation information

Should you have any questions regarding this advisory or this vulnerability specifically, please feel free to contact Client Support at 888.273.1412.

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a previously undocumented flaw within NetSupport Manager.

Title: DDIVRT-2007-5 NetSupport Manager Client Buffer Overflow

Severity: Medium

Date discovered: September 4, 2007

Discovered by: Digital Defense, Inc. Vulnerability Research Team
Credit: sxkeebler and r@b13$

Vulnerability Description: The NetSupport Manager client that listens on TCP port 5405 does not properly validate input supplied during the initial connection sequence. Specifically, during the configuration exchange part of the initial connection setup, the client does not appear to validate the supplied data, which can result in a DoS of the NetSupport Manager client or the host in general. Remote code exploitation is also thought to be possible. Within Technical Document ID TD545, NetSupport acknowledges that this flaw is present in unspecified versions of NetSupport School Student.

Solution Description: Digital Defense, Inc. notified NetSupport on September 9, 2007 of this flaw but did not receive any response or acknowledgement from the vendor. However, NetSupport has released a patch for this flaw as described by NetSupport Technical Document ID TD545.

Tested Systems / Software (with versions): NetSupport Manager 10.20 running on Windows XP SP2 and Windows 2K3 SP2.

NetSupport acknowledges in Technical Document ID TD545 that the following versions of the NetSupport Manager are vulnerable to this flaw:

NSM 10.00, NSS 9.00, NSM 10.20

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered a directory traversal vulnerability in the TFTPdWin software.

Title: TFTPdWin 0.4.2 Server Directory Traversal Vulnerability

Severity: High

Date Discovered: March 15, 2007

Discovered by: Digital Defense, Inc. Vulnerability Research Team

Vulnerability Description: The version of TFTPdWin contains a vulnerability that allows a potential intruder to gain read and write access to directories and files outside of the TFTP root. Successful exploitation of this vulnerability may also allow a remote, unauthenticated attacker to overwrite and modify system files, which could facilitate the execution of arbitrary code, the result of which could ultimately lead to a full system compromise.

Solution Description: No patch is available at this time.

Tested Systems / Software (with versions): Windows XP Professional Service Pack 2, TFTPdWin version 0.4.2. Other versions may be vulnerable.

Vendor Contact: ProSysInfo, www.prosysinfo.webpark.pl

The TFTPdWin 0.4.2 Server Directory Traversal vulnerability has been processed through Digital Defense, Inc.'s Vulnerability Disclosure Program. The release schedule is listed below.

  1. 26 March 2007 – Vendor notified
  2. 26 April 2007 - DDI client base notified
  3. 10 May 2007 - DDI publishes an advisory to public

Should you have any questions regarding this advisory or this vulnerability specifically, please feel free to contact Client Support at 888.273.1412.

The Digital Defense, Inc. Vulnerability Research Team (VRT) has discovered an authentication bypass vulnerability in the eFileCabinet digital imaging software suite.

Title: eFileCabinet Authentication Bypass

Severity: Medium

Date Discovered: December 20, 2006

Discovered By: Digital Defense, Inc. Vulnerability Research Team

Vulnerability Description: The eFileCabinet software suite houses digital images of files. Though the eFileCabinet HTTP interface is password protected, it is possible to bypass said access controls to gain partial access to the eFileCabinet software. In order to bypass security, an attacker must supply a non-existent filecabinetnumber, such as 0. An attacker can utilize this access to partially navigate the eFileCabinet HTTP interface. Successful exploitation of this flaw could allow an attacker to create eFileCabinet drawers or potentially to obtain access to sensitive information.

Solution Description: The vendor has been notified of this flaw but has not provided a patch. For more information concerning the eFileCabinet Authentication Bypass flaw, please contact eFileCabinet.

Vendor Verified Systems / Software (with versions): Confirmed on eFileCabinet Version 3.3. Other versions may be vulnerable.

Vendor Contact: eFileCabinet, www.efilecabinet.com

The eFileCabinet Authentication Bypass vulnerability has been processed through Digital Defense, Inc.'s Vulnerability Disclosure Program. The release schedule is listed below.

  1. 26 March 2007 – Vendor notified
  2. 26 April 2007 - DDI client base notified
  3. 10 May 2007 - DDI publishes an advisory to public

Should you have any questions regarding this advisory or this vulnerability specifically, please feel free to contact Client Support at 888.273.1412.