Oliver's Blog Yet Another Needless BLOG


Octogate UTM Admin Interface Directory Traversal

Filed under: Advisories,Allgemein — oliver.karow @ 16:32

October last year, I had a quick look at the Octogate UTM (virtual) Appliance, which is an Application Firewall, Deep Inspection Firewall, Intrusion Detection and Prevention device for SMB.
Because of limited spare time, I stopped after I discovered the first vulnerability. In this case, I was able to access all configuration files and scripts, inside and outside of the webroot, with the privileges of the httpd, without authentication.

Today, after approx. 10 months, I decided to clean up my HDD and to publish an advisory, which you can find here: http://www.oliverkarow.de/research/octogate.txt

One little step into a more secure world 😉


Dr. Web Administrator Interface – Persistent Script Code Injection Vulnerability

Filed under: Advisories,linkedin — oliver.karow @ 15:23

After almost 2 years of inactivity, I will release another small advisory today. It's one of those „product-installation-takes-more-time-than-finding-the-vulnerability“ findings.

This time, the product is Dr. Web Antivirus Enterprise Server and the vulnerability is within its administration web interface.
If an attacker supplies JavaScript code instead of a username on the login page, this script code will be automatically executed every time an administrative user views the audit log. This attack can be used to steal authentication cookies or to drive further attacks.

I know, I should not spend my time on such low-hanging fruit, but currently I do not have the time to dig deeper into products to search for more sophisticated vulnerabilities.

The advisory can be found here: http://www.oliverkarow.de/research/drweb.txt


GFI WebMonitor Admin UI Remote Script Code Injection

Filed under: Advisories,Allgemein,linkedin — oliver.karow @ 12:29

Today I released a security advisory regarding GFI WebMonitor. WebMonitor is a filtering and monitoring solution for web traffic, which also protects against viruses, spyware, malware and phishing scams.

During a quick security analysis of the product, I figured out a way to inject script code that will be executed automatically within the Administrator UI.

The advisory can be found here: GFIWebMonitor.txt

Added by Admin: A screenshot where I injected an iframe into the Admin Interface… just to visualize it for GFI’s security response 🙂



Astaro Security Gateway V7 Vulnerabilities

Filed under: Advisories,Allgemein,linkedin — oliver.karow @ 13:10

Some weeks ago I discovered some vulnerabilities within Astaro Security Gateway V7.

Among other features, the ASG works as a web filter to regulate employees’ web browsing activity.

Due to weak input filtering, an attacker can use the vulnerabilities to inject persistent script code, which will be executed inside the ASG’s admin console.
It is also possible to conduct cross-site scripting attacks against the web users protected by the ASG, due to an XSS vuln within the web proxy’s error message handling.

All vulnerabilities have meanwhile been fixed by the vendor. A detailed advisory will be published soon (or less soon, depending on my spare time 😉)


Multiple Vulnerabilities within MailScan Admin Interface

Filed under: Advisories,linkedin — oliver.karow @ 11:36

Today I’m going to publish an advisory regarding MailScan from Microworld. Microworld is a vendor of Antivirus, Anti-Spyware and Anti-Spam solutions. MailScan itself is „the world’s most advanced Real-Time Antivirus and AntiSpam solution for Mailservers“… at least this is what the company claims on their website…

MailScan now comes with a web interface, offering web-based administration. Unfortunately the web interface is offering these services also to hackers… I did not come across a product from a security products vendor for a long time that was as vulnerable as this one… it took me about 25 seconds to abuse the web interface to access all files on the system without authentication via the stupid old directory traversal vulnerability…

Since this vuln seemed to be too lame to publish as a separate vulnerability, I took some more time to research the authentication and session handling… and I was surprised again…
there was none… ok, to be fair I have to say… almost none… Authentication was implemented via the cookie variables „user=admin“ and „IsAdmin=true“ 🙂
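The cookie-only check described above, beside a hardened form in which the cookie carries nothing but an opaque server-issued session id, as an added example that is not MailScan’s code. Function names, the PBKDF2 parameters, the idle timeout and the sample users are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import secrets
import time
from http.cookies import SimpleCookie

def is_admin_weak(cookie_header: str) -> bool:
    """The pattern described in the post: the role is read straight from cookies the client controls."""
    cookies = SimpleCookie(cookie_header)
    return ("user" in cookies and cookies["user"].value == "admin"
            and "IsAdmin" in cookies and cookies["IsAdmin"].value == "true")

SESSION_TTL = 15 * 60   # idle timeout in seconds (assumed policy)
_sessions = {}          # session id -> {"user", "is_admin", "expires"}; lives only on the server

def make_user(password: str, is_admin: bool) -> dict:
    """Constructed user record: salted PBKDF2 hash plus the role, stored server-side."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "hash": digest, "is_admin": is_admin}

def login(username: str, password: str, user_db: dict):
    """Verify credentials; on success issue a random session id and record the role server-side."""
    record = user_db.get(username)
    if record is None:
        return None
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 100_000)
    if not hmac.compare_digest(digest, record["hash"]):
        return None
    sid = secrets.token_urlsafe(32)   # 256 bits of randomness: not guessable, not forgeable
    _sessions[sid] = {"user": username, "is_admin": record["is_admin"],
                      "expires": time.monotonic() + SESSION_TTL}
    return sid

def is_admin_hardened(cookie_header: str) -> bool:
    """Only a session id the server itself issued, and that has not idled out, grants the role."""
    cookies = SimpleCookie(cookie_header)
    if "session" not in cookies:
        return False
    sid = cookies["session"].value
    session = _sessions.get(sid)
    if session is None or session["expires"] < time.monotonic():
        _sessions.pop(sid, None)
        return False
    session["expires"] = time.monotonic() + SESSION_TTL   # sliding idle timeout
    return session["is_admin"]

FORGED = "user=admin; IsAdmin=true"   # what anyone can type into a browser, no password needed
```

The weak check accepts `FORGED` outright; the hardened check accepts only an id that `login()` produced after a successful credential check.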

There were a lot more vulns, which I stopped enumerating after a while because I got bored.
Some of them I added to the advisory, which you can find here:


BitDefender – Unauthorized Remote File Access Vulnerability

Filed under: Advisories,linkedin — oliver.karow @ 13:31

Today I published an advisory for the BitDefender Update Server. BitDefender is one of the larger vendors for Antivirus software.

The update server’s function is to deliver new antivirus patterns and engine updates to the software clients. Therefore it is using the HTTP protocol and an HTTP daemon. The daemon does not require authentication and is vulnerable to the oldest vulnerability known for web servers: the directory traversal attack.

This means everyone who is able to connect to the port of the Update Server with his web browser is able to read all files on the server (at least on the same partition/drive), including Windows configuration files, password files etc.
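A defender-side illustration of the directory traversal class named in this post and in the Octogate and MailScan posts above, added here and not taken from any of the affected products or advisories: the path-containment check a file-serving daemon should apply before opening anything, plus a scan over constructed access-log lines that flags the attempts. The webroot, the log format and the sample requests are assumptions.

```python
import posixpath
from urllib.parse import unquote

WEBROOT = "/srv/updates"   # assumed document root of the file-serving daemon (constructed)

def decode_path(request_path: str) -> str:
    """Percent-decode until stable so a double-encoded '%252e%252e/' is seen as '../'."""
    current = request_path
    for _ in range(3):   # bounded: never loops forever on pathological input
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current

def resolve_request_path(request_path: str, webroot: str = WEBROOT):
    """Map a URL path onto the filesystem; return None if it would leave webroot."""
    decoded = decode_path(request_path)
    # NUL truncates paths in C string handling and several daemons treat '\' as a
    # separator, so both are rejected outright rather than normalised away.
    if "\x00" in decoded or "\\" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(webroot, decoded.lstrip("/")))
    # Containment check after normalisation: accept only the webroot itself or a
    # path strictly below it. This is lexical; a daemon serving a real filesystem
    # should also compare os.path.realpath() results so symlinks cannot escape.
    if candidate != webroot and not candidate.startswith(webroot + "/"):
        return None
    return candidate

def traversal_attempts(log_lines):
    """Return request paths from simplified access-log lines that try to escape the webroot.
    Assumed line format: '<client> "<METHOD> <path> HTTP/1.1" <status>'."""
    flagged = []
    for line in log_lines:
        try:
            path = line.split('"')[1].split()[1]
        except IndexError:
            continue   # malformed line: skip rather than crash the scanner
        if resolve_request_path(path) is None:
            flagged.append(path)
    return flagged

# Constructed sample log: one legitimate update fetch and three traversal attempts.
SAMPLE_LOG = [
    '10.0.0.5 "GET /engine/cumulative.zip HTTP/1.1" 200',
    '10.0.0.9 "GET /../../../windows/win.ini HTTP/1.1" 200',
    '10.0.0.9 "GET /engine/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200',
    '10.0.0.9 "GET /%252e%252e/%252e%252e/boot.ini HTTP/1.1" 200',
]
```

Running `traversal_attempts(SAMPLE_LOG)` returns the three escaping paths; the 200 status codes in the constructed log are the point, since a daemon without the check above answers them successfully.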

It also seems that BitDefender does not have a dedicated response team responsible for vulnerabilities within their own products. The mail I sent to them in order to inform them about their vulnerability was answered by an automated mail, requesting me to register on their website in order to access their support material… sorry guys, I don’t have time for such games… please learn how other AV and software vendors are handling this!!!

You can find the original advisory here.

More of my humble advisories can be found on my website…


Perforce P4Web Denial Of Service through resource starvation

Filed under: Advisories,linkedin — oliver.karow @ 12:13

Symantec recently published an advisory regarding a DoS vulnerability within Perforce software, which I discovered about ten months ago… Well, 6 months ago I left Symantec… but it is nice to see that I’m still bringing added value to Symantec 😉

You can find more about the advisory here and there.


Secure Computing Security Reporter

Filed under: Advisories,linkedin — oliver.karow @ 16:59

Last Friday I published an advisory for Secure Computing’s Security Reporter. It is possible to bypass the authentication mechanism and to access all files on the partition. You can download the original advisory at http://www.oliverkarow.de/research/securityreporter.txt. It is also mirrored on SecurityFocus: http://www.securityfocus.com/bid/25027
