205 lines
7.5 KiB
Text
Executable file
205 lines
7.5 KiB
Text
Executable file
Title:
|
|
======
|
|
elproLOG MONITOR WebAccess 2.1 - Multiple Vulnerabilities
|
|
|
|
|
|
Date:
|
|
=====
|
|
2013-09-24
|
|
|
|
|
|
References:
|
|
===========
|
|
http://www.vulnerability-lab.com/get_content.php?id=1086
|
|
|
|
|
|
VL-ID:
|
|
=====
|
|
1086
|
|
|
|
|
|
Common Vulnerability Scoring System:
|
|
====================================
|
|
6.7
|
|
|
|
|
|
Introduction:
|
|
=============
|
|
Web-based access to your monitoring data. elproLOG MONITOR WebAccess enables you to reliably access your data from any computer
|
|
anywhere in the world. Regular it will be used in combination with a surveillance cam and dvr system too.
|
|
|
|
(Copy of the Vendor Homepage: http://www.elpro.com/en/products/software/product/elprolog-monitor-webaccess/pa/single/pc/product/ )
|
|
|
|
|
|
Abstract:
|
|
=========
|
|
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the elproLOG MONITOR WebAccess v2.1 web-application.
|
|
|
|
|
|
Report-Timeline:
|
|
================
|
|
2013-09-24: Public Disclosure (Vulnerability Laboratory)
|
|
|
|
|
|
Status:
|
|
========
|
|
Published
|
|
|
|
|
|
Affected Products:
|
|
==================
|
|
ELPRO-BUCHS AG
|
|
Product: elproLOG MONITOR-WebAccess 2.1
|
|
|
|
|
|
Exploitation-Technique:
|
|
=======================
|
|
Remote
|
|
|
|
|
|
Severity:
|
|
=========
|
|
High
|
|
|
|
|
|
Details:
|
|
========
|
|
1.1
|
|
A remote blind SQL Injection web vulnerability is detected in the ELPRO elproLOG MONITOR WebAccess v2.1 Web-Application.
|
|
The SQL Injection vulnerability allows an attacker (remote) to execute/inject own SQL commands in the vulnerable
|
|
web-application database management system.
|
|
|
|
The sql injection vulnerability is located in the strend.php file. Remote attackers can inject own sql commands by
|
|
attacking via http GET method request the affected id parameter of the vulnerable strend.php file.
|
|
|
|
Exploitation of the sql injection vulnerabilities requires no or a low privileged application user account and no user interaction.
|
|
Successful exploitation of the vulnerability results in database management system & application compromise via remote sql injection.
|
|
|
|
|
|
Vulnerable Module(s):
|
|
[+] Trends
|
|
|
|
Vulnerable File(s):
|
|
[+] strend.php
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] id
|
|
|
|
|
|
|
|
1.2
|
|
A non persistent input validation vulnerability is detected in the elproLOG MONITOR WebAccess v2.1 Web-Application.
|
|
The bug allows remote attackers to force client side browser requests with manipulated web application context or
|
|
cross site links.
|
|
|
|
|
|
The first cross site scripting web vulnerability is located in the sensorview.php module when processing to load
|
|
a manipulated data parameter via GET. The attacker provokes the exception-handling to catch the invalid data error
|
|
with the injected script code (client-side).
|
|
|
|
The secound cross site scripting web vulnerability is located in the strend.php module when processing to load
|
|
a manipulated name parameter via GET. The attacker provokes the exception-handling to catch the invalid trend id
|
|
error with the injected script code (client-side).
|
|
|
|
The vulnerability can be exploited by remote attackers without required application user account but with low or
|
|
medium required user interaction. Successful exploitation of the vulnerability results in client side session hijacking,
|
|
account take-over, client side phishing, client side external redirects and client side manipulation of module context.
|
|
|
|
|
|
Vulnerable Module(s):
|
|
[+] sensorview
|
|
[+] trends
|
|
|
|
Vulnerable File(s):
|
|
[+] sensorview.php
|
|
[+] strend.php
|
|
|
|
Vulnerable Parameter(s):
|
|
[+] data
|
|
[+] name
|
|
|
|
|
|
Proof of Concept:
|
|
=================
|
|
1.1 - SQL Injection
|
|
The remote sql injection web vulnerability can be exploited by remote attackers without privileged application user account or
|
|
user interaction. For demonstration or reproduce ...
|
|
|
|
PoC:
|
|
http://elpro.localhost:8080/elpro/strend.php?data=8331&id=1+1%27'[SQL INJECTION VULNERABILITY]--&name=1
|
|
|
|
|
|
|
|
1.2 - Client Side Cross Site Scripting
|
|
The client side cross site scripting web vulnerability can be exploited by remote attackers without privileged application user account or
|
|
user interaction. For demonstration or reproduce ...
|
|
|
|
|
|
PoC:
|
|
http://elpro.localhost:8080/elpro-demo/sensorview.php?data=ECOLOG-NET%20Testing-1%27%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28document.cookie%29%3C
|
|
Exception: Group: ECOLOG-NET Testing->"<
|
|
|
|
|
|
PoC:
|
|
http://elpro.localhost:8080/elpro-demo/strend.php?data=8331&id=0&name=->"<%27%27%3Ciframe%20src=http://vuln-lab.com%20onload=alert%28document.cookie%29%3C
|
|
Exception: Trend: Error ->"<
|
|
|
|
|
|
Solution:
|
|
=========
|
|
1.1
|
|
The sql injection web vulnerability can be patched by using a secure statement around the id parameter value implementation.
|
|
Encode and parse the input or setup an own new exception-handling to prevent future executions of sql commands.
|
|
|
|
|
|
1.2
|
|
Parse and encode the vulnerable data and name parameters to fix the client-side cross site scripting web vulnerability.
|
|
Ensure that the parameters are secure encoded in all different section of the application modules.
|
|
|
|
|
|
Risk:
|
|
=====
|
|
1.1
|
|
The security risk of the remote sql injection web vulnerability is estimated as high(+).
|
|
|
|
1.2
|
|
The security risk of the client-side cross site scripting web vulnerabilities are estimated as low(+)|(-)medium.
|
|
|
|
|
|
Credits:
|
|
========
|
|
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
|
|
|
|
|
|
Disclaimer:
|
|
===========
|
|
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
|
|
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
|
|
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
|
|
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
|
|
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
|
|
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
|
|
or trade with fraud/stolen material.
|
|
|
|
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
|
|
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
|
|
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
|
|
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
|
|
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
|
|
|
|
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
|
|
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
|
|
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
|
|
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
|
|
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
|
|
|
|
Copyright ? 2013 | Vulnerability Laboratory [Evolution Security]
|
|
|
|
|
|
|
|
--
|
|
VULNERABILITY LABORATORY RESEARCH TEAM
|
|
DOMAIN: www.vulnerability-lab.com
|
|
CONTACT: research@vulnerability-lab.com
|
|
|
|
|