Re: [Full-disclosure] [NETRAGARD SECURITY ADVISORY] [Cambium Group, LLC. CAMAS Content Management System -- Multiple Critical Vulnerabilities][NETRAGARD-20070820]



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear SNOSOFT,

Thanks to you for proving every insult made to your company as
truths. Demonstrating monstrous volume of elementary computer
hacking features in some unnamed and unknown web based interface
does separate you from the Valdis's of the community, but not by
much.

You sirs should return to crying about children hijacking your xbox
live accounts after defeating you in video games, and leave the
more advanced computer security web hacking to Stefan Esser and his
technical James Bond xbox hacking team.

Also please learn to better format your pasted advisories to this
list.

thanks and all the best to you,
- -bm

On Tue, 24 Feb 2009 16:00:00 -0500 Netragard Advisories
<advisories@xxxxxxxxxxxxx> wrote:
************************* Netragard, L.L.C
Advisory***************************

The Specialist in Anti-Hacking.

[Posting Notice]
-------------------------------------------------------------------
------------------------------
If you intend to post this advisory on your web page please create
a
clickable link back to the original Netragard advisory as the
contents
of the advisory may be updated. The advisory can be found on the
Netragard website at http://www.netragard.com/

For more information about Netragard visit
http://www.netragard.com

[Advisory Information]
-------------------------------------------------------------------
------------------------------
Contact : Adriel T. Desautels
Researcher : Kevin Finisterre
Advisory ID : NETRAGARD-20070820
Product Name : CAMAS (Content Management System)
Product Version : Unknown
Vendor Name : Cambium Group, LLC.
Type of Vulnerability : Multiple Critical Vulnerabilities
Impact : Critical
Vendor Notified : 08/22/2007

[Product Description]
-------------------------------------------------------------------
------------------------------
"Cambium Group's content management system (CAMAS) give you
independence from outdated content and expensive "web masters".
Let
the user-friendly interface of CAMAS save you time and money with
the
freedom to manage your entire web channel yourself."

Taken From:
http://www.cambiumgroup.com/interior.php/pid/3/sid/3

[Technical Summary]
-------------------------------------------------------------------
------------------------------
The Cambium Group Content Management System (CAMAS) Failed most
Open Web Application Security Project ("OWASP") criterion during
testing.
Specific areas of vulnerability that were identified are as
follows:

Note: A reference to each is provided at the following URL:

--> https://www.owasp.org/index.php/Category:Vulnerability <--

[+] Authentication Testing (FAIL)
-------------------------------------------------------------------
------------------------------
CAMAS does not transport all authentication credentials over a
secure
encrypted channel. It is possible to capture users credentials in

transit.

[+] Code Quality Testing (FAIL)
-------------------------------------------------------------------
------------------------------
CAMAS does not follow industry best practices as defined by OWASP.
Specifically, CAMAS is missing critical security functionality
that
leaves
CAMAS powered websites open to attack by internet based hackers.

[+] Error Handling Testing (FAIL)
-------------------------------------------------------------------
------------------------------
CAMAS is missing proper error handling and event logging
capabilities
as defined by OWASP. This lack of proper error handling and
logging
results in information leakage that can be used by an attacker to

further
compromise a CAMAS powered website.

[+] Input Validation Testing (FAIL)
-------------------------------------------------------------------
------------------------------
CAMAS does not perform proper Input Validation. In some areas
CAMAS
does not perform any input validation. As a result it is possible
to
execute
arbitrary database commands against databases that support CAMAS
powered websites. It is also possible to take control of CAMAS
powered
websites, databases and web-servers. CAMAS does not use
Parameterized Stored Procedures which is the industry standard for
defending against SQL Injection.

[+] Logging and Auditing Testing (FAIL)
-------------------------------------------------------------------
------------------------------
CAMAS is missing Logging and Auditing functionality as defined by
OWASP.

[+] Password Management (FAIL)
-------------------------------------------------------------------
------------------------------
CAMAS does not perform proper password storage and management.
CAMAS does not properly support password aging, strong password
enforcement, or strong password cryptographic protection. During
testing
Netragard was able to crack 98% of the passwords that were stored
by
CAMAS.

[+] Sensitive Data Protection Testing (FAIL)
-------------------------------------------------------------------
------------------------------
CAMAS does not provide sufficient levels of Data Protection for
businesses whose users use CAMAS powered websites to access
sensitive information or to login to third party websites through
login
forms hosted on CAMAS powered websites.

[Impact]
-------------------------------------------------------------------
------------------------------
[Impact varies from installation to installation]

- Theft of customer data
- Hijack online banking portal
- Hijack online banking portal links
- Capture data entered into forms
- Dump database contents
- Alter database contents
- Gain access to server running CAMAS
- Phish using XSS
- Include files from remote locations
- Include files from the file system
- Information Disclosure
- Website Defacement
- etc.

[Proof Of Concept]
-------------------------------------------------------------------
------------------------------
Proof of concept code exists but is not provided as to not
increase
CAMAS
users overall risk levels. Any website that reads "Powered by the

Cambium
Group, LLC." is a CAMAS powered website.

[Vendor Status and Chronology]
-------------------------------------------------------------------
------------------------------
08/06/2007 07:11:57 PM EDT - Vulnerabilities Discovered
08/24/2007 09:38:41 AM EDT - Cambium Group, LLC. Notified in full
detail
08/24/2007 10:54:01 AM EDT - Cambium Group, LLC. Responds to
Notification
08/27/2007 10:31:30 AM EDT - Conference Call Scheduled
08/29/2007 03:00:00 PM EDT - Held Conference call - Presented
Solution
08/29/2007 03:00:00 PM EDT - Communication with the Cambium Group
Faded
09/26/2008 11:17:35 PM EDT - Issues remain unfixed
02/09/2009 09:00:00 PM EDT - Issues remain unfixed
02/11/2009 03:44:19 PM EST - Whistle Blower FD Posting (No
affiliation
to Netragard)
02/11/2009 04:55:20 PM EST - Netragard Prepares Advisory for
Release

[Solution]
-------------------------------------------------------------------
------------------------------
Netragard strongly recommends that the Cambium Group, LLC. modify
CAMAS to meet OWASP criterion as defined by the OWASP Testing
Guide
version 3. CAMAS users can partially or entirely protect
themselves by
installing a reverse application proxy such as BlueCoat(tm) or
ModSecurity2. Other Content Management Systems that meet industry
best practices with respect to security might also be considered.

[Disclaimer]
-------------------------------------------------------------------
------------------------------
Netragard, L.L.C. assumes no liability for the use of the
information
provided in this advisory. This advisory was released in an effort
to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to
solicit
business.

This advisory is also published at:
http://www.netragard.com -- and -- http://snosoft.blogspot.com
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify

wpwEAQMCAAYFAkmkayYACgkQhNp8gzZx3sj3MQP/VLhX6DVzCHv0bB7X4hpsZgR9sNZG
yTznxGMvlxtqUvjAq1ssR/gX2826a9WKS6tclsvOXu+1CrB+1yulG6uTI9t7NmDIpp/j
+zC9v9sztE9gm/Rj3IoSC33U37g6os3NkYsYZ/La/LCx4GLflkAvPN6fbcgPW0E3wwfs
q4uRjsU=
=B3aD
-----END PGP SIGNATURE-----

--
Become a medical transcriptionist at home, at your own pace.
http://tagline.hushmail.com/fc/BLSrjkqfMmeOwR2r84s2x0D7IaMZV2tdQQpFcchXy4aCudZvRFDOuayrUK8/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages