[Full-disclosure] FW: Re: Radware AppWall Web Application Firewall: Source code disclosure on management interface
- From: "Shaked Vax" <ShakedV@xxxxxxxxxxx>
- Date: Mon, 6 Jul 2009 15:18:41 +0300
Let's clarify what is the .inc vulnerability all about:
In order to take advantage of this vulnerability one needs to:
1. Have access to internal AppWall management URL
2. Have credentials (user and password) of the AppWall Web Interface. Without the credentials one cannot access the /Management/ folder at all !
Once you have access to the .inc file you can retrieve the server's source code. In most applications it is not "a good practice" (to say the least) to expose your source code even your authenticated users.
In AppWall's case there is nothing interesting to hide in the inc files, since if you have credentials, and you are looking to cause harm to the system, you can simply shutdown the AppWall service, change its IP address etc'. PHP source code is not interesting in this case.
This is not a critical issue and should be taken in relevant proportions.
From: Vladimir '3APA3A' Dubrovin [mailto:3APA3A@xxxxxxxxxxxxxxxx]
Sent: Friday, July 03, 2009 15:58 PM
To: Shaked Vax
Subject: Re: [Full-disclosure] radware AppWall Web Application Firewall: Source code disclosure on management interface
Dear Shaked Vax,
Are you sure Radware Team have analysed reflected attack via user's
browser (AppWall administrator visits malcrafted page, page redirects
his request to AppWall) before excluding remote vector?
--Thursday, July 2, 2009, 3:23:16 PM, you wrote to full-disclosure@xxxxxxxxxxxxxxxxx:
SV> Radware team has completed analysis of the reported issue, concluding
SV> that no AppWall customer using the product according to Radware
SV> deployment recommendations would be exposed to vulnerability as a result
SV> of this issue. This is due to the facts that this issue exists only on
SV> the management interface that is recommended to be connection to
SV> internal LAN only, and that it does not allow performing any actions
SV> that would influence machine functionality.
SV> Nevertheless, in order to enforce our commitment to deliver top
SV> security solution to our customers, Radware will supply a fix for this
SV> issue within its upcoming AppWall release.
SV> Shaked Vax
SV> AppWall Product Manager
SV> Full-Disclosure - We believe in it.
SV> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
SV> Hosted and sponsored by Secunia - http://secunia.com/
Но Гарри... я безусловно отдаю предпочтение ему, за
высокую питательность и какое-то особенно нежное мясо. (Твен)
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Prev by Date: Re: [Full-disclosure] Oops! About xscreensaver 5.01
- Next by Date: Re: [Full-disclosure] One Click Ownage [White Paper and Scripts]
- Previous by thread: [Full-disclosure] Oops! About xscreensaver 5.01
- Next by thread: [Full-disclosure] HTTP Verb Tampering