wp--02-0005: Multiple Vulnerabilities in SuperScout Web Reports Server
From: Matt Moore (firstname.lastname@example.org)
Date: Wed, 02 Oct 2002 16:53:18 +0100
From: Matt Moore <email@example.com>
To: firstname.lastname@example.org, email@example.com

Westpoint Security Advisory
Title: Multiple Vulnerabilities in SuperScout Web Reports Server
Risk Rating: High
Software: SurfControl SuperScout WebFilter
Platforms: Win32 (WinNT/Win2k)
Vendor URL: www.surfcontrol.com
Author: Matt Moore <firstname.lastname@example.org>
Date: 1st October 2002
Advisory ID#: wp-02-0005
CVE#: CAN-2002-0705 - username/passwords accessible
      CAN-2002-0706 - weak encryption for passwords
      CAN-2002-0707 - large GET requests
      CAN-2002-0708 - Triple dot directory traversal
      CAN-2002-0709 - SQL injection
SurfControl's SuperScout Web Filter for Windows allows companies to monitor
and regulate their employees' use of the internet. It offers comprehensive
reporting capabilities, and provides a 'web' interface for report
Multiple vulnerabilities in the Web Reports Server could allow remote
to compromise the host on which SuperScout is installed and also modify
information from the database that it uses.
Usernames and Passwords Retrievable.
The file located at:
contains the usernames and passwords for each user of the reports server.
The usernames are in plain text, whilst the passwords are encrypted.
The EncryptString function takes two parameters 'text string' and 'key'.
hence it is trivial to decrypt the passwords. (The key is 'test').
The default administrative password, '3&8>>', decrypts to 'admin'.
As a result of this, an attacker can access any reports available
on the server.
DoS via Large GET request
Repeated large GET requests cause the reports service to consume 100% CPU,
at which point it no longer services requests. The server does appear to
recover eventually. However, this was not tested extensively.
Triple Dot Directory Traversal
An attacker can retrieve any file on the server via a simple directory
traversal attack, e.g.
SQL Injection Vulnerability
The various reports available are implemented as .dlls. Several of
no input validation, and hence it is possible that an attacker could
arbitrary SQL queries against the database:
http://reports-server:8888/SimpleBar.dll/RunReport ?...<various parameters>
The banner returned by the server is 'MS-MFC-HttpSvr/1.0'. A search for
returned the following link:
The reports server appears to be based on a sample application from
Other servers based on this may be vulnerable to the directory traversal
and DoS attacks.
The vendor, SurfControl, was initially contacted on 18/07/02.
The vendor stated that they were looking at ways to deliver reports
in different formats, and that these would encompass tighter security.
They had no definite timescales for this, but suggested the following
No patch available. Vendor supplied workaround:
Disable the reports server and consider using a terminal session to
the server to access the reports.
This advisory is available online at:
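
Added example (not part of the original advisory and not vendor code): a Python screener for web access logs that flags the three request-level issues described above, namely triple-dot path segments, oversized GET targets, and SQL metacharacters in RunReport parameters. The Common Log Format input, the 2048-byte limit and the parameter name "period" are assumptions, and the sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumption: the advisory gives no request size, so this limit is a placeholder
# to tune against the longest legitimate report URL.
MAX_TARGET_LEN = 2048
DOT_SEGMENT = re.compile(r"^\.{3,}$")      # a path segment made only of 3+ dots
SQL_META = re.compile(r"'|--|;|/\*")       # quote, comment and statement markers
REQUEST = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>[^\s"]+)')

def classify(log_line):
    """Return (client, issues) for one access-log line; issues is a set."""
    m = REQUEST.search(log_line)
    if not m:
        return None, set()
    target, findings = m.group("target"), set()
    if m.group("method") == "GET" and len(target) > MAX_TARGET_LEN:
        findings.add("large-get")
    path, _, query = target.partition("?")
    # Decode once and split on both separators, as a Win32 server would.
    segments = re.split(r"[/\\]", unquote(path))
    if any(DOT_SEGMENT.match(s) for s in segments):
        findings.add("triple-dot-traversal")
    if ".dll/runreport" in path.lower() and SQL_META.search(unquote(query)):
        findings.add("sql-metacharacters")
    return m.group("client"), findings

def screen(lines):
    """Count findings per (client, issue) so repeated large GETs stand out."""
    hits = Counter()
    for line in lines:
        client, findings = classify(line)
        hits.update((client, f) for f in findings)
    return hits

# Constructed sample lines; "period" is a hypothetical report parameter.
STAMP = '- - [02/Oct/2002:10:00:00 +0100]'
SAMPLE_LOG = [
    f'10.0.0.5 {STAMP} "GET /SimpleBar.dll/RunReport?period=7 HTTP/1.0" 200 5120',
    f'10.0.0.9 {STAMP} "GET /.../.../example.txt HTTP/1.0" 200 312',
    f'10.0.0.9 {STAMP} "GET /%2e%2e%2e/example.txt HTTP/1.0" 404 0',
    f'10.0.0.9 {STAMP} "GET /SimpleBar.dll/RunReport?period=7%27-- HTTP/1.0" 200 0',
] + [f'10.0.0.7 {STAMP} "GET /{"A" * 4000} HTTP/1.0" 500 0'] * 3

if __name__ == "__main__":
    for (client, issue), count in sorted(screen(SAMPLE_LOG).items()):
        print(f"{client}  {issue}  x{count}")
```

The SQL check is a coarse heuristic and will flag legitimate parameters that contain quotes or semicolons, so treat hits as leads to review rather than confirmed injection attempts.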