An advisory by EnableSecurity.
ID: ES-20100601
Advisory URL:
http://resources.enablesecurity.com/advisories/ES-20100601-dotdefender4.txt
Affected versions: 4.0
Fixed versions: 4.01-3 (and later)
Description:
Applicure dotDefender is a Web Application Firewall that can be installed on
Windows and Linux servers.
From their website (applicure.com):
"dotDefender is the market-leading software Web Application Firewall (WAF).
dotDefender boasts enterprise-class security, advanced integration capabilities,
easy maintenance and low total cost of ownership (TCO). dotDefender is the
perfect choice for protecting your website and web applications today."
Credits:
These vulnerabilities were discovered during WAF testing by Sandro Gauci of
EnableSecurity. We contacted AppliCure on May 17, 2010 about this vulnerability.
They were already working on a fix.
____________________________________________________________________________
Technical details:
The log viewer facility in dotDefender does not properly HTML-encode user-
supplied input before rendering it. Because the viewer displays the HTTP headers
of logged requests, and any client can choose those header names and values,
this is a stored cross-site scripting vulnerability that fires in the browser of
whoever opens the log viewer.
____________________________________________________________________________
Demo:
One may use curl to send a request whose headers contain HTML tags, via the
--header switch.
Example:
curl "http://website.org/c?a=<script>" \
--header "<script>alert(1)</script>: aa"
When the administrator views the log viewer page, his/her web browser will
execute the attacker's JavaScript in the context of the dotDefender interface.
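As an added illustration (not code from this advisory or from Applicure), a
minimal log-viewer rendering routine in Python showing the defect described
above next to its fix: the hardened version HTML-encodes every header name and
value at the point of output, and a small oracle checks that no untrusted markup
reaches the page. The request head is a constructed sample mirroring the curl
demo; all function and class names are assumptions.

```python
import html
from dataclasses import dataclass

# Constructed sample request head, mirroring the curl demo above: the query
# string and one header *name* both carry HTML tags.
SAMPLE_RAW_REQUEST = (
    "GET /c?a=<script> HTTP/1.1\r\n"
    "Host: website.org\r\n"
    "<script>alert(1)</script>: aa\r\n"
    "\r\n"
)

@dataclass
class LoggedRequest:
    method: str
    target: str
    headers: list  # (name, value) tuples, order preserved

def parse_request(raw: str) -> LoggedRequest:
    """Split a raw HTTP/1.x request head into request line and header fields."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return LoggedRequest(method, target, headers)

def render_vulnerable(req: LoggedRequest) -> str:
    """The defect: untrusted fields are interpolated into the page verbatim."""
    rows = "".join(f"<tr><td>{n}</td><td>{v}</td></tr>" for n, v in req.headers)
    return f"<h2>{req.method} {req.target}</h2><table>{rows}</table>"

def render_hardened(req: LoggedRequest) -> str:
    """The fix: every untrusted field, header names included, is HTML-encoded."""
    def esc(s: str) -> str: return html.escape(s, quote=True)
    rows = "".join(f"<tr><td>{esc(n)}</td><td>{esc(v)}</td></tr>" for n, v in req.headers)
    return f"<h2>{esc(req.method)} {esc(req.target)}</h2><table>{rows}</table>"

def leaks_untrusted_markup(req: LoggedRequest, rendered: str) -> bool:
    """Oracle: True if any logged field with HTML metacharacters reaches the page verbatim."""
    fields = [req.method, req.target] + [s for pair in req.headers for s in pair]
    return any(("<" in f or '"' in f) and f in rendered for f in fields)

if __name__ == "__main__":
    req = parse_request(SAMPLE_RAW_REQUEST)
    print("vulnerable leaks markup:", leaks_untrusted_markup(req, render_vulnerable(req)))
    print("hardened leaks markup:  ", leaks_untrusted_markup(req, render_hardened(req)))
```

The oracle is the kind of regression check a WAF vendor's own test suite should run against the log viewer: header names are as attacker-controlled as header values and must be encoded the same way.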
The following demo shows how an attacker can switch off dotDefender in order to
bypass any "protection" offered by the WAF:
http://vimeo.com/12132622
Timeline:
May 17, 2010: Initial contact
Jun 01, 2010: Release of this advisory
Solution:
Upgrade to the latest version of dotDefender:
http://www.applicure.com/