Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:30846
HistoryJun 14, 2014 - 12:00 a.m.

CVE-2014-2233 - "Server-Side Request Forgery" (CWE-918) vulnerability in "infoware MapSuite"

2014-06-1400:00:00
vulners.com
24
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2014-2233

"Server-Side Request Forgery" (CWE-918) vulnerability in "infoware MapSuite"

Vendor

infoware GmbH

Product

MapSuite

Affected versions

This vulnerability affects versions of MapSuite MapAPI prior to 1.0.36 and 1.1.49

Fixed versions

MapSuite MapAPI 1.0.36 and 1.1.49
Both patches are available since 2014-03-26.

Reported by

This issue was reported to the vendor by Christian Schneider (@cschneider4711)
following a responsible disclosure process.

Severity

Medium

Exploitability

No authentication required

Description

Using a specially crafted URL to access the MapAPI it is possible to issue
HTTP(S) GET requests originating from the attacked server (behind the firewall)
and to read the response. This enables attackers to access web servers that are not
exposed to be accessed from the internet and thus allows to pivot further into the
targeted network.

Proof of concept

Due to the responsible disclosure process chosen and to not harm unpatched systems,
no concrete exploit code will be presented in this advisory.

Migration

MapSuite MapAPI 1.0.x users should upgrade to 1.0.36 or later as soon as possible.
MapSuite MapAPI 1.1.x users should upgrade to 1.1.49 or later as soon as possible.

See also

CVE-2014-2232 as another vulnerability in the same module, which can be exploited
as an Absolute Path Traversal via the same input parameter.

Timeline

2014-02-20 Vulnerability discovered
2014-02-20 Vulnerability responsibly reported to vendor
2014-02-21 Reply from vendor acknowledging report
2014-02-26 Reply from vendor with first patch (version 1.0.34 and 1.1.47)
meanwhile Testing of the patch by the reporting researcher (Christian Schneider)
2014-03-20 Reported to vendor that first patch could by bypassed
meanwhile Conversation about fix strategies between vendor and reporting researcher
2014-03-26 Reply from vendor with updated patch (version 1.0.36 and 1.1.49)
meanwhile Verification of the patch by reporting researcher + vendor informed customers
2014-06-01 Advisory published in coordination with vendor via BugTraq

References

http://www.christian-schneider.net/advisories/CVE-2014-2233.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAlOLV74ACgkQXYAsOfddvFPrWgCgjqejfrV/Ro2b8aC4RQ+UHdGG
AoEAmgN82HZQgDspcd25PJxSBxXWalBw
=nu9C
-----END PGP SIGNATURE-----

Related

securityvulns 2
cve 2
prion 2
securityvulns
securityvulns
CVE-2014-2232 - "Absolute Path Traversal" (CWE-36) vulnerability in "infoware MapSuite"
2014-06-14 00:00:00
Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
2014-06-14 00:00:00
cve
cve
CVE-2014-2233
2014-12-01 15:59:00
CVE-2014-2232
2014-12-01 15:59:00
prion
prion
Server side request forgery (ssrf)
2014-12-01 15:59:00
Path traversal
2014-12-01 15:59:00
JSON
Related for SECURITYVULNS:DOC:30846
securityvulns2cve2prion2