Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:3608
HistoryOct 10, 2002 - 12:00 a.m.

Four Vulnerabilities in SurfControl's SuperScout Email Filter Administrative Server

2002-10-1000:00:00
vulners.com
26
JSON

Please note these vulnerabilities are not the ones mentioned by Matt
Moore last week.

I've been working with SurfControl for a few months now to resolve these
issues in the Administrative Web interface for the SuperScout Email
Filter. (Read: I discovered these vulnerabilities independently, before
Matt Moore's post.)

SurfControl released a fix. Please contact them for it.

Now on with the disclosure.

The four SurfControl vulnerabilities are as follows:
1) a cross-site scripting vulnerability
2) user name and password exposure
3) Content-Length GET Denial of Service
4) Incomplete GET Request Denial of Service

The executable effected is STEMWADM.

1) Cross-Site Scripting Issue
As Matt Moore explained, the product does not filter user input. The
user does not need to be authenticated to have the following executed
against their browser.

Normal Error:
http://<IPAddress>/web/msgError.asp?Redirect=login.htm&Reason=Invalid+username+or+password!
XSS Example:
http://<IPAddress>/web/msgError.asp?Redirect=loginhtm&Reason=<script>alert(document.cookie);</script>

2) Data Integrity Problem

Any user with access to the URL below will receive the user names and
passwords (in plain text) of every user in the SurfControl
Administrative server.

URL: http://<IP Address>/web/usermgr/userlist.asp

Sample HTML output:

<tr BGCOLOR=#EEEEEE><td><a
href='actions/edituser.asp?User=ken&Password=ken&Enabled=Enabled&[email protected]'
title='Edit user' onMouseOver="window.status='Edit ken';return true;"
onMouseOut="window.status=' ';return true;">ken</a></td><td><b>Enabled</b></td></tr><tr
BGCOLOR=#DDDDDD><td><a
href='actions/edituser.asp?User=test&Password=test&Enabled=Enabled&[email protected]'
title='Edit user' onMouseOver="window.status='Edit test';return true;"
onMouseOut="window.status=' ';return true;">test</a></td><td><b>Enabled</b></td></tr>

3) Denial of Service via missing Content-Length Parameter

If one requests a web page and does not supply a content-length value
the server crashes and must be restarted.

4) Denial of Service via an incomplete GET request

If a GET request is made but does not finish (\r\n\r\n), the server will
continue to wait for the closing characters. As a result no one else may
request a web page, in effect denying service to other administrators.

'ken'@FTU

==================================
'ken'@FTU
http://www.ftusecurity.com
…serving straight HTML since '02

JSON