exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Sitepark Information Enterprise Server 2.9 Unauthenticated Access

Sitepark Information Enterprise Server 2.9 Unauthenticated Access
Posted May 1, 2014
Authored by Markus Vervier, Sascha Kettler | Site lsexperts.de

LSE discovered that the installer of the Information Enterprise Server (IES) was available to unauthenticated users over HTTP. When updating from previous versions of IES, an installation form was not disabled after installation. In this case the servlet "/ies/install" was exposed to unauthenticated users. By accessing the servlet at URI "/ies/install/" on an affected IES server, an unauthenticated attacker was able to set a new password for the manager account. Additionally sensitive information regarding the IES installation was displayed.

tags | advisory, web
advisories | CVE-2014-3006
SHA-256 | a3bd5fbb77d7da353b590c6fc5e71a5468197a93c7835a587b10d09fad706a47

Sitepark Information Enterprise Server 2.9 Unauthenticated Access

Change Mirror Download
=== LSE Leading Security Experts GmbH - Security Advisory 2014-04-10 ===

Sitepark Information Enterprise Server (IES) - Unauthenticated Access
---------------------------------------------------------------------

Affected Versions
=================
Information Enterprise Server (IES) Version 2.9 until 2.9.6

Issue Overview
==============
Technical Risk: high
Likelihood of Exploitation: medium
Vendor: Sitepark GmbH
Credits: LSE Leading Security Experts GmbH employees
Markus Vervier and Sascha Kettler
Advisory URL: https://www.lsexperts.de/advisories/lse-2014-04-10.txt
Advisory Status: Public
CVE-Number: CVE-2014-3006

Issue Description
=================
While conducting a penetration test LSE Leading Security Experts GmbH
discovered that the installer of the Information Enterprise Server (IES)
was available to unauthenticated users over HTTP.

When updating from previous versions of IES, an installation form was not
disabled after installation. In this case the servlet "/ies/install" was
exposed to unauthenticated users.

By accessing the servlet at URI "/ies/install/" on an affected IES server,
an unauthenticated attacker was able to set a new password for the manager
account. Additionally sensitive information regarding the IES
installation was displayed.

Temporary Workaround and Fix
============================
LSE Leading Security Experts GmbH advises to prevent access to the
URI "/ies/install/" by configuring web servers or proxy servers accordingly.
For example using the Apache webserver a "Directory" directive would be
needed:

<Location /ies/install>
Order Deny,Allow
Deny from all
Satisfy all
</Location>

A hotfix is available from the vendor via the automatic update functionality
for IES versions 2.9 until 2.9.6.

Impact
======
An attacker is able to learn the license key and sensitive directory names
of the IES. Additionally the password for the account "manager" can be
reset which grants full access rights with the management role.

According to the vendor this issue affects only installations that are
updated from previous versions of IES to versions 2.9 until 2.9.6.

History
=======
2014-04-02 Issue discovered
2014-04-03 Vendor informed by customer, Vendor released hotfix and
updated managed installations
2014-04-16 Permission of customer for advisory
2014-04-16 Direct vendor contact
2014-04-22 Vendor reply
2014-04-27 CVE assigned
2014-04-30 Advisory publicly released


--
http://www.lsexperts.de
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Tel: +49 6151 86086-0, Fax: -299
Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Geschaeftsfuehrer: Oliver Michel, Sven Walther

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close