Censorship Professional 4 2.1.7 XSS / SQL Injection

2013-04-04T00:00:00
ID PACKETSTORM:121079
Type packetstorm
Reporter M. Heinzl
Modified 2013-04-04T00:00:00

Description

                                        
                                            `SEC Consult Vulnerability Lab Security Advisory < 20130404-0 >  
=======================================================================  
title: Multiple Vulnerabilities  
product: Censornet Professional v4 (2.1.7)  
vulnerable version: 2.1.7  
fixed version:  
impact: high  
homepage: http://www.censornet.com/  
found: 2013-02-06  
by: M. Heinzl  
SEC Consult Vulnerability Lab  
https://www.sec-consult.com  
=======================================================================  
  
Vendor description:  
-------------------  
CensorNet Ltd is an established player in the Internet Security market with a  
focus on web content and e-mail content management.  
  
With a broad portfolio of products to suit customers, channel partners and  
service providers, CensorNet strives to provide flexible and feature-packed  
products that are affordable to all types of organization. CensorNet products  
allow stakeholders to quickly and easily implement an Acceptable Usage Policy  
for Internet access, helping them to improve productivity, increase security,  
comply with regulations and reduce administrative burden. CensorNet Ltd is  
headquartered in the United Kingdom and sells globally via an established  
channel partner network.  
  
Source: http://www.censornet.com/en/about  
  
  
Vulnerability overview/description:  
-----------------------------------  
Censornet Professional v4 suffers from multiple Cross-Site Scripting and SQL  
Injection vulnerabilities which can be exploited by an authenticated attacker.  
  
  
Proof of concepts:  
-----------------  
Detailed proof of concept URLs and exploits have been removed from this  
advisory as no vendor patch is available.  
  
  
1) Reflective Cross-Site Scripting Vulnerability  
  
When doing a "Site Lookup" through "Filters > Content classified (Site  
Lookup)", JavaScript code can be inserted into the parameter "lookup_url":  
  
[...]  
  
2) Multiple Stored Cross-Site Scripting Vulnerabilities  
  
Multiple parameters of the Censornet Professional v4 appliaction are prone to  
stored Cross-Site Scripting attacks. Amongst others, the configuration of the  
"Parent Proxy Settings" ("System > Configuration > Parent Proxy Settings"),  
contain many vulnerable parameters:  
- parentproxyaddress  
- parentproxyport  
- parentproxyusername  
- parentproxypassword  
- parentproxyaddressssl  
- parentproxyportssl  
- parentproxyusernamessl  
- parentproxypasswordssl  
  
Request:  
  
[...]  
  
The sample applies to the parameters of "System Alerts" ("Configuration >  
System Alerts"):  
- load  
- ram  
- disk  
  
Request:  
  
[...]  
  
3) Multiple SQL Injection Vulnerabilities  
  
Multiple SQL injection vulnerabilities exist within the Censornet Professional  
v4 product. Malicious authenticated users can exploit these flaws to  
manipulate the queries sent to the PostgreSQL database.  
  
When creating a new report ("Reports > New Custom Report"), the following  
parameters are vulnerable:  
- report_items  
- report_name  
- date_range  
- username_comparison  
- username_specificvalue  
- usergroups_comparison  
- usergroups_specificvalue  
- workstation_comparison  
- workstation_specificvalue  
- workstationgroups_comparison  
- workstationgroups_specificvalue  
- url_comparison  
- url_specificvalue  
- policy_comparison  
- policy_specificvalue  
- ...  
  
"Reports > View Custom Report":  
- predicate  
- report_name  
- table  
- ...  
  
"Reports > Manage Custom Reports":  
- filter  
- ...  
  
"Filters > Custom URL Module > Categories":  
- newcategory  
- ...  
  
"Policies > New Policy":  
- policy_name  
- policy_description  
- colorpicker  
- access_level  
- conflicts  
- block_nocat  
- time_quota  
- ...  
  
"Objects > New User":  
- id  
- ...  
  
"Objects > New Computer":  
- new_workstation_name  
- new_workstation_addr  
- group  
- ...  
  
"Objects > New Administrator":  
- module_items  
- new_user_name  
- ...  
  
"Objects > New Manager":  
- group_items  
- new_manager_email  
- new_manager_period  
- ...  
  
  
Vulnerable / tested versions:  
-----------------------------  
Censornet Professional v4 (2.1.7)  
  
  
Vendor contact timeline:  
------------------------  
2013-02-12: Contacting vendor through info@censornet.com  
2013-02-20: Contacting vendor again through info@censornet.com,  
sales@censornet.com, support@censornet.com and support formular  
(http://www.censornet.com/en/support/ticket) since no reply was  
received so far  
2013-02-27: Informing vendor about the release of the advisory on 2013-04-03.  
2013-04-04: No further response from vendor. Advisory published according to  
the SEC Consult's responsible disclosure policy.  
  
  
Solution:  
---------  
None  
  
  
Workaround:  
-----------  
Restrict access to trusted users only.  
  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Unternehmensberatung GmbH  
  
Office Vienna  
Mooslackengasse 17  
A-1190 Vienna  
Austria  
  
Tel.: +43 / 1 / 890 30 43 - 0  
Fax.: +43 / 1 / 890 30 43 - 25  
Mail: research at sec-consult dot com  
https://www.sec-consult.com  
  
EOF M. Heinzl / @2013  
  
  
`