{"cve": [{"lastseen": "2018-10-11T11:33:53", "bulletinFamily": "NVD", "description": "Armorlogic Profense Web Application Firewall before 2.2.22, and 2.4.x before 2.4.4, does not properly implement the \"positive model,\" which allows remote attackers to bypass certain protection mechanisms via a %0A (encoded newline), as demonstrated by a %0A in a cross-site scripting (XSS) attack URL.", "modified": "2018-10-10T15:37:28", "published": "2009-05-21T10:30:00", "id": "CVE-2009-1594", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1594", "title": "CVE-2009-1594", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-11T11:33:53", "bulletinFamily": "NVD", "description": "Armorlogic Profense Web Application Firewall before 2.2.22, and 2.4.x before 2.4.4, does not properly implement the \"negative model,\" which allows remote attackers to conduct cross-site scripting (XSS) attacks via a modified end tag of a SCRIPT element.", "modified": "2018-10-10T15:37:28", "published": "2009-05-21T10:30:00", "id": "CVE-2009-1593", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1593", "title": "CVE-2009-1593", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:30", "bulletinFamily": "software", "description": "____________________________________________________________________________\r\n\r\nArmorlogic Profense Web Application Firewall 2.4 multiple vulnerabilities. \r\n\r\n____________________________________________________________________________\r\n\r\nAn advisory by EnableSecurity. 
\r\nTrustwave published a joint advisory named TWSL2009-001\r\n\r\nID: ES-20090500\r\n\r\nAdvisory URL: \r\nhttp://resources.enablesecurity.com/advisories/ES-20090500-profense.txt\r\n\r\nAffected Versions: versions prior to 2.4.4 and 2.2.22 \r\n\r\nFixed versions: 2.4.4, 2.2.22 and later\r\n\r\nDescription:\r\n\r\nArmorlogic Profense is a Web Application Firewall and load balancing solution.\r\n\r\nFrom their website (armorlogic.com):\r\n"Protecting and securing websites and web applications can be a complicated business. Profense\r\nweb application firewall simplifies protection with an affordable and easy to use, feature rich,\r\nsolution that gives you full PCI DSS 1.1 and 1.2 section 6.6 compliance."\r\n\r\nCredits:\r\n\r\nThese vulnerabilities were discovered during WAF testing by Sandro Gauci of EnableSecurity and\r\nWendel Guglielmetti Henrique of Trustwave's SpiderLabs.\r\nWe worked with the Armorlogic security team to have these security flaws reported and fixed. \r\nWe would like to publicly thank the Armorlogic team for their prompt response!\r\n\r\n__________________________________________________________________\r\n\r\nTechnical details:\r\n\r\nThe following vulnerabilities were identified:\r\n\r\nMajor issues:\r\n - Whitelist / positive model bypass\r\n - Blacklist / negative model bypass\r\n\r\nOther issues:\r\n - static root password exposes administrative interface\r\n\r\n\r\n----------- Major issues -----------\r\n\r\n::::: Whitelist / positive model bypass :::::\r\n\r\nCVE: CVE-2009-1594\r\n\r\nDescription: \r\nProfense Web Application Firewall configured in positive model can be evaded.\r\n\r\nTechnical details:\r\nProfense Web Application Firewall configured to make use of the strong positive model\r\n(white-list approach) can be evaded to launch various attacks including XSS (Cross-Site\r\nScripting), SQL Injection, remote command execution, and others. 
\r\n\r\nThe vulnerability can be reproduced by making use of a URL-encoded newline character. The\r\npattern matching in multi line mode matches any non-hostile line and marks the whole request as\r\nlegitimate, thus allowing the request. This results in a bypass in the positive model. An example\r\nis shown below:\r\n\r\nhttp://testcases/phptest/xss.php?var=%3CEvil%20script%20goes%20here%3E=%0AByPass\r\n\r\n\r\n\r\n::::: Blacklist / negative model bypass :::::\r\n\r\nCVE: CVE-2009-1593\r\n\r\nDescription: Profense Web Application Firewall with default configuration in negative model can\r\nbe evaded to inject XSS.\r\n \r\nTechnical Description:\r\n \r\nVersions 2.4 and 2.2 of Profense Web Application Firewall with the default configuration in\r\nnegative model (blacklist approach) can be evaded to inject XSS (Cross-Site Scripting). The\r\nproblem is due to the built-in core rules that can be abused using the flexibility provided by\r\nHTML and JavaScript.\r\n\r\nThe vulnerability can be reproduced by injecting a common XSS attack in a vulnerable application\r\nprotected by Profense Web Application Firewall. Inserting extra characters in the JavaScript\r\nclose tag will bypass the XSS protection mechanisms. An example is shown below:\r\n\r\n http://testcases/phptest/xss.php?var=%3Cscript%3Ealert(document.cookie)%3C/script%20ByPass%3E\r\n\r\n\r\n::::: Static root password exposes administrative interface :::::\r\n\r\nDescription: Profense Web Application Firewall with default configuration has a default password\r\nhash.\r\n\r\nTechnical Description:\r\n \r\nIn versions 2.4 and 2.2 of Profense Web Application Firewall with the default configuration, the\r\nroot password hash is the same default in all available products. The SSH server is enabled by\r\ndefault on the administrative interface and accepts root authentication using user and password\r\ncredential. The hashing algorithm used is OpenBSD's blowfish password hash which is known to be\r\nstrong. 
However the existence of a static password means that if this password is leaked in some\r\nway or another, then the attacker potentially has access to all exposed administrative\r\ninterfaces. \r\n\r\n\r\n__________________________________________________________________\r\n\r\nExploit code:\r\nAvailable to organizations by contacting info@enablesecurity.com\r\n\r\nTimeline:\r\n\r\nOct 10, 2008: Initial contact.\r\nOct 10, 2008: Confirmation of the vulnerabilities.\r\nOct 11, 2008: Discussion of possible fixes.\r\nOct 13, 2008: Fix from Armorlogic complete.\r\nOct 14, 2008: Fix issued to customers.\r\nMay 13, 2009: Advisory public release.\r\n\r\nSolution:\r\n\r\nUpgrade to the latest version of Profense:\r\nhttp://www.armorlogic.com/\r\n\r\n\r\n\r\n__________________________________________________________________\r\n\r\nAbout EnableSecurity:\r\n\r\nEnableSecurity is dedicated to providing high quality Information Security Consultancy, Research\r\nand Development. EnableSecurity develops security tools such as VOIPPACK (for Immunity CANVAS)\r\nand SIPVicious. EnableSecurity is focused on analysis of security challenges and providing\r\nsolutions to such threats. EnableSecurity works on developing custom targeted security solutions,\r\nas well as working with existing off the shelf security tools to provide the best results for\r\ntheir customers. More info at enablesecurity.com\r\n\r\n\r\nDisclaimer: The information in the advisory is believed to be accurate at the time of publishing\r\nbased on currently available information. Use of the information constitutes acceptance for use\r\nin an AS IS condition. There are no warranties with regard to this information. Neither the\r\nauthor nor the publisher accepts any liability for any direct, indirect, or consequential loss or\r\ndamage arising from use of, or reliance on, this information. 
", "modified": "2009-05-21T00:00:00", "published": "2009-05-21T00:00:00", "id": "SECURITYVULNS:DOC:21855", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:21855", "title": "Armorlogic Profense Web Application Firewall 2.4 multiple vulnerabilities.", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-03T18:15:56", "bulletinFamily": "exploit", "description": "Profense 2.2.20/2.4.2 Web Application Firewall Security Bypass Vulnerabilities. CVE-2009-1593. Webapps exploit for php platform", "modified": "2009-05-20T00:00:00", "published": "2009-05-20T00:00:00", "id": "EDB-ID:33002", "href": "https://www.exploit-db.com/exploits/33002/", "type": "exploitdb", "title": "Profense 2.2.20/2.4.2 Web Application Firewall Security Bypass Vulnerabilities", "sourceData": "source: http://www.securityfocus.com/bid/35053/info\r\n\r\nProfense Web Application Firewall is prone to multiple security-bypass vulnerabilities.\r\n\r\nAn attacker can exploit these issues to bypass certain security restrictions and perform various web-application attacks.\r\n\r\nVersions *prior to* the following are vulnerable:\r\n\r\nProfense 2.4.4\r\nProfense 2.2.22 \r\n\r\nhttp://www.example.com/phptest/xss.php?var=%3CEvil%20script%20goes%20here%3E=%0AByPass\r\nhttp://www.example.com/phptest/xss.php?var=%3Cscript%3Ealert(document.cookie)%3C/script%20ByPass%3E ", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/33002/"}]}