Vulnerabilities in ProcessMaker, WebFOCUS, and OpenFire Identified and Patched

ID TALOSBLOG:DF9A2CC9772323EC07539E516C6A5686
Type talosblog
Reporter (Alexander Chiu)
Modified 2017-07-19T16:13:58


Today, Talos is disclosing several vulnerabilities that have been identified by Portcullis in various software products. All four vulnerabilities have been responsibly disclosed to each respective developer in order ensure they are addressed. In order better protect our customers, Talos has also developed Snort rules that detect attempts to exploit these vulnerabilities. <br /><br /><h2 id="h.l862uujwcanq">Vulnerability Details</h2><h3 id="h.mo0h2wj54m95">TALOS-2017-0313 (CVE-2016-9048) ProcessMaker Enterprise Core Multiple SQL Injection Vulnerabilities</h3>TALOS-2017-0313 was identified by Jerzy Kramarz of Portcullis.<br /><br /><a href="">TALOS-2017-0313</a> encompasses multiple SQL injection vulnerabilities in <a href="">ProcessMarker</a> Enterprise Core These vulnerabilities manifest as a result of improperly sanitizing input received in web requests. An attacker who transmits a specifically crafted web request to an affected server with parameters containing SQL injection attacks could trigger this vulnerability. This could allow exfiltration of the database information, user credentials, and in certain configuration access the underlying operating system.<br /><a name='more'></a><br /><br /><h3 id="h.u2zfk514bpmv">TALOS-2017-0314 (CVE-2016-9045) - ProcessMaker Enterprise Core Code Execution Vulnerability</h3>TALOS-2017-0314 was identified by Jerzy Kramarz of Portcullis.<br /><br /><a href="">TALOS-2017-0314</a> is a remote code execution vulnerability in <a href="">ProcessMarker</a> Enterprise Core A specially crafted web request can cause unsafe deserialization, potentially resulting in arbitrary PHP code execution. Exploitation of this vulnerability could be achieved if an attacker transmits a specifically crafted web parameter to an affected server, triggering this vulnerability. <br /><br /><h3 id="h.8z71vplucaez">TALOS-2017-0315 (CVE-2016-9044) - Information Builders WebFOCUS Business Intelligence Portal Command Execution Vulnerability</h3>TALOS-2017-0315 was identified by Alfonso Alguacil and Georgios Papakyriakopoulos of Portcullis.<br /><br /><a href="">TALOS-2017-0315</a> is an arbitrary command execution vulnerability in Information Builders <a href="">WebFOCUS</a> Business Intelligence Portal 8.1. This vulnerability manifests due to improperly sanitizing and handling input received via a web request. TALOS-2017-0315 is exploitable if an attacker transmits a specifically crafted web request to an affected server while logged into the application, triggering this vulnerability. Unauthenticated users are not able to exploit this vulnerability.<br /><br /><h3 id="h.vogqph7weklf">TALOS-2017-0316 (CVE-2017-2815) - XML External Entity Injection In Open Fire User Import Export Plugin</h3>TALOS-2017-0316 was identified by Jerzy Kramarz, Michail Sarantidis, Rafael Gil Larios, Giovani Cattani, and Anton Garcia of Portcullis.<br /><br /><a href="">TALOS-2017-0316</a> is a XML External Entity injection attack in the <a href="">OpenFire</a> User Import Export Plugin. TALOS-2017-0316 manifests due to improperly handling unsanitized user input. Exploitation of this vulnerability could allow an attacker to retrieve arbitrary files or create a denial of service condition (by making the server read from a file such as '/dev/random'). Attackers could also reference URLs, potentially allowing port scanning from the XML parser's host, or the retrieve sensitive web content that would otherwise be inaccessible.<br /><br /><h2 id="h.buhka1mosi6o">Coverage</h2>Talos has developed the following Snort rules detect attempts to exploit these vulnerabilities. Note that these rules are subject to change pending additional vulnerability information. For the most current information, please visit your Firepower Management Center or<br /><br />Snort Rules: <br /><ul><li>42244-42252</li><li>42290</li></ul><br />For other vulnerabilities Talos has disclosed, please refer to our Vulnerability Report Portal: <a href=""></a><br /><br />To review our Vulnerability Disclosure Policy, please visit this site:<br /><br /><a href=""></a><br /><br /><div class="feedflare"> <a href=""><img src="" border="0"></img></a> </div><img src="" height="1" width="1" alt=""/>