dotDefender <= 4.26 WAF format string vulnerability

2012.11.16
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Vendor/product description:
---------------------------
dotDefender is a web application security solution (a Web Application Firewall, or WAF) that offers strong, proactive security for your websites and web applications.

URL: http://www.applicure.com/Products/dotdefender

Vulnerability overview/description:
-----------------------------------
dotDefender displays an error page when blocking an attack. The error page is generated from a template which can contain various template variables. These variables are expanded into a buffer first, the result of which is then passed to AP_PRINTF() without checking for format string identifiers. Any remaining format strings are interpreted by AP_PRINTF(), allowing for a format string injection attack.

This is immediately exploitable by an unauthenticated attacker if the <%IP%> template tag is used in the error page (not the case in the default template). In this case an attacker can inject format strings in the "Host"-header. Other attack vectors may exist if the attacker manages to access the dotDefender web interface which requires a password.

Successful exploitation allows an attacker to execute arbitrary code on the server.

Proof of concept:
-----------------
No proof-of-concept exploit will be released.

Vulnerable / tested versions:
-----------------------------
The vulnerability has been tested with dotDefender 4.26 for Linux/Apache. dotDefender for Windows is not affected.

Vendor contact timeline:
------------------------
2012-10-17: Contacted vendor
2012-11: Fixed version is released
2012-11-15: SEC Consult releases security advisory

Solution:
---------
Upgrade to at least version 5.00 of dotDefender for Linux: http://www.applicure.com/download-latest

Advisory URL:
--------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~
The SEC Consult Group
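The bug class described in the overview, shown as an added example (not code from dotDefender or from the SEC Consult advisory): template tags are expanded into a buffer, and the fix is to hand that buffer to the printf-style call only as an argument, never as the format. The function names, buffer sizes and the sample header value are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical expander: copies tmpl into out, replacing each "<%IP%>" tag
 * with value. Returns 0 on success, -1 if out is too small. */
static int expand_template(char *out, size_t n, const char *tmpl, const char *value)
{
    static const char tag[] = "<%IP%>";
    size_t used = 0, vlen = strlen(value), tlen = sizeof(tag) - 1;

    while (*tmpl) {
        if (strncmp(tmpl, tag, tlen) == 0) {
            if (used + vlen >= n) return -1;      /* keep room for the NUL */
            memcpy(out + used, value, vlen);
            used += vlen;
            tmpl += tlen;
        } else {
            if (used + 1 >= n) return -1;
            out[used++] = *tmpl++;
        }
    }
    out[used] = '\0';
    return 0;
}

/* Flawed pattern from the overview: the expanded buffer itself is passed as
 * the format argument, so any '%' sequence left in it after expansion is
 * interpreted as a conversion specifier.
 * Corrected pattern below: constant format, expanded text is only data. */
static int render_error_page(char *page, size_t n, const char *tmpl, const char *host)
{
    char expanded[512];
    if (expand_template(expanded, sizeof(expanded), tmpl, host) != 0)
        return -1;
    int w = snprintf(page, n, "%s", expanded);    /* format is a literal */
    return (w < 0 || (size_t)w >= n) ? -1 : 0;    /* reject truncation */
}

int main(void)
{
    char page[512];
    /* Constructed sample: a request-derived value containing specifiers. */
    if (render_error_page(page, sizeof(page), "Blocked request from <%IP%>\n", "%x.%x.example") == 0)
        fputs(page, stdout);
    return 0;
}
```

Building with `-Wformat -Wformat-security` (GCC and Clang) flags calls where a non-literal buffer is used as the format argument.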

References:

https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
http://www.applicure.com/Products/dotdefender

