Infoware MapSuite Server-Side Request Forgery

2014.06.04
Credit: Christian
Risk: Low
Local: No
Remote: Yes
CVE: CVE-2014-2233 | CVE-2014-2232
CWE: CWE-918

CVE-2014-2233 =================== "Server-Side Request Forgery" (CWE-918) vulnerability in "infoware MapSuite" Vendor =================== infoware GmbH Product =================== MapSuite Affected versions =================== This vulnerability affects versions of MapSuite MapAPI prior to 1.0.36 and 1.1.49 Fixed versions =================== MapSuite MapAPI 1.0.36 and 1.1.49 Both patches are available since 2014-03-26. Reported by =================== This issue was reported to the vendor by Christian Schneider (@cschneider4711) following a responsible disclosure process. Severity =================== Medium Exploitability =================== No authentication required Description =================== Using a specially crafted URL to access the MapAPI it is possible to issue HTTP(S) GET requests originating from the attacked server (behind the firewall) and to read the response. This enables attackers to access web servers that are not exposed to be accessed from the internet and thus allows to pivot further into the targeted network. Proof of concept =================== Due to the responsible disclosure process chosen and to not harm unpatched systems, no concrete exploit code will be presented in this advisory. Migration =================== MapSuite MapAPI 1.0.x users should upgrade to 1.0.36 or later as soon as possible. MapSuite MapAPI 1.1.x users should upgrade to 1.1.49 or later as soon as possible. See also =================== CVE-2014-2232 as another vulnerability in the same module, which can be exploited as an Absolute Path Traversal via the same input parameter. Timeline =================== 2014-02-20 Vulnerability discovered 2014-02-20 Vulnerability responsibly reported to vendor 2014-02-21 Reply from vendor acknowledging report 2014-02-26 Reply from vendor with first patch (version 1.0.34 and 1.1.47) meanwhile Testing of the patch by the reporting researcher (Christian Schneider) 2014-03-20 Reported to vendor that first patch could by bypassed meanwhile Conversation about fix strategies between vendor and reporting researcher 2014-03-26 Reply from vendor with updated patch (version 1.0.36 and 1.1.49) meanwhile Verification of the patch by reporting researcher + vendor informed customers 2014-06-01 Advisory published in coordination with vendor via BugTraq References =================== http://www.christian-schneider.net/advisories/CVE-2014-2233.txt

References:

http://www.christian-schneider.net/advisories/CVE-2014-2233.txt


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top