accept no compromises

Censorship Professional 4 2.1.7 XSS / SQL Injection

Censorship Professional 4 2.1.7 XSS / SQL Injection
Posted Apr 4, 2013
Authored by M. Heinzl | Site sec-consult.com

Censorship Professional version 4 2.1.7 suffers from cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
MD5 | a2aeaba50845a81ec03aa42e6776be54

Censorship Professional 4 2.1.7 XSS / SQL Injection

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20130404-0 >
=======================================================================
title: Multiple Vulnerabilities
product: Censornet Professional v4 (2.1.7)
vulnerable version: 2.1.7
fixed version:
impact: high
homepage: http://www.censornet.com/
found: 2013-02-06
by: M. Heinzl
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
CensorNet Ltd is an established player in the Internet Security market with a
focus on web content and e-mail content management.

With a broad portfolio of products to suit customers, channel partners and
service providers, CensorNet strives to provide flexible and feature-packed
products that are affordable to all types of organization. CensorNet products
allow stakeholders to quickly and easily implement an Acceptable Usage Policy
for Internet access, helping them to improve productivity, increase security,
comply with regulations and reduce administrative burden. CensorNet Ltd is
headquartered in the United Kingdom and sells globally via an established
channel partner network.

Source: http://www.censornet.com/en/about


Vulnerability overview/description:
-----------------------------------
Censornet Professional v4 suffers from multiple Cross-Site Scripting and SQL
Injection vulnerabilities which can be exploited by an authenticated attacker.


Proof of concepts:
-----------------
Detailed proof of concept URLs and exploits have been removed from this
advisory as no vendor patch is available.


1) Reflective Cross-Site Scripting Vulnerability

When doing a "Site Lookup" through "Filters > Content classified (Site
Lookup)", JavaScript code can be inserted into the parameter "lookup_url":

[...]

2) Multiple Stored Cross-Site Scripting Vulnerabilities

Multiple parameters of the Censornet Professional v4 appliaction are prone to
stored Cross-Site Scripting attacks. Amongst others, the configuration of the
"Parent Proxy Settings" ("System > Configuration > Parent Proxy Settings"),
contain many vulnerable parameters:
- parentproxyaddress
- parentproxyport
- parentproxyusername
- parentproxypassword
- parentproxyaddressssl
- parentproxyportssl
- parentproxyusernamessl
- parentproxypasswordssl

Request:

[...]

The sample applies to the parameters of "System Alerts" ("Configuration >
System Alerts"):
- load
- ram
- disk

Request:

[...]

3) Multiple SQL Injection Vulnerabilities

Multiple SQL injection vulnerabilities exist within the Censornet Professional
v4 product. Malicious authenticated users can exploit these flaws to
manipulate the queries sent to the PostgreSQL database.

When creating a new report ("Reports > New Custom Report"), the following
parameters are vulnerable:
- report_items
- report_name
- date_range
- username_comparison
- username_specificvalue
- usergroups_comparison
- usergroups_specificvalue
- workstation_comparison
- workstation_specificvalue
- workstationgroups_comparison
- workstationgroups_specificvalue
- url_comparison
- url_specificvalue
- policy_comparison
- policy_specificvalue
- ...

"Reports > View Custom Report":
- predicate
- report_name
- table
- ...

"Reports > Manage Custom Reports":
- filter
- ...

"Filters > Custom URL Module > Categories":
- newcategory
- ...

"Policies > New Policy":
- policy_name
- policy_description
- colorpicker
- access_level
- conflicts
- block_nocat
- time_quota
- ...

"Objects > New User":
- id
- ...

"Objects > New Computer":
- new_workstation_name
- new_workstation_addr
- group
- ...

"Objects > New Administrator":
- module_items
- new_user_name
- ...

"Objects > New Manager":
- group_items
- new_manager_email
- new_manager_period
- ...


Vulnerable / tested versions:
-----------------------------
Censornet Professional v4 (2.1.7)


Vendor contact timeline:
------------------------
2013-02-12: Contacting vendor through info@censornet.com
2013-02-20: Contacting vendor again through info@censornet.com,
sales@censornet.com, support@censornet.com and support formular
(http://www.censornet.com/en/support/ticket) since no reply was
received so far
2013-02-27: Informing vendor about the release of the advisory on 2013-04-03.
2013-04-04: No further response from vendor. Advisory published according to
the SEC Consult's responsible disclosure policy.


Solution:
---------
None


Workaround:
-----------
Restrict access to trusted users only.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com

EOF M. Heinzl / @2013


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close