exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Infoware MapSuite Server-Side Request Forgery

Infoware MapSuite Server-Side Request Forgery
Posted Jun 3, 2014
Authored by Christian Schneider | Site christian-schneider.net

Infoware MapSuite MapAPI versions prior to 1.0.36 and 1.1.49 suffer from a server-side request forgery vulnerability.

tags | advisory
advisories | CVE-2014-2233
SHA-256 | f817a9ede9c3d3be1b53a712a7d5ad315b452b0e0d7c0f60418a333f6e823954

Infoware MapSuite Server-Side Request Forgery

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



CVE-2014-2233
===================
"Server-Side Request Forgery" (CWE-918) vulnerability in "infoware MapSuite"


Vendor
===================
infoware GmbH


Product
===================
MapSuite


Affected versions
===================
This vulnerability affects versions of MapSuite MapAPI prior to 1.0.36 and 1.1.49


Fixed versions
===================
MapSuite MapAPI 1.0.36 and 1.1.49
Both patches are available since 2014-03-26.


Reported by
===================
This issue was reported to the vendor by Christian Schneider (@cschneider4711)
following a responsible disclosure process.


Severity
===================
Medium


Exploitability
===================
No authentication required


Description
===================
Using a specially crafted URL to access the MapAPI it is possible to issue
HTTP(S) GET requests originating from the attacked server (behind the firewall)
and to read the response. This enables attackers to access web servers that are not
exposed to be accessed from the internet and thus allows to pivot further into the
targeted network.


Proof of concept
===================
Due to the responsible disclosure process chosen and to not harm unpatched systems,
no concrete exploit code will be presented in this advisory.


Migration
===================
MapSuite MapAPI 1.0.x users should upgrade to 1.0.36 or later as soon as possible.
MapSuite MapAPI 1.1.x users should upgrade to 1.1.49 or later as soon as possible.


See also
===================
CVE-2014-2232 as another vulnerability in the same module, which can be exploited
as an Absolute Path Traversal via the same input parameter.


Timeline
===================
2014-02-20 Vulnerability discovered
2014-02-20 Vulnerability responsibly reported to vendor
2014-02-21 Reply from vendor acknowledging report
2014-02-26 Reply from vendor with first patch (version 1.0.34 and 1.1.47)
meanwhile Testing of the patch by the reporting researcher (Christian Schneider)
2014-03-20 Reported to vendor that first patch could by bypassed
meanwhile Conversation about fix strategies between vendor and reporting researcher
2014-03-26 Reply from vendor with updated patch (version 1.0.36 and 1.1.49)
meanwhile Verification of the patch by reporting researcher + vendor informed customers
2014-06-01 Advisory published in coordination with vendor via BugTraq


References
===================
http://www.christian-schneider.net/advisories/CVE-2014-2233.txt



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAlOLV74ACgkQXYAsOfddvFPrWgCgjqejfrV/Ro2b8aC4RQ+UHdGG
AoEAmgN82HZQgDspcd25PJxSBxXWalBw
=nu9C
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close