=== LSE Leading Security Experts GmbH - Security Advisory 2014-04-10 === Sitepark Information Enterprise Server (IES) - Unauthenticated Access --------------------------------------------------------------------- Affected Versions ================= Information Enterprise Server (IES) Version 2.9 until 2.9.6 Issue Overview ============== Technical Risk: high Likelihood of Exploitation: medium Vendor: Sitepark GmbH Credits: LSE Leading Security Experts GmbH employees Markus Vervier and Sascha Kettler Advisory URL: https://www.lsexperts.de/advisories/lse-2014-04-10.txt Advisory Status: Public CVE-Number: CVE-2014-3006 Issue Description ================= While conducting a penetration test LSE Leading Security Experts GmbH discovered that the installer of the Information Enterprise Server (IES) was available to unauthenticated users over HTTP. When updating from previous versions of IES, an installation form was not disabled after installation. In this case the servlet "/ies/install" was exposed to unauthenticated users. By accessing the servlet at URI "/ies/install/" on an affected IES server, an unauthenticated attacker was able to set a new password for the manager account. Additionally sensitive information regarding the IES installation was displayed. Temporary Workaround and Fix ============================ LSE Leading Security Experts GmbH advises to prevent access to the URI "/ies/install/" by configuring web servers or proxy servers accordingly. For example using the Apache webserver a "Directory" directive would be needed: Order Deny,Allow Deny from all Satisfy all A hotfix is available from the vendor via the automatic update functionality for IES versions 2.9 until 2.9.6. Impact ====== An attacker is able to learn the license key and sensitive directory names of the IES. Additionally the password for the account "manager" can be reset which grants full access rights with the management role. According to the vendor this issue affects only installations that are updated from previous versions of IES to versions 2.9 until 2.9.6. History ======= 2014-04-02 Issue discovered 2014-04-03 Vendor informed by customer, Vendor released hotfix and updated managed installations 2014-04-16 Permission of customer for advisory 2014-04-16 Direct vendor contact 2014-04-22 Vendor reply 2014-04-27 CVE assigned 2014-04-30 Advisory publicly released -- http://www.lsexperts.de LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt Tel: +49 6151 86086-0, Fax: -299 Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649 Geschaeftsfuehrer: Oliver Michel, Sven Walther