************************* Netragard, L.L.C Advisory ***************************

                    The Specialist in Anti-Hacking.

[Posting Notice]
-------------------------------------------------------------------------------
If you intend to post this advisory on your web page please create a
clickable link back to the original Netragard advisory as the contents of
the advisory may be updated. The advisory can be found on the Netragard
website at http://www.netragard.com/

For more information about Netragard visit http://www.netragard.com

[Advisory Information]
-------------------------------------------------------------------------------
Contact               : Adriel T. Desautels
Researcher            : Kevin Finisterre
Advisory ID           : NETRAGARD-20070820
Product Name          : CAMAS (Content Management System)
Product Version       : Unknown
Vendor Name           : Cambium Group, LLC.
Type of Vulnerability : Multiple Critical Vulnerabilities
Impact                : Critical
Vendor Notified       : 08/22/2007

[Product Description]
-------------------------------------------------------------------------------
"Cambium Group's content management system (CAMAS) give you independence
from outdated content and expensive "web masters". Let the user-friendly
interface of CAMAS save you time and money with the freedom to manage your
entire web channel yourself."

Taken From:
http://www.cambiumgroup.com/interior.php/pid/3/sid/3

[Technical Summary]
-------------------------------------------------------------------------------
The Cambium Group Content Management System (CAMAS) failed most Open Web
Application Security Project ("OWASP") criteria during testing. Specific
areas of vulnerability that were identified are as follows:

Note: A reference to each is provided at the following URL:

--> https://www.owasp.org/index.php/Category:Vulnerability <--

[+] Authentication Testing (FAIL)
-------------------------------------------------------------------------------
CAMAS does not transport all authentication credentials over a secure
encrypted channel. It is possible to capture users' credentials in transit.

[+] Code Quality Testing (FAIL)
-------------------------------------------------------------------------------
CAMAS does not follow industry best practices as defined by OWASP.
Specifically, CAMAS is missing critical security functionality that leaves
CAMAS powered websites open to attack by Internet-based hackers.

[+] Error Handling Testing (FAIL)
-------------------------------------------------------------------------------
CAMAS is missing proper error handling and event logging capabilities as
defined by OWASP. This lack of proper error handling and logging results in
information leakage that can be used by an attacker to further compromise a
CAMAS powered website.

[+] Input Validation Testing (FAIL)
-------------------------------------------------------------------------------
CAMAS does not perform proper Input Validation. In some areas CAMAS does not
perform any input validation. As a result it is possible to execute
arbitrary database commands against databases that support CAMAS powered
websites. It is also possible to take control of CAMAS powered websites,
databases and web-servers. CAMAS does not use Parameterized Stored
Procedures, which is the industry standard for defending against SQL
Injection.

[+] Logging and Auditing Testing (FAIL)
-------------------------------------------------------------------------------
CAMAS is missing Logging and Auditing functionality as defined by OWASP.

[+] Password Management (FAIL)
-------------------------------------------------------------------------------
CAMAS does not perform proper password storage and management. CAMAS does
not properly support password aging, strong password enforcement, or strong
password cryptographic protection. During testing Netragard was able to
crack 98% of the passwords that were stored by CAMAS.

[+] Sensitive Data Protection Testing (FAIL)
-------------------------------------------------------------------------------
CAMAS does not provide sufficient levels of Data Protection for businesses
whose users use CAMAS powered websites to access sensitive information or to
log in to third party websites through login forms hosted on CAMAS powered
websites.

[Impact]
-------------------------------------------------------------------------------
[Impact varies from installation to installation]

- Theft of customer data
- Hijack online banking portal
- Hijack online banking portal links
- Capture data entered into forms
- Dump database contents
- Alter database contents
- Gain access to server running CAMAS
- Phish using XSS
- Include files from remote locations
- Include files from the file system
- Information Disclosure
- Website Defacement
- etc.

[Proof Of Concept]
-------------------------------------------------------------------------------
Proof of concept code exists but is not provided so as not to increase CAMAS
users' overall risk levels. Any website that reads "Powered by the Cambium
Group, LLC." is a CAMAS powered website.

[Vendor Status and Chronology]
-------------------------------------------------------------------------------
08/06/2007 07:11:57 PM EDT - Vulnerabilities Discovered
08/24/2007 09:38:41 AM EDT - Cambium Group, LLC. Notified in full detail
08/24/2007 10:54:01 AM EDT - Cambium Group, LLC. Responds to Notification
08/27/2007 10:31:30 AM EDT - Conference Call Scheduled
08/29/2007 03:00:00 PM EDT - Held Conference call - Presented Solution
08/29/2007 03:00:00 PM EDT - Communication with the Cambium Group Faded
09/26/2008 11:17:35 PM EDT - Issues remain unfixed
02/09/2009 09:00:00 PM EDT - Issues remain unfixed
02/11/2009 03:44:19 PM EST - Whistle Blower FD Posting
                             (No affiliation to Netragard)
02/11/2009 04:55:20 PM EST - Netragard Prepares Advisory for Release

[Solution]
-------------------------------------------------------------------------------
Netragard strongly recommends that the Cambium Group, LLC. modify CAMAS to
meet OWASP criteria as defined by the OWASP Testing Guide version 3. CAMAS
users can partially or entirely protect themselves by installing a reverse
application proxy such as BlueCoat(tm) or ModSecurity2. Other Content
Management Systems that meet industry best practices with respect to
security might also be considered.

[Disclaimer]
-------------------------------------------------------------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to help
the I.T. community protect themselves against a potentially dangerous
security hole. This advisory is not an attempt to solicit business.

This advisory is also published at:

http://www.netragard.com
-- and --
http://snosoft.blogspot.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
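
The controls named as missing under "[+] Input Validation Testing" and "[+] Password Management" can be pictured with a login check that binds user input as a query parameter and stores only salted, slow password hashes. This is an added example, not CAMAS code and not Netragard's proof of concept; it uses parameterized statements in SQLite rather than stored procedures, and the table, function names and PBKDF2 iteration count are assumptions.

```python
# Added illustration; not CAMAS code. Table, column and function names are hypothetical.
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 600_000  # assumed PBKDF2 work factor for the example; tune per deployment


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash so a dumped table resists offline cracking."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def add_user(conn: sqlite3.Connection, name: str, password: str) -> None:
    salt = os.urandom(16)  # unique per user, stored beside the hash
    conn.execute("INSERT INTO users (name, salt, pw_hash) VALUES (?, ?, ?)",
                 (name, salt, hash_password(password, salt)))


def verify_login(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # The ? placeholder binds `name` as data; it is never spliced into the SQL text.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                       (name,)).fetchone()
    if row is None:
        hash_password(password, b"\x00" * 16)  # keep timing similar for unknown users
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


def demo() -> dict:
    conn = open_db()
    add_user(conn, "o'brien", "correct horse battery staple")  # constructed sample data
    return {
        "good": verify_login(conn, "o'brien", "correct horse battery staple"),
        "wrong_pw": verify_login(conn, "o'brien", "guess"),
        # A name containing quote characters is matched literally, not parsed as SQL.
        "quoted": verify_login(conn, "x' OR '1'='1", "guess"),
        "stored_len": len(conn.execute("SELECT pw_hash FROM users").fetchone()[0]),
    }


if __name__ == "__main__":
    print(demo())
```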