Security Advisory --------------------------------------- Vulnerable Software: radware AppWall Web Application Firewall Vulnerable Version: Gateway Version 4.6.0.2 / AppWall Version 1.0.2.6 Homepage: http://www.radware.com/ Found by: Michael Kirchner, Wolfgang Neudorfer, Lukas Nothdurfter (Team h4ck!nb3rg) Impact: Source code disclosure on management interface Product Description --------------------------------------- Radware's AppWall is a Web application firewall (WAF) appliance that secures Web applications. It enables PCI compliance by mitigating Web application security threats and vulnerabilities to prevent data theft and manipulation of sensitive corporate and customer information. AppWall incorporates advanced, patent-protected Web application security filtering technologies to seamlessly detect threats, block attacks and report events. [Source: http://www.radware.com/Products/ApplicationDelivery/AppWall/default.aspx ] Vulnerability Description --------------------------------------- The radware AppWall Web Application Firewall operates as a reverse proxy between the clients and the web server to be protected. All HTTP requests are checked before being forwarded to the web server. The system can be administered via a seperate management interface which is normally not accessible for external users. The web interface is realised using the PHP programming language. Some of the functionality is stored in include files and embedded when needed. The files have a *.inc extension and are not interpreted by the web server. A user/attacker with access to the web management interface can therefore access parts of the product source code by requesting the included files directly. Proof of Conept --------------------------------------- The following example requests reveal product source code enabling an attacker to search for further implementation vulnerabilities: https://appwall/Management/funcs.inc https://appwall/Management/defines.inc https://appwall/Management/msg.inc Vulnerable Versions --------------------------------------- The tested version was Gateway Version 4.6.0.2 / AppWall Version 1.0.2.6. Prior versions are also likely to be vulnerable. Patch --------------------------------------- Currently we are not aware of any patch or update available. Contact Timeline --------------------------------------- 2009-06-01: Vendor informed 2009-06-15: No response yet. Vendor contacted again. 2009-06-15: Initial vendor reply (Support ticket opened) 2009-07-01: No response yet as far as the vulnerability is concerned. Public release Further information --------------------------------------- Information about the web application firewall project this advisory originates from can be found at: http://www.h4ck1nb3rg.at/wafs/