Web application abuses : VDG Security Sense <= 2.3.13 Multiple Vulnerabilities

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 146377 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.805033

Categoría: Web application abuses

Título: VDG Security Sense <= 2.3.13 Multiple Vulnerabilities - Active Check

Resumen: VDG Security Sense is prone to multiple vulnerabilities.

Descripción: Summary:
VDG Security Sense is prone to multiple vulnerabilities.

Vulnerability Insight:
The following vulnerabilities exist:

- An input is not properly sanitized when handling HTTP authorization headers.

- The program transmitting configuration information in cleartext.

- The 'root' account has a password of 'ArpaRomaWi', the 'postgres' account has a password of
'!DVService', and the 'NTP' account has a password of '!DVService', these accounts are publicly
known and documented.

- The program returning the contents of the users.ini file in authentication responses.

- The user-supplied input is not properly validated when passed via the username or password in
AuthenticateUser requests.

- The program not properly sanitizing user input, specifically path traversal style attacks
(e.g. '../') in a URI.

Vulnerability Impact:
Successful exploitation will allow attacker to read arbitrary
files, bypass authentication mechanisms and cause a stack-based buffer overflow, resulting in a
denial of service or potentially allowing the execution of arbitrary code.

Affected Software/OS:
VDG Security SENSE (formerly DIVA) 2.3.13 and probably prior.

Solution:
No known solution was made available for at least one year
since the disclosure of this vulnerability. Likely none will be provided anymore. General
solution options are to upgrade to a newer release, disable respective features, remove the
product or replace the product by another one.

CVSS Score:
7.5

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2014-9451
BugTraq ID: 71736
http://www.securityfocus.com/bid/71736
http://seclists.org/fulldisclosure/2014/Dec/76
http://packetstormsecurity.com/files/129656/VDG-Security-SENSE-2.3.13-File-Disclosure-Bypass-Buffer-Overflow.html
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20141218-0_VDG_Security_SENSE_Multiple_critical_vulnerabilities_v10.txt
XForce ISS Database: sense-authenticateuser-bo(99334)
https://exchange.xforce.ibmcloud.com/vulnerabilities/99334
Common Vulnerability Exposure (CVE) ID: CVE-2014-9452
XForce ISS Database: sense-multiple-dir-traversal(99331)
https://exchange.xforce.ibmcloud.com/vulnerabilities/99331

Copyright Copyright (C) 2015 Greenbone AG

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.805033
Categoría:	Web application abuses
Título:	VDG Security Sense <= 2.3.13 Multiple Vulnerabilities - Active Check
Resumen:	VDG Security Sense is prone to multiple vulnerabilities.
Descripción:	Summary: VDG Security Sense is prone to multiple vulnerabilities. Vulnerability Insight: The following vulnerabilities exist: - An input is not properly sanitized when handling HTTP authorization headers. - The program transmitting configuration information in cleartext. - The 'root' account has a password of 'ArpaRomaWi', the 'postgres' account has a password of '!DVService', and the 'NTP' account has a password of '!DVService', these accounts are publicly known and documented. - The program returning the contents of the users.ini file in authentication responses. - The user-supplied input is not properly validated when passed via the username or password in AuthenticateUser requests. - The program not properly sanitizing user input, specifically path traversal style attacks (e.g. '../') in a URI. Vulnerability Impact: Successful exploitation will allow attacker to read arbitrary files, bypass authentication mechanisms and cause a stack-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. Affected Software/OS: VDG Security SENSE (formerly DIVA) 2.3.13 and probably prior. Solution: No known solution was made available for at least one year since the disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one. CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2014-9451 BugTraq ID: 71736 http://www.securityfocus.com/bid/71736 http://seclists.org/fulldisclosure/2014/Dec/76 http://packetstormsecurity.com/files/129656/VDG-Security-SENSE-2.3.13-File-Disclosure-Bypass-Buffer-Overflow.html https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20141218-0_VDG_Security_SENSE_Multiple_critical_vulnerabilities_v10.txt XForce ISS Database: sense-authenticateuser-bo(99334) https://exchange.xforce.ibmcloud.com/vulnerabilities/99334 Common Vulnerability Exposure (CVE) ID: CVE-2014-9452 XForce ISS Database: sense-multiple-dir-traversal(99331) https://exchange.xforce.ibmcloud.com/vulnerabilities/99331
Copyright	Copyright (C) 2015 Greenbone AG