Multiple Vulnerabilities in Censornet Professional v4

SEC Consult Vulnerability Lab Security Advisory < 20130404-0 >

=======================================================================

title: Multiple Vulnerabilities

product: Censornet Professional v4 (2.1.7)

vulnerable version: 2.1.7

fixed version: CVE-2013-2771, CVE-2013-2772

impact: high

homepage: www.censornet.com

found: 2013-02-06

by: M. Heinzl

SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

 

Vendor description:

-------------------

CensorNet Ltd is an established player in the Internet Security market with a

focus on web content and e-mail content management.

 

With a broad portfolio of products to suit customers, channel partners and

service providers, CensorNet strives to provide flexible and feature-packed

products that are affordable to all types of organisation. CensorNet products

allow stakeholders to quickly and easily implement an Acceptable Usage Policy

for Internet access, helping them to improve productivity, increase security,

comply with regulations and reduce administrative burden. CensorNet Ltd is

headquartered in the United Kingdom and sells globally via an established

channel partner network.

 

Source: www.censornet.com/en/about

 

 

Vulnerability overview/description:

-----------------------------------

Censornet Professional v4 suffers from multiple Cross-Site Scripting and SQL

Injection vulnerabilities which can be exploited by an authenticated attacker.

 

 

Proof of concepts:

-----------------

Detailed proof of concept URLs and exploits have been removed from this

advisory as no vendor patch is available.

 

 

1) Reflective Cross-Site Scripting Vulnerability (CVE-2013-2772)

 

When doing a "Site Lookup" through "Filters > Content classified (Site

Lookup)", JavaScript code can be inserted into the parameter "lookup_url":

 

[...]

 

2) Multiple Stored Cross-Site Scripting Vulnerabilities (CVE-2013-2772)

 

Multiple parameters of the Censornet Professional v4 appliaction are prone to

stored Cross-Site Scripting attacks. Amongst others, the configuration of the

"Parent Proxy Settings" ("System > Configuration > Parent Proxy Settings"),

contain many vulnerable parameters:

- parentproxyaddress
- parentproxyport
- parentproxyusername
- parentproxypassword
- parentproxyaddressssl
- parentproxyportssl
- parentproxyusernamessl
- parentproxypasswordssl

Request:

[...]

The sample applies to the parameters of "System Alerts" ("Configuration > 
System Alerts"):
- load
- ram
- disk

Request:

[...]

 

3) Multiple SQL Injection Vulnerabilities (CVE-2013-2771)

 

Multiple SQL injection vulnerabilities exist within the Censornet Professional

v4 product. Malicious, authenticated users can exploit these flaws to

manipulate the queries sent to the PostgreSQL database.

 

When creating a new report ("Reports > New Custom Report"), the following

parameters are vulnerable:

- report_items
- report_name
- date_range
- username_comparison
- username_specificvalue
- usergroups_comparison
- usergroups_specificvalue
- workstation_comparison
- workstation_specificvalue
- workstationgroups_comparison
- workstationgroups_specificvalue
- url_comparison
- url_specificvalue
- policy_comparison
- policy_specificvalue
- ...

"Reports > View Custom Report":
- predicate
- report_name
- table
- ...

"Reports > Manage Custom Reports":
- filter
- ...

"Filters > Custom URL Module > Categories":
- newcategory
- ...

"Policies > New Policy":
- policy_name
- policy_description
- colorpicker
- access_level
- conflicts
- block_nocat
- time_quota
- ...

"Objects > New User":
- id
- ...

"Objects > New Computer":
- new_workstation_name
- new_workstation_addr
- group
- ...

"Objects > New Administrator":
- module_items
- new_user_name
- ...

"Objects > New Manager":
- group_items
- new_manager_email
- new_manager_period
- ...

 

 

Vulnerable / tested versions:

-----------------------------

Censornet Professional v4 (2.1.7)

 

 

Vendor contact timeline:

------------------------

2013-02-12: Contacting vendor through info@censornet.com

2013-02-20: Contacting vendor again through info@censornet.com,

sales@censornet.com, support@censornet.com and support formular

(http://www.censornet.com/en/support/ticket) since no reply was

received so far

2013-02-27: Informing vendor about the release of the advisory on 2013-04-03.

2013-04-04: No further response from vendor. Advisory published according to

the SEC Consult's responsible disclosure policy.

 

 

Solution:

---------

None

 

 

Workaround:

-----------

Restrict access to trusted users only.

 

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

 

Office Vienna

Mooslackengasse 17

A-1190 Vienna

Austria

 

Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 25

Mail: research at sec-consult dot com

www.sec-consult.com

 

EOF M. Heinzl / @2013