Tuesday, June 1, 2010

Using XSS to switch off dotDefender 4.0

AppliCure's dotDefender version 4.0 had a security flaw in the log viewing feature of the administrative interface. We just published an advisory for this vulnerability. Here's the interesting part:

"The log viewer facility in dotDefender does not properly htmlencode user supplied input. This leads to a cross site scripting vulnerability when the log viewer displays HTTP headers."


The following video shows how an attacker can make use of cross site scripting to get the system administrator to automatically switch off dotDefender. This effectively disables the WAF, leaving the web application exposed to any attacks that said WAF was supposed to protect against.

Advisory: ES-20100601

Video demo: http://vimeo.com/12132622



FAQ

But doesn't the attacker need to reach the administrator interface?

Nope - it's the administrator's authenticated web browser that disables the WAF, driven by the injected JavaScript. Therefore the attacker just needs to reach the website protected by the WAF.
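To make the root cause concrete, here is an added example (not dotDefender's code, and not from the advisory) of a minimal admin log viewer that renders captured request headers into an HTML table. The vulnerable renderer concatenates header values raw, which is the defect the advisory describes; the hardened renderer HTML-encodes names and values at the point where they are placed into markup. The sample headers, the function names and the review check are all constructed for this illustration.

```python
"""Log viewer output encoding: vulnerable rendering beside the hardened form.

Added example, not dotDefender's code. It models the shape of the issue the
advisory describes: attacker-controlled HTTP header values that an admin log
viewer writes into HTML without encoding them.
"""
import html
import re

# Constructed sample of captured request headers. The User-Agent and Referer
# values carry harmless markup markers so the two renderers can be compared.
SAMPLE_HEADERS = {
    "Host": "www.example.test",
    "User-Agent": "Mozilla/5.0 <script>/* constructed marker */</script>",
    "Referer": 'http://example.test/?q="><b>x</b>',
}


def render_headers_vulnerable(headers):
    """Writes raw header values into HTML: the defect the advisory describes.

    Whatever the client sent in the header becomes part of the admin page, so
    it runs in the administrator's authenticated browser session.
    """
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in headers.items())
    return f"<table>{rows}</table>"


def render_headers_hardened(headers):
    """HTML-encodes header names and values before placing them in markup.

    html.escape turns < > & " ' into entities, so the browser renders the
    header text literally instead of parsing it as tags or attributes.
    """
    rows = "".join(
        f"<tr><td>{html.escape(k, quote=True)}</td>"
        f"<td>{html.escape(v, quote=True)}</td></tr>"
        for k, v in headers.items()
    )
    return f"<table>{rows}</table>"


# Review check: any tag other than the viewer's own table/tr/td markup
# (opening or closing) means client-supplied text reached the page unencoded.
FOREIGN_TAG_RE = re.compile(r"<(?!/?(?:table|tr|td)\b)[^>]*>", re.IGNORECASE)


def contains_foreign_markup(rendered_html):
    """True if the rendered page contains markup the viewer did not emit itself."""
    return FOREIGN_TAG_RE.search(rendered_html) is not None


if __name__ == "__main__":
    for name, render in (("vulnerable", render_headers_vulnerable),
                         ("hardened", render_headers_hardened)):
        page = render(SAMPLE_HEADERS)
        print(f"{name}: foreign markup present = {contains_foreign_markup(page)}")
        print(page)
```

Encoding at the output point is the fix for this class of bug; input validation on headers is not a substitute, since log viewers exist precisely to show whatever clients sent. A Content-Security-Policy on the administrative interface is a useful second layer, but it does not remove the need to encode.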


Reader Comments (1)

[...] in the log viewer facility of the dotDefender admin interface.  Watch the video below for a more in depth explanation of the attack.  From the below video one can also learn and understand the importance of having secure web [...]
