An advisory by EnableSecurity.
- ID: ES-20100601
- Affected Versions: version 4.0
- Fixed versions: 4.01-3 and later
- Enable Security Advisory: https://www.enablesecurity.com/advisories/ES2010-01-applicure-dotDefender-stored-xss/
Description
Applicure dotDefender is a Web Application Firewall that can be installed on Windows and Linux servers.
From their website (applicure.com):
“dotDefender is the market-leading software Web Application Firewall (WAF). dotDefender boasts enterprise-class security, advanced integration capabilities, easy maintenance and low total cost of ownership (TCO). dotDefender is the perfect choice for protecting your website and web applications today.”
Technical details
The log viewer facility in dotDefender does not properly HTML-encode user-supplied input. This leads to a stored cross-site scripting vulnerability when the log viewer displays HTTP headers recorded from requests.
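To make the defect and its fix concrete, here is an added example (not dotDefender's code, and not part of the original advisory). It assumes a hypothetical log record shaped like a dict with a request line and a list of header name/value pairs, and it renders that record the way a log viewer would: once without encoding (the flaw described above) and once with every untrusted fragment passed through HTML escaping. A small check that flags header names containing characters outside the HTTP token alphabet is included as a detection aid for log review.

```python
import html
import string

# Constructed sample log record, modelled on the request shown in the advisory:
# a query-string value and a header name that both carry HTML markup.
SAMPLE_LOG_ENTRY = {
    "request_line": "GET /c?a=<script> HTTP/1.1",
    "headers": [
        ("Host", "website.org"),
        ("<script>alert(1)</script>", "aa"),   # attacker-controlled header name
        ("User-Agent", "curl/7.19.7"),
    ],
}

# Characters permitted in an HTTP header-name token (RFC 7230 tchar) plus alphanumerics.
TOKEN_CHARS = set("!#$%&'*+-.^_`|~" + string.ascii_letters + string.digits)


def render_headers_unsafe(entry):
    """The defect: header names/values are concatenated straight into HTML,
    so any markup in them is interpreted by the administrator's browser."""
    rows = "".join(
        f"<tr><td>{name}</td><td>{value}</td></tr>" for name, value in entry["headers"]
    )
    return f"<h2>{entry['request_line']}</h2><table>{rows}</table>"


def render_headers_safe(entry):
    """The fix: every untrusted fragment is HTML-escaped before insertion.
    quote=True also encodes quotes, which matters inside attribute values."""
    def esc(s):
        return html.escape(s, quote=True)

    rows = "".join(
        f"<tr><td>{esc(name)}</td><td>{esc(value)}</td></tr>" for name, value in entry["headers"]
    )
    return f"<h2>{esc(entry['request_line'])}</h2><table>{rows}</table>"


def find_suspicious_headers(entry):
    """Detection aid: return header names that are not valid HTTP tokens or whose
    value contains angle brackets. The value check is a heuristic; e.g. a
    legitimate Link header value does contain '<' and '>'."""
    flagged = []
    for name, value in entry["headers"]:
        bad_name = not name or any(ch not in TOKEN_CHARS for ch in name)
        bad_value = "<" in value or ">" in value
        if bad_name or bad_value:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    print("unsafe :", render_headers_unsafe(SAMPLE_LOG_ENTRY))
    print("safe   :", render_headers_safe(SAMPLE_LOG_ENTRY))
    print("flagged:", find_suspicious_headers(SAMPLE_LOG_ENTRY))
```

Escaping at the point of output is the relevant control here: the log must still store the raw header (it is evidence), but nothing read back from the log should reach the page unencoded.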
How to reproduce the issue
One may use curl and insert headers containing HTML tags using the --header switch.
Example:
curl "http://website.org/c?a=<script>" \
--header "<script>alert(1)</script>: aa"
When the administrator views the log viewer page, his/her web browser executes the attacker's JavaScript.
The following demo shows how an attacker can switch off dotDefender in order to bypass any “protection” offered by the WAF:
Timeline
- May 17, 2010: Initial contact
- Jun 01, 2010: Release of this advisory
Solution
Upgrade to the latest version of dotDefender: http://www.applicure.com/
Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.