--nKCD8TRXXrSNdoS3wWHrepa7ErFFHn16g Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable =3D=3D=3D LSE Leading Security Experts GmbH - Security Advisory 2014-04-1= 0 =3D=3D=3D Sitepark Information Enterprise Server (IES) - Unauthenticated Access --------------------------------------------------------------------- Affected Versions =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Information Enterprise Server (IES) Version 2.9 until 2.9.6 Issue Overview =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D Technical Risk: high Likelihood of Exploitation: medium Vendor: Sitepark GmbH Credits: LSE Leading Security Experts GmbH employees Markus Vervier and Sascha Kettler Advisory URL: https://www.lsexperts.de/advisories/lse-2014-04-10.txt Advisory Status: Public CVE-Number: CVE-2014-3006 Issue Description =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D While conducting a penetration test LSE Leading Security Experts GmbH discovered that the installer of the Information Enterprise Server (IES) was available to unauthenticated users over HTTP. When updating from previous versions of IES, an installation form was not= disabled after installation. In this case the servlet "/ies/install" was exposed to unauthenticated users. By accessing the servlet at URI "/ies/install/" on an affected IES server= , an unauthenticated attacker was able to set a new password for the manage= r account. Additionally sensitive information regarding the IES installation was displayed. Temporary Workaround and Fix =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D LSE Leading Security Experts GmbH advises to prevent access to the URI "/ies/install/" by configuring web servers or proxy servers according= ly. For example using the Apache webserver a "Directory" directive would be needed: <Location /ies/install> Order Deny,Allow Deny from all Satisfy all </Location> A hotfix is available from the vendor via the automatic update functional= ity for IES versions 2.9 until 2.9.6. Impact =3D=3D=3D=3D=3D=3D An attacker is able to learn the license key and sensitive directory name= s of the IES. Additionally the password for the account "manager" can be reset which grants full access rights with the management role. According to the vendor this issue affects only installations that are updated from previous versions of IES to versions 2.9 until 2.9.6. History =3D=3D=3D=3D=3D=3D=3D 2014-04-02 Issue discovered 2014-04-03 Vendor informed by customer, Vendor released hotfix and updated managed installations 2014-04-16 Permission of customer for advisory 2014-04-16 Direct vendor contact 2014-04-22 Vendor reply 2014-04-27 CVE assigned 2014-04-30 Advisory publicly released --=20 http://www.lsexperts.de LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt Tel: +49 6151 86086-0, Fax: -299 Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649 Geschaeftsfuehrer: Oliver Michel, Sven Walther --nKCD8TRXXrSNdoS3wWHrepa7ErFFHn16g Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJTYRvEAAoJEDgSCSGZ4yd8AQgQAL5G55Sotbth6wz2UEpmp1jS bR9XH210Evokl0qHIduy4q9wkWQNG+HsP3tpqNtcNlkHpv7s/Q5BI43PSijE6TGl wOwqVMg3NG0MictGQ6G19lFuxg9SCWRcWioAg85eAYtYVfS+mOtxCfSJ4nxEN+7D 76o+ExDLyVcNsP4NwNxArpoTu43eOXciy4ziDHGKiCk3nIV2AqG0MXFe7YR/3c4f Wkpk2l940gbPT1cjGYglPcOwXgOSG8hvKutRhwzrdauXlF9I/wMt8JhBnAPHfHT3 A+RoAmVjeIQ4f8XRF5t9YPBma2M49ZWjuV5UFS3yWtvJNlz/0AoH+nRm9wihB8W5 I9QI2+7FEU/kdtVgEAJ+nPOv/0wTJdyUlA6hbiTZK58uIkE0il4L/mUWgMuziG7y Pk5qxDF9u+inwRRQSRztg2XbRK/whdUSyPtB5ofnuFUzFOhzl/L0s3DzkocCo1RZ FdkV2XRxfrHYmiCnRlmdXRVJvsC3iYaTA5ecNKZ5syKWQx470OswlTI66QuAXgr4 aYTjUWtU13AkRe/Rupt7CIGbyaWWXnj+aJmKLnhCyORaTDsga7SkNvhz500QAVAx YbphEx/0/YPXP1rG8leeURjjLESDJhqJJLWrJw/Y5fhq9jTQCR10nv/Z6YHLuL8V deNiyeRuIDJroJbBXeX8 =uhOR -----END PGP SIGNATURE----- --nKCD8TRXXrSNdoS3wWHrepa7ErFFHn16g--