-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2014-2233
=====================
"Server-Side Request Forgery" (CWE-918) vulnerability in "infoware MapSuite"

Vendor
=====================
infoware GmbH

Product
=====================
MapSuite

Affected versions
=====================
This vulnerability affects versions of MapSuite MapAPI prior to 1.0.36 and 1.1.49.

Fixed versions
=====================
MapSuite MapAPI 1.0.36 and 1.1.49
Both patches are available since 2014-03-26.

Reported by
=====================
This issue was reported to the vendor by Christian Schneider (@cschneider4711)
following a responsible disclosure process.

Severity
=====================
Medium

Exploitability
=====================
No authentication required

Description
=====================
Using a specially crafted URL to access the MapAPI it is possible to issue
HTTP(S) GET requests originating from the attacked server (behind the firewall)
and to read the response. This enables attackers to reach web servers that are
not exposed to the internet and thus allows them to pivot further into the
targeted network.

Proof of concept
=====================
Due to the responsible disclosure process chosen and to not harm unpatched systems,
no concrete exploit code will be presented in this advisory.

Migration
=====================
MapSuite MapAPI 1.0.x users should upgrade to 1.0.36 or later as soon as possible.
MapSuite MapAPI 1.1.x users should upgrade to 1.1.49 or later as soon as possible.
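The description above is the general CWE-918 pattern: a request parameter carries a URL, the server fetches it and returns the body to the caller. The following is an added example, not MapSuite code and not the vendor's patch; the advisory discloses neither the vulnerable parameter nor how the first patch was bypassed, so the allow-list hosts, the function names and the sample URLs are all constructed for illustration. It contrasts a prefix-string check, which is the kind of first fix that is commonly bypassed, with an exact-match validator that also rejects non-HTTP schemes (which also closes the door on a path-style input such as the one CVE-2014-2232 abuses), embedded credentials, IP literals and unexpected ports.

```python
"""Hypothetical SSRF guard for a 'fetch this URL' style API parameter.

Added example, not code from the MapSuite product or the infoware patch.
ALLOWED_HOSTS, naive_check, hardened_check and the sample URLs in
compare_checks are assumptions made for this illustration only.
"""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allow-list: the only upstream hosts this API should ever fetch from.
ALLOWED_HOSTS = {"tiles.example.com", "geocode.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}


def naive_check(url: str) -> bool:
    """Prefix check of the kind that looks like a fix but is trivially bypassed.

    Both 'http://tiles.example.com.attacker.net/' and
    'http://tiles.example.com@10.0.0.5/' begin with the expected prefix.
    """
    return url.startswith("http://tiles.example.com") or url.startswith(
        "https://tiles.example.com"
    )


def hardened_check(url: str) -> bool:
    """Accept only well-formed URLs whose host exactly matches the allow-list."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False

    # Only plain HTTP(S); this also rejects file://, gopher://, etc.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False

    # Userinfo is how 'allowed-host@internal-host' tricks smuggle a real target.
    if parts.username is not None or parts.password is not None:
        return False

    host = parts.hostname
    if host is None:
        return False
    host = host.rstrip(".").lower()

    # IP literals (dotted, bracketed IPv6, or bare decimal) are never legitimate
    # here; the attacker's goal is exactly an internal address.
    if host.isdigit():
        return False
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass

    # Exact match, never prefix or substring.
    if host not in ALLOWED_HOSTS:
        return False

    return port in ALLOWED_PORTS


def compare_checks() -> dict:
    """Run both validators over constructed sample URLs (not real targets).

    Returns {url: (naive_result, hardened_result)} so the gap is visible.
    """
    samples = [
        "https://tiles.example.com/tile/1/2/3.png",   # legitimate upstream
        "http://tiles.example.com.attacker.net/",     # prefix bypass
        "http://tiles.example.com@10.0.0.5/admin",    # userinfo bypass
        "http://127.0.0.1:8080/",                     # loopback literal
        "http://[::1]/",                              # IPv6 loopback literal
        "http://2130706433/",                         # decimal 127.0.0.1
        "http://tiles.example.com:8080/",             # unexpected port
        "file:///etc/passwd",                         # non-HTTP scheme
    ]
    return {u: (naive_check(u), hardened_check(u)) for u in samples}


if __name__ == "__main__":
    for url, (naive, hardened) in compare_checks().items():
        print(f"{url:45} naive={naive!s:5} hardened={hardened!s:5}")
```

Exact host matching is the important part; a denylist of private ranges is the weaker design because hostnames that resolve to internal addresses, redirects and DNS rebinding all slip past a string-level check. In production the fetch itself should also resolve the host and reject internal addresses at connect time and must not follow redirects automatically, neither of which a purely offline validator like this one can do.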
See also
=====================
CVE-2014-2232 as another vulnerability in the same module, which can be exploited
as an Absolute Path Traversal via the same input parameter.

Timeline
=====================
2014-02-20  Vulnerability discovered
2014-02-20  Vulnerability responsibly reported to vendor
2014-02-21  Reply from vendor acknowledging report
2014-02-26  Reply from vendor with first patch (version 1.0.34 and 1.1.47)
meanwhile   Testing of the patch by the reporting researcher (Christian Schneider)
2014-03-20  Reported to vendor that first patch could be bypassed
meanwhile   Conversation about fix strategies between vendor and reporting researcher
2014-03-26  Reply from vendor with updated patch (version 1.0.36 and 1.1.49)
meanwhile   Verification of the patch by reporting researcher + vendor informed customers
2014-06-01  Advisory published in coordination with vendor via BugTraq

References
=====================
http://www.christian-schneider.net/advisories/CVE-2014-2233.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAlOLV74ACgkQXYAsOfddvFPrWgCgjqejfrV/Ro2b8aC4RQ+UHdGG
AoEAmgN82HZQgDspcd25PJxSBxXWalBw
=nu9C
-----END PGP SIGNATURE-----