Everybody love everybody?

On Tue, Feb 24, 2009 at 4:49 PM, <[email protected]> wrote:
> Dear SNOSOFT,
>
> Thanks to you for proving every insult made to your company as
> truths. Demonstrating monstrous volume of elementary computer
> hacking features in some unnamed and unknown web based interface
> does separate you from the Valdis's of the community, but not by
> much.
>
> You sirs should return to crying about children hijacking your xbox
> live accounts after defeating you in video games, and leave the
> more advanced computer security web hacking to Stefan Esser and his
> technical James Bond xbox hacking team.
>
> Also please learn to better format your pasted advisories to this
> list.
>
> thanks and all the best to you,
> - -bm
>
> On Tue, 24 Feb 2009 16:00:00 -0500 Netragard Advisories
> <[email protected]> wrote:
> >************************* Netragard, L.L.C Advisory ***************************
> >
> > The Specialist in Anti-Hacking.
> >
> >[Posting Notice]
> >-------------------------------------------------------------------
> >If you intend to post this advisory on your web page please create a
> >clickable link back to the original Netragard advisory as the contents
> >of the advisory may be updated. The advisory can be found on the
> >Netragard website at http://www.netragard.com/
> >
> >For more information about Netragard visit http://www.netragard.com
> >
> >[Advisory Information]
> >-------------------------------------------------------------------
> >Contact : Adriel T. Desautels
> >Researcher : Kevin Finisterre
> >Advisory ID : NETRAGARD-20070820
> >Product Name : CAMAS (Content Management System)
> >Product Version : Unknown
> >Vendor Name : Cambium Group, LLC.
> >Type of Vulnerability : Multiple Critical Vulnerabilities
> >Impact : Critical
> >Vendor Notified : 08/22/2007
> >
> >[Product Description]
> >-------------------------------------------------------------------
> >"Cambium Group's content management system (CAMAS) give you
> >independence from outdated content and expensive "web masters". Let
> >the user-friendly interface of CAMAS save you time and money with the
> >freedom to manage your entire web channel yourself."
> >
> >Taken From:
> >http://www.cambiumgroup.com/interior.php/pid/3/sid/3
> >
> >[Technical Summary]
> >-------------------------------------------------------------------
> >The Cambium Group Content Management System (CAMAS) Failed most
> >Open Web Application Security Project ("OWASP") criterion during
> >testing.
> >Specific areas of vulnerability that were identified are as follows:
> >
> >Note: A reference to each is provided at the following URL:
> >
> >--> https://www.owasp.org/index.php/Category:Vulnerability <--
> >
> >[+] Authentication Testing (FAIL)
> >-------------------------------------------------------------------
> >CAMAS does not transport all authentication credentials over a secure
> >encrypted channel. It is possible to capture users credentials in
> >transit.
> >
> >[+] Code Quality Testing (FAIL)
> >-------------------------------------------------------------------
> >CAMAS does not follow industry best practices as defined by OWASP.
> >Specifically, CAMAS is missing critical security functionality that
> >leaves CAMAS powered websites open to attack by internet based hackers.
> >
> >[+] Error Handling Testing (FAIL)
> >-------------------------------------------------------------------
> >CAMAS is missing proper error handling and event logging capabilities
> >as defined by OWASP. This lack of proper error handling and logging
> >results in information leakage that can be used by an attacker to
> >further compromise a CAMAS powered website.
> >
> >[+] Input Validation Testing (FAIL)
> >-------------------------------------------------------------------
> >CAMAS does not perform proper Input Validation. In some areas CAMAS
> >does not perform any input validation. As a result it is possible to
> >execute arbitrary database commands against databases that support
> >CAMAS powered websites. It is also possible to take control of CAMAS
> >powered websites, databases and web-servers. CAMAS does not use
> >Parameterized Stored Procedures which is the industry standard for
> >defending against SQL Injection.
> >
> >[+] Logging and Auditing Testing (FAIL)
> >-------------------------------------------------------------------
> >CAMAS is missing Logging and Auditing functionality as defined by
> >OWASP.
> >
> >[+] Password Management (FAIL)
> >-------------------------------------------------------------------
> >CAMAS does not perform proper password storage and management.
> >CAMAS does not properly support password aging, strong password
> >enforcement, or strong password cryptographic protection. During
> >testing Netragard was able to crack 98% of the passwords that were
> >stored by CAMAS.
> >
> >[+] Sensitive Data Protection Testing (FAIL)
> >-------------------------------------------------------------------
> >CAMAS does not provide sufficient levels of Data Protection for
> >businesses whose users use CAMAS powered websites to access
> >sensitive information or to login to third party websites through
> >login forms hosted on CAMAS powered websites.
> >
> >[Impact]
> >-------------------------------------------------------------------
> >[Impact varies from installation to installation]
> >
> >- Theft of customer data
> >- Hijack online banking portal
> >- Hijack online banking portal links
> >- Capture data entered into forms
> >- Dump database contents
> >- Alter database contents
> >- Gain access to server running CAMAS
> >- Phish using XSS
> >- Include files from remote locations
> >- Include files from the file system
> >- Information Disclosure
> >- Website Defacement
> >- etc.
> >
> >[Proof Of Concept]
> >-------------------------------------------------------------------
> >Proof of concept code exists but is not provided as to not increase
> >CAMAS users overall risk levels. Any website that reads "Powered by
> >the Cambium Group, LLC." is a CAMAS powered website.
> >
> >[Vendor Status and Chronology]
> >-------------------------------------------------------------------
> >08/06/2007 07:11:57 PM EDT - Vulnerabilities Discovered
> >08/24/2007 09:38:41 AM EDT - Cambium Group, LLC. Notified in full detail
> >08/24/2007 10:54:01 AM EDT - Cambium Group, LLC. Responds to Notification
> >08/27/2007 10:31:30 AM EDT - Conference Call Scheduled
> >08/29/2007 03:00:00 PM EDT - Held Conference call - Presented Solution
> >08/29/2007 03:00:00 PM EDT - Communication with the Cambium Group Faded
> >09/26/2008 11:17:35 PM EDT - Issues remain unfixed
> >02/09/2009 09:00:00 PM EDT - Issues remain unfixed
> >02/11/2009 03:44:19 PM EST - Whistle Blower FD Posting (No affiliation to Netragard)
> >02/11/2009 04:55:20 PM EST - Netragard Prepares Advisory for Release
> >
> >[Solution]
> >-------------------------------------------------------------------
> >Netragard strongly recommends that the Cambium Group, LLC. modify
> >CAMAS to meet OWASP criterion as defined by the OWASP Testing Guide
> >version 3. CAMAS users can partially or entirely protect themselves by
> >installing a reverse application proxy such as BlueCoat(tm) or
> >ModSecurity2. Other Content Management Systems that meet industry
> >best practices with respect to security might also be considered.
> >
> >[Disclaimer]
> >-------------------------------------------------------------------
> >Netragard, L.L.C. assumes no liability for the use of the information
> >provided in this advisory. This advisory was released in an effort to
> >help the I.T. community protect themselves against a potentially
> >dangerous security hole. This advisory is not an attempt to solicit
> >business.
> >
> >This advisory is also published at:
> >http://www.netragard.com -- and -- http://snosoft.blogspot.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
