Full Disclosure mailing list archives
FW: Re[2]: Radware AppWall Web Application Firewall: Source code disclosure on management interface
From: "Shaked Vax" <ShakedV () Radware com>
Date: Mon, 6 Jul 2009 15:18:41 +0300
Hello Vladimir Let's clarify what is the .inc vulnerability all about: In order to take advantage of this vulnerability one needs to: 1. Have access to internal AppWall management URL 2. Have credentials (user and password) of the AppWall Web Interface. Without the credentials one cannot access the /Management/ folder at all ! Once you have access to the .inc file you can retrieve the server's source code. In most applications it is not "a good practice" (to say the least) to expose your source code even your authenticated users. In AppWall's case there is nothing interesting to hide in the inc files, since if you have credentials, and you are looking to cause harm to the system, you can simply shutdown the AppWall service, change its IP address etc'. PHP source code is not interesting in this case. This is not a critical issue and should be taken in relevant proportions. Regards, Shaked Vax -----Original Message----- From: Vladimir '3APA3A' Dubrovin [mailto:3APA3A () SECURITY NNOV RU] Sent: Friday, July 03, 2009 15:58 PM To: Shaked Vax Cc: full-disclosure () lists grok org uk Subject: Re[2]: [Full-disclosure] radware AppWall Web Application Firewall: Source code disclosure on management interface Dear Shaked Vax, Are you sure Radware Team have analysed reflected attack via user's browser (AppWall administrator visits malcrafted page, page redirects his request to AppWall) before excluding remote vector? --Thursday, July 2, 2009, 3:23:16 PM, you wrote to full-disclosure () lists grok org uk: SV> Radware team has completed analysis of the reported issue, concluding SV> that no AppWall customer using the product according to Radware SV> deployment recommendations would be exposed to vulnerability as a result SV> of this issue. This is due to the facts that this issue exists only on SV> the management interface that is recommended to be connection to SV> internal LAN only, and that it does not allow performing any actions SV> that would influence machine functionality. SV> Nevertheless, in order to enforce our commitment to deliver top SV> security solution to our customers, Radware will supply a fix for this SV> issue within its upcoming AppWall release. SV> Shaked Vax SV> AppWall Product Manager SV> ShakedV () radware com SV> _______________________________________________ SV> Full-Disclosure - We believe in it. SV> Charter: http://lists.grok.org.uk/full-disclosure-charter.html SV> Hosted and sponsored by Secunia - http://secunia.com/ -- Skype: Vladimir.Dubrovin ~/ZARAZA http://securityvulns.com/ Но Гарри... я безусловно отдаю предпочтение ему, за высокую питательность и какое-то особенно нежное мясо. (Твен) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- FW: Re[2]: Radware AppWall Web Application Firewall: Source code disclosure on management interface Shaked Vax (Jul 06)