mailing list archives
Applicure Technologies response
From: tomer () applicure com
Date: 8 Dec 2009 17:30:27 -0000
On November 30th 2009, an anonymous person published a method for dotDefender authenticated administrators to run
limited shell commands using remote command execution via a POST parameter which has been successfully tested against
dotDefender 3.X for Apache on Linux/UNIX platforms (http://www.securityfocus.com/archive/1/508124).
Yesterday, December 2nd 2009, Applicure issued a fix for this issue, available at
A simple extraction of index1.cgi and replacement of the existing file at: /usr/local/APPCure-full/lib/admin/index1.cgi
shall suffice to harden the administrative console against this vulnerability.
Nevertheless, at no time have dotDefender users been under any type of threat due to the following:
1. This vulnerability does not compromise the dotDefender Web Application Firewall
2. A user must be logged into the administrative console, effectively possessing administrative privileges on the Web
3. The consequent freedom of action is restricted under the Apache process privileges
Applicure does not recommend that Web server administrators try the abovementioned attack on their dotDefender
In any case, other, non-privileged users will not be able to execute this attack.
Applicure encourages security testers to report any vulnerability that may be found in its products in a formal appeal,
acting responsibly and allowing at least a week's noticeto fix the vulnerability, as is customary in the information
security community, before publishing it.
For any additional information or inquiries please contact Applicure support team.
- Applicure Technologies response tomer (Dec 08)