Full Disclosure mailing list archives

[NETRAGARD SECURITY ADVISORY] [Cambium Group, LLC. CAMAS Content Management System -- Multiple Critical Vulnerabilities][NETRAGARD-20070820]
From: Netragard Advisories <advisories () netragard com>
Date: Tue, 24 Feb 2009 16:00:00 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

************************* Netragard, L.L.C Advisory ***************************

                                        The Specialist in Anti-Hacking.

[Posting Notice]
- -------------------------------------------------------------------------------------------------
If you intend to post this advisory on your web page please create a
clickable link back to the original Netragard advisory as the contents
of the advisory may be updated. The advisory can be found on the
Netragard website at http://www.netragard.com/

For more information about Netragard visit http://www.netragard.com

[Advisory Information]
- -------------------------------------------------------------------------------------------------
Contact                         : Adriel T. Desautels
Researcher                      : Kevin Finisterre
Advisory ID                     : NETRAGARD-20070820
Product Name            : CAMAS (Content Management System)
Product Version         : Unknown
Vendor Name             : Cambium Group, LLC.
Type of Vulnerability   : Multiple Critical Vulnerabilities
Impact                          : Critical
Vendor Notified         : 08/22/2007

[Product Description]
- -------------------------------------------------------------------------------------------------
"Cambium Group's content management system (CAMAS) give you
independence from outdated content and expensive "web masters". Let
the user-friendly interface of CAMAS save you time and money with the
freedom to manage your entire web channel yourself."

Taken From:
http://www.cambiumgroup.com/interior.php/pid/3/sid/3

[Technical Summary]
- -------------------------------------------------------------------------------------------------
The Cambium Group Content Management System (CAMAS) failed most
Open Web Application Security Project ("OWASP") criteria during
testing. Specific areas of vulnerability that were identified are as
follows:

Note: A reference to each is provided at the following URL:

- --> https://www.owasp.org/index.php/Category:Vulnerability <--

[+] Authentication Testing (FAIL)
- -------------------------------------------------------------------------------------------------
CAMAS does not transport all authentication credentials over a secure
encrypted channel. It is possible to capture users' credentials in
transit.

[+] Code Quality Testing (FAIL)
- -------------------------------------------------------------------------------------------------
CAMAS does not follow industry best practices as defined by OWASP.
Specifically, CAMAS is missing critical security functionality that
leaves CAMAS powered websites open to attack by internet based hackers.

[+] Error Handling Testing (FAIL)
- -------------------------------------------------------------------------------------------------
CAMAS is missing proper error handling and event logging capabilities
as defined by OWASP. This lack of proper error handling and logging
results in information leakage that can be used by an attacker to
further compromise a CAMAS powered website.

[+] Input Validation Testing (FAIL)
- -------------------------------------------------------------------------------------------------
CAMAS does not perform proper Input Validation. In some areas CAMAS
does not perform any input validation.  As a result it is possible to
execute arbitrary database commands against databases that support
CAMAS powered websites. It is also possible to take control of CAMAS
powered websites, databases and web-servers. CAMAS does not use
Parameterized Stored Procedures which is the industry standard for
defending against SQL Injection.

[+] Logging and Auditing Testing (FAIL)
- -------------------------------------------------------------------------------------------------
CAMAS is missing Logging and Auditing functionality as defined by
OWASP.

[+] Password Management (FAIL)
- -------------------------------------------------------------------------------------------------
CAMAS does not perform proper password storage and management.
CAMAS does not properly support password aging, strong password
enforcement, or strong password cryptographic protection. During testing
Netragard was able to crack 98% of the passwords that were stored by
CAMAS.

[+] Sensitive Data Protection Testing (FAIL)
- -------------------------------------------------------------------------------------------------
CAMAS does not provide sufficient levels of Data Protection for
businesses whose users use CAMAS powered websites to access
sensitive information or to login to third party websites through login
forms hosted on CAMAS powered websites.

[Impact]
- -------------------------------------------------------------------------------------------------
[Impact varies from installation to installation]

- - Theft of customer data
- - Hijack online banking portal
- - Hijack online banking portal links
- - Capture data entered into forms
- - Dump database contents
- - Alter database contents
- - Gain access to server running CAMAS
- - Phish using XSS
- - Include files from remote locations
- - Include files from the file system
- - Information Disclosure
- - Website Defacement
- - etc.

[Proof Of Concept]
- -------------------------------------------------------------------------------------------------
Proof of concept code exists but is not provided so as not to increase
CAMAS users' overall risk levels. Any website that reads "Powered by
the Cambium Group, LLC." is a CAMAS powered website.

[Vendor Status and Chronology]
- -------------------------------------------------------------------------------------------------
08/06/2007 07:11:57 PM EDT - Vulnerabilities Discovered
08/24/2007 09:38:41 AM EDT - Cambium Group, LLC. Notified in full detail
08/24/2007 10:54:01 AM EDT - Cambium Group, LLC. Responds to Notification
08/27/2007 10:31:30 AM EDT - Conference Call Scheduled
08/29/2007 03:00:00 PM EDT - Held Conference call - Presented Solution
08/29/2007 03:00:00 PM EDT - Communication with the Cambium Group Faded
09/26/2008 11:17:35 PM EDT - Issues remain unfixed
02/09/2009 09:00:00 PM EDT - Issues remain unfixed
02/11/2009 03:44:19 PM EST - Whistle Blower FD Posting (No affiliation to Netragard)
02/11/2009 04:55:20 PM EST - Netragard Prepares Advisory for Release

[Solution]
- -------------------------------------------------------------------------------------------------
Netragard strongly recommends that the Cambium Group, LLC. modify
CAMAS to meet OWASP criteria as defined by the OWASP Testing Guide
version 3. CAMAS users can partially or entirely protect themselves by
installing a reverse application proxy such as BlueCoat(tm) or
ModSecurity2. Other Content Management Systems that meet industry
best practices with respect to security might also be considered.

[Disclaimer]
- -------------------------------------------------------------------------------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.

This advisory is also published at:
http://www.netragard.com  -- and -- http://snosoft.blogspot.com



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkmkX9AACgkQ4fEyMUBMiWwYVwCfaQaeow9HNgzLeTrhxHLh5yfb
4RIAoM6So8KLOaKrvPOqHcXIhD/RFLSJ
=dhuu
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
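
Added example (not part of the Netragard advisory, and not CAMAS code or Netragard's proof of concept): a minimal sketch of the controls the Input Validation, Error Handling and Logging findings call for, shown beside the weak pattern they replace. The table, the `page_id` parameter, the logger name and all sample rows are hypothetical and constructed for illustration.

```python
import logging
import sqlite3

log = logging.getLogger("cms.audit")  # hypothetical logger name


def make_db():
    """Constructed sample data: an in-memory table of pages."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, public INTEGER)"
    )
    db.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [(1, "Home", 1), (2, "Rates", 1), (3, "Staff only", 0)],
    )
    return db


def get_page_unsafe(db, page_id):
    """Weak pattern: the request value becomes part of the SQL text, so the
    caller controls the query, and any database error propagates upward."""
    sql = "SELECT title FROM pages WHERE public = 1 AND id = " + page_id
    return [row[0] for row in db.execute(sql)]


def get_page_safe(db, page_id):
    """Hardened pattern: validate, bind as a parameter, log, fail generically."""
    # Input validation: accept a short run of ASCII digits and nothing else.
    if not (page_id.isascii() and page_id.isdigit() and len(page_id) <= 9):
        log.warning("rejected page_id=%r", page_id)  # audit trail
        return {"status": 400, "body": "Bad request"}
    try:
        # Parameter binding: the value never becomes part of the SQL text.
        row = db.execute(
            "SELECT title FROM pages WHERE public = 1 AND id = ?",
            (int(page_id),),
        ).fetchone()
    except sqlite3.Error:
        # Error handling: detail goes to the server log, not to the client.
        log.exception("query failed for page_id=%r", page_id)
        return {"status": 500, "body": "Internal error"}
    if row is None:
        return {"status": 404, "body": "Not found"}
    return {"status": 200, "body": row[0]}
```

With the constructed rows above, a value such as `3 OR 1=1` changes the meaning of the weak query and returns the non-public row, while the hardened handler rejects and logs it before any SQL runs.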

