Home page logo

fulldisclosure logo Full Disclosure mailing list archives

phion airlock Web Application Firewall:
From: "Kirchner Michael" <sec08003 () fh-hagenberg at>
Date: Wed, 1 Jul 2009 08:12:58 +0200


Security Advisory


Vulnerable Software:     phion airlock Web Application Firewall

Vulnerable Version:        4.1-10.41

Homepage:                        http://www.phion.com/

Found by:                            Michael Kirchner, Wolfgang
Neudorfer, Lukas Nothdurfter (Team h4ck!nb3rg)  

Impact:                                 Remote Denial of Service via
Management Interface (unauthenticated) and Command Execution



Product Description


phion's web application firewall (WAF) airlock provides a unique
combination of protective mechanisms for web applications. Whether you
want to observe PCI DSS, safeguard online banking or protect e-commerce
applications:  airlock ensures sustained and manageable web application




Vulnerability Description


The phion airlock Web Application Firewall operates as a reverse proxy
between the clients and the web server to be protected. All HTTP
requests are checked before being forwarded to the web server. The
system can be administered via a seperate management interface which is
normally not accessible for external users. By sending a specially
crafted HTTP GET request an attacker with access to the management
interface (but no authentication needed) is able to conduct a denial of
service attack. The vendor describes the vulnerability as follows:

"The airlock Configuration Center shows many system monitoring charts to
check the system status and history. These images are generated on the
fly by a CGI script, and the image size is part of the URL parameter.
Unreasonably large values for the width and height parameters will cause
excessive resource consumption. Depending on the actual load and the
memory available, the system will be out-of-service for some minutes or
crash completely, making a reboot necessary."

[Source: https://techzone.phion.com/dos-vulnerability-4.1-sysmon-images]

Further research showed that the vulnerability can also be used to
execute arbitrary system commands. This allows attackers to run
operating system commands under the user of the web server
(uid=12359(wwwca) gid=54329(wwwca)).



Proof of Conept


A denial of service or execution of arbitrary system commands can be
accomplished by a single HTTP request if an attacker can reach the
management interface IP address of the WAF. According exploits will not
be published.



Vulnerable Versions


The tested version was 4.1-10.41. Prior versions are also likely to be





The vendor provides a hotfix as well as an updated version of the

The hotfix can be downloaded at:



Contact Timeline


2009-04-27: Vendor informed

2009-04-28: Inital vendor reply

2009-04-29: Vulnerability confirmed and manual workaround available at
phion techzone

2009-05-12: Hotfix and updated version available

2009-07-01: Public release 



Further information


Information about the web application firewall project this advisory
originates from can be found at:




Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • phion airlock Web Application Firewall: Kirchner Michael (Jul 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]