Joint Trustwave's SpiderLabs Security Advisory TWSL2009-001 and EnableSecurity Advisory ES-20090500: Profense Web Application Firewall and Load Balancer multiple vulnerabilities

Published: 2009-05-19
Version: 1.0
Vendor: Armorlogic (http://www.armorlogic.com/)

Description:
Profense is a web application firewall and load balancer designed to help organizations become compliant. It features scalability and acceleration of complex SSL-enabled web applications.

Credit: Wendel Guglielmetti Henrique of Trustwave's SpiderLabs and Sandro Gauci of EnableSecurity.

Finding 1
CVE: CVE-2009-1593
Versions affected: Versions 2.4.x prior to version 2.4.4 and versions 2.2.x prior to version 2.2.22

Cross-Site Scripting Filter Evasion (low-risk):
Versions 2.4 and 2.2 of Profense Web Application Firewall with the default configuration in negative model (blacklist approach) can be evaded to inject Cross-Site Scripting (XSS). The problem is due to the built-in core rules, which can be abused using the flexibility provided by HTML and JavaScript.

The vulnerability can be reproduced by injecting a common XSS attack into a vulnerable application protected by Profense Web Application Firewall. Inserting extra characters in the JavaScript close tag will bypass the XSS protection mechanisms. An example is shown below:

http://testcases/phptest/xss.php?var=abcdef%3Cembed%3Eaaaaaaa%3Cscript%3Ealert(document.cookie)%3C/script%20ByPass%3E

Vendor Response: This issue is resolved in version 2.4.4.

Finding 2
CVE: CVE-2009-1594
Versions affected: Versions 2.4.x prior to version 2.4.4 and versions 2.2.x prior to version 2.2.22

White-List Filter Evasion (medium-risk):
Versions 2.4 and 2.2 of Profense Web Application Firewall configured with the strong positive model (white-list approach) can be evaded to launch various attacks including XSS (Cross-Site Scripting), SQL Injection, remote command execution, and others. The vulnerability can be reproduced by making use of a URL-encoded new line character.
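The white-list evasion in Finding 2 rests on line-anchored pattern matching. The following Python is an added illustration, not Profense's code: a hypothetical positive-model rule evaluated in multi-line mode (which accepts the advisory's sample value because its second line is clean) beside the same rule anchored to the whole decoded value.

```python
import re
from urllib.parse import unquote

# Constructed request values (not from the advisory's test environment):
# a clean one, and one whose first line carries a payload and whose second
# line, separated by a URL-encoded newline (%0A), is harmless.
CLEAN_RAW = "hello%20world"
EVASION_RAW = "%3CEvil%20script%20goes%20here%3E=%0AByPass"

# Hypothetical positive-model rule: the parameter may contain only letters,
# digits, spaces and '='. Anything else (angle brackets, newlines) must fail.
ALLOWED_CHARS = r"[A-Za-z0-9 =]*"


def weak_whitelist_allows(raw_value: str) -> bool:
    """Vulnerable check, modelled on the advisory's description: ^ and $ are
    evaluated in MULTILINE mode, so they anchor to individual lines and
    re.search succeeds as soon as ANY line is clean. For EVASION_RAW the
    second line "ByPass" satisfies the rule and the whole value is accepted."""
    value = unquote(raw_value)
    return re.search("^" + ALLOWED_CHARS + "$", value, re.MULTILINE) is not None


def strict_whitelist_allows(raw_value: str) -> bool:
    """Hardened check: re.fullmatch anchors the rule to the entire decoded
    value (no MULTILINE, and none of the trailing-newline leniency a bare $
    gives even without MULTILINE), so a newline or '<' anywhere rejects it."""
    value = unquote(raw_value)
    return re.fullmatch(ALLOWED_CHARS, value) is not None


def compare(raw_value: str) -> dict:
    """Run both checks so the divergence is visible for a given value."""
    return {
        "decoded": unquote(raw_value),
        "weak_allows": weak_whitelist_allows(raw_value),
        "strict_allows": strict_whitelist_allows(raw_value),
    }


if __name__ == "__main__":
    for raw in (CLEAN_RAW, EVASION_RAW):
        print(compare(raw))
```

Decoding the parameter before matching matters as much as the anchoring: a rule applied to the still-encoded string never sees the newline that `%0A` becomes.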
The pattern matching in multi-line mode matches any non-hostile line and marks the whole request as legitimate, thus allowing the request. This results in a bypass of the positive model. An example is shown below:

http://testcases/phptest/xss.php?var=%3CEvil%20script%20goes%20here%3E=%0AByPass

Vendor Response: This issue is resolved in version 2.4.4.

Vendor Communication Timeline:
Oct 10, 2008: Initial contact.
Oct 10, 2008: Confirmation of the vulnerabilities.
Oct 11, 2008: Discussion of possible fixes.
Oct 13, 2008: Fix from Armorlogic complete.
Oct 14, 2008: Fix issued to customers.
May 19, 2009: Advisory public release.

Revision History:
1.0 Initial Publication

About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper(R) compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations, ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers, manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com

About Trustwave's SpiderLabs:
SpiderLabs is the advanced security team at Trustwave responsible for incident response and forensics, ethical hacking and application security tests for Trustwave's clients.
SpiderLabs has responded to hundreds of security incidents, performed thousands of ethical hacking exercises and tested the security of hundreds of business applications for Fortune 500 organizations. For more information visit https://www.trustwave.com/spiderLabs.php

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.