A new version of epesi was released today: version 1.2.2
http://sourceforge.net/projects/epesi/
This release does not include admin tools - if you need to use it, it can be downloaded from here:
http://sourceforge.net/projects/epesi/f ... _admin.zip
Admin tools should be used only for recovery (if something is not OK with epesi) and removed when not needed.
Explanation:
- The themeup.php script is fixed now and is secure.
- The other scripts are third-party apps and won't be fixed; they are exploitable only if the user has super administrator rights, so the vulnerability poses almost no risk.
This release addresses the following vulnerability:
==========================================
Vulnerability ID: HTB23061
Reference: https://www.htbridge.ch/advisory/multip ... i_bim.html
Product: epesi BIM
Vendor: Telaxus LLC ( http://www.epesibim.com/ )
Vulnerable Version: 1.2.0-rev8154 and probably prior
Tested Version: 1.2.0-rev8154
Public Disclosure: 21 December 2011
Vulnerability Type: XSS (Cross Site Scripting)
Risk level: Medium
Credit: High-Tech Bridge SA Security Research Lab ( https://www.htbridge.ch/advisory/ )
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in epesi BIM, which can be exploited to conduct cross-site scripting attacks.
1) Input passed via the "dir_atual" GET parameter to /admin/phpfm.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.
The following PoC code is available:
http://[host]/admin/phpfm.php?frame=3&dir_atual=%3Cscript%3Ealert%28123%29;%3C/script%3E
2) Input appended to the URL after /admin/themeup.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected site.
The following PoC code is available:
http://[host]/admin/themeup.php/%22%3E%3Cscript%3Ealert%28123%29;%3C/script%3E
Successful exploitation of this vulnerability requires that Apache's directive "AcceptPathInfo" is set to "on" or "default" (the default value is "default").
3) Input passed via the "msg" GET parameter to /admin/wfb.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.
The following PoC code is available:
http://[host]/admin/wfb.php?msg=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
Best regards,
High-Tech Bridge SA Security Research Lab
====================================
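The advisory above describes two reflection patterns: a GET parameter echoed into the page (items 1 and 3, "dir_atual" and "msg") and the extra path after the script name echoed into the page (item 2, which only works when Apache keeps PATH_INFO). The PHP below is an added example and is not epesi's code, not the admin tools' code and not from the advisory; only the parameter names and the /admin/themeup.php path are taken from the advisory, everything else (the function names, the HTML around the values, the sample request) is assumed. Each unsafe pattern is shown next to the output-encoding fix a maintainer would apply.

```php
<?php
// Added example (hypothetical page code, not epesi's). Parameter names
// "dir_atual", "msg" and the /admin/themeup.php path come from the advisory.

// Items 1 and 3: a GET value placed into an HTML attribute.
// Unsafe pattern: request data concatenated straight into markup.
function render_current_dir_unsafe(string $dir): string {
    return '<input type="hidden" name="dir_atual" value="' . $dir . '">';
}

// Hardened: encode for the attribute context. ENT_QUOTES also encodes single
// quotes, so the value cannot close the quoted attribute it sits in.
function render_current_dir(string $dir): string {
    $safe = htmlspecialchars($dir, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="dir_atual" value="' . $safe . '">';
}

// Item 2: a form action built from $_SERVER['PHP_SELF']. PHP_SELF includes the
// PATH_INFO suffix that Apache passes through when AcceptPathInfo is "on" or
// "default", so whatever followed themeup.php in the URL comes back in the page.
function form_action_unsafe(array $server): string {
    return '<form action="' . $server['PHP_SELF'] . '">';
}

// Hardened: SCRIPT_NAME is the script path without PATH_INFO, and it is still
// encoded because the request path is attacker-influenced data.
function form_action(array $server): string {
    $action = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form action="' . $action . '">';
}

// Item 3: a status message shown as element text; same encoding, text context.
function render_message(string $msg): string {
    return '<p class="msg">' . htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed sample request mirroring the advisory's PoC shapes (not real traffic).
$sampleServer = [
    'SCRIPT_NAME' => '/admin/themeup.php',
    'PHP_SELF'    => '/admin/themeup.php/"><script>alert(123);</script>',
];
$payload = '<script>alert(123);</script>';

echo render_current_dir_unsafe($payload), "\n"; // raw <script> lands in the page
echo render_current_dir($payload), "\n";        // &lt;script&gt;... is inert text
echo form_action_unsafe($sampleServer), "\n";   // attribute closed, script injected
echo form_action($sampleServer), "\n";          // action="/admin/themeup.php"
echo render_message($payload), "\n";            // encoded, displayed literally
```

Run it with `php example.php` and compare the unsafe and hardened lines pair by pair. The server-side complement for item 2 is `AcceptPathInfo Off` in the Apache configuration, which makes requests with a trailing path segment fail instead of reaching the script; the output encoding is still needed because PHP_SELF and SCRIPT_NAME reflect request data either way. For the `document.cookie` payload in item 3, marking the session cookie `HttpOnly` limits what a reflected script can read, but it does not replace fixing the reflection.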