Security Incidents Fixed

Fields per entry: CSAL-ID | Date | Vendor | Advisory | CVE Number | Vulnerability overview | Description

CSAL-ID: 51 | Date: 12-Jan-24 | Vendor: WP500-VN00001 | Advisory: WP500 Authorization | CVE Number: NA
Vulnerability overview: Authorisation or authentication
Description: OTP bypass is possible. It was found that OTP validation happens on the client side, not the server side. By trapping an OTP success response and injecting it into an OTP failure response, the bypass is possible, whereby a bogus or wrong OTP can be used.
URL: http://192.168.1.150/imageServlet

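The root cause recorded above is that the client, not the server, decides whether the OTP was correct, so a proxy can swap the failure response for a success response. The following Python sketch is an added example, not WP500 code, of the server-side alternative: the server keeps the code, its expiry and an attempt counter, and a protected resource such as the advisory's image servlet is served only when the server-side session records a verified OTP. The function names, the TTL and the attempt limit are assumptions made for the example.

```python
import hmac
import secrets
import time
from typing import Dict, Optional

# In-memory store of pending challenges keyed by user name. Constructed for this
# example; a deployment would keep it in a server-side store, but the property that
# matters is that only the server holds the code and the attempt counter.
_challenges: Dict[str, dict] = {}

OTP_TTL_SECONDS = 120     # assumed policy value
MAX_ATTEMPTS = 5          # assumed policy value


def issue_otp(user: str, now: Optional[float] = None) -> str:
    """Create a 6-digit one-time code for `user` and record it server-side.

    The code is delivered out of band (SMS, e-mail); it is never written into the
    page, so there is nothing client-side for a proxy to compare against.
    """
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(1_000_000):06d}"
    _challenges[user] = {"code": code, "issued": now, "attempts": 0}
    return code


def verify_otp(user: str, submitted: str, now: Optional[float] = None) -> bool:
    """The only place where success or failure is decided."""
    now = time.time() if now is None else now
    challenge = _challenges.get(user)
    if challenge is None:
        return False
    if now - challenge["issued"] > OTP_TTL_SECONDS:
        _challenges.pop(user, None)          # expired: discard, a new code must be issued
        return False
    if challenge["attempts"] >= MAX_ATTEMPTS:
        _challenges.pop(user, None)          # brute-force guard: force re-issue
        return False
    challenge["attempts"] += 1
    ok = hmac.compare_digest(challenge["code"].encode(), submitted.encode())
    if ok:
        _challenges.pop(user, None)          # one-time: consumed on success
    return ok


def handle_protected_request(session: dict, user: str,
                             submitted_otp: Optional[str] = None,
                             now: Optional[float] = None) -> int:
    """Serve a protected resource only when the server-side session records a
    verified OTP; the client's view of an earlier success or failure response
    plays no part in the decision. Returns the HTTP status to answer with."""
    if not session.get("otp_verified"):
        if submitted_otp is None or not verify_otp(user, submitted_otp, now):
            return 403
        session["otp_verified"] = True
    return 200
```

The `otp_verified` flag lives in the server-side session, so a client that has merely seen a "success" JSON body still gets 403 on the next request; the constant-time comparison and the attempt cap close the two other common gaps in OTP handlers.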
CSAL-ID: 52 | Date: 12-Jan-24 | Vendor: WP500-VN00002 | Advisory: WP500 unprivileged access | CVE Number: NA
Vulnerability overview: Unprivileged Access of Privilege URLs
Description: Unprivileged access to privileged URLs (i.e. URLs/links that should be accessible only after login) is possible. If an attacker simply knows the URL, they can enter it manually in the browser and hit enter, after which the content or data of that URL is accessible to any user without any validation or authorization.
URL: http://192.168.1.150/DownloadLogServlet?log_file=WP500_2020-09-20_10-16-12.log

CSAL-ID: 53 | Date: 12-Jan-24 | Vendor: WP500-VN00003 | Advisory: WP500 CSRF Attack | CVE Number: NA
Vulnerability overview: CSRF Attack Possible on Various Forms
Description: A cross-site request forgery (CSRF) attack is possible on the forms listed below. This lets an attacker, sitting remotely, create a dummy form and have it submitted using the valid session of a victim who is already logged in, delivered either via a chat application or a phishing attack. From a technical point of view, this is possible because of the lack of a CSRF token in the HTTP POST forms, which makes them vulnerable to remote request forgery. Replicating this problem is not easy; however, please read the solution mentioned below to fix the issue.
Affected forms:
1) CSRF - Parameter - Delete, Edit, Add - URL: http://192.168.1.150/OPCUAClientServlet
2) Parameter - Delete, Add - URL: http://192.168.1.150/tagMapping
3) Parameter - Add, Edit, Delete - URL: http://192.168.1.150/jsonBuilderServlet
4) Parameter - Edit, Add, Delete - URL: http://192.168.1.150/userServlet

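The advisory attributes the finding to the missing CSRF token in the POST forms. The following Python sketch is an added example, not WP500 code, of the synchronizer-token pattern that fixes it: the server puts a per-session random token into every form it renders, and a state-changing POST is accepted only when the submitted token matches the session copy. A page on another origin can make the victim's browser submit the form, but cannot read the page to learn the token. An Origin-header check is included as defence in depth. The function names are assumptions; `SITE_ORIGIN` uses the host from the advisory's URLs.

```python
import hmac
import html
import secrets
from typing import Dict

TOKEN_FIELD = "csrf_token"
# Origin of the WP500 web interface, taken from the advisory's URLs; adjust to the
# real host name. Used for the defence-in-depth Origin check in handle_post().
SITE_ORIGIN = "https://192.168.1.150"


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Return the per-session token, creating it on first use."""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def render_form(session: Dict[str, str], action_path: str, fields: Dict[str, str]) -> str:
    """Render a POST form that carries the session token in a hidden field."""
    token = issue_csrf_token(session)
    inputs = [f'<input type="hidden" name="{TOKEN_FIELD}" value="{html.escape(token)}">']
    for name, value in fields.items():
        inputs.append(
            f'<input type="text" name="{html.escape(name)}" value="{html.escape(value)}">'
        )
    return f'<form method="POST" action="{html.escape(action_path)}">' + "".join(inputs) + "</form>"


def verify_csrf(session: Dict[str, str], form: Dict[str, str]) -> bool:
    """Compare the submitted token with the session copy in constant time."""
    expected = session.get(TOKEN_FIELD)
    submitted = form.get(TOKEN_FIELD)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_post(session: Dict[str, str], form: Dict[str, str], headers: Dict[str, str]) -> int:
    """Server-side handling of a state-changing POST (delete / edit / add).
    Returns the HTTP status the server should answer with."""
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403                      # defence in depth: request came from another site
    if not verify_csrf(session, form):
        return 403                      # missing or mismatched token: forged request
    # the real delete / edit / add action would run here
    return 200
```

The token is per session rather than per form, which is enough for this pattern; the Origin check is secondary because older clients may omit the header, so its absence is tolerated while a mismatching value is rejected.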
CSAL-ID: 54 | Date: 12-Jan-24 | Vendor: WP500-VN00004 | Advisory: WP 500 CSV | CVE Number: NA
Vulnerability overview: CSV Injection Attack Found
Description: A CSV injection attack was found on the mentioned URL.
Steps to replicate the attack:
1. Login using wp500
2. Go to Tag mapping under Service tab
3. Add a record and give the tag name as =calc|a!z command
4. Save this record. Then click on Export Data
5. Open the downloaded XLSX; the command gets executed and the calculator opens.
URL - http://192.168.1.150/TagMapping.jsp
Parameter - Tag Name, PV address

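The export is the place to fix this: whatever a user typed into Tag Name or PV address must leave the server as text the spreadsheet will not evaluate. The following Python sketch is an added example, not WP500 code, of the usual neutralization for a CSV export: any cell that begins with a formula trigger (`=`, `+`, `-`, `@`, tab, carriage return) is prefixed with an apostrophe, plain numbers such as `-5` are left alone so addresses and values survive, and every cell is quoted. The function names are assumptions; the sample rows are constructed.

```python
import csv
import io
from typing import Iterable, Sequence

# Leading characters that spreadsheet applications treat as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@")


def _is_plain_number(text: str) -> bool:
    """'-5' or '+3.5' are ordinary numbers and may be exported as they are."""
    try:
        float(text)
        return True
    except ValueError:
        return False


def neutralize_cell(value: object) -> str:
    """Return `value` as text that a spreadsheet will not evaluate as a formula."""
    text = "" if value is None else str(value)
    if text[:1] in ("\t", "\r"):
        return "'" + text              # control-character prefixes are also triggers
    stripped = text.lstrip()           # importers ignore leading blanks before a trigger
    if stripped and stripped[0] in FORMULA_TRIGGERS and not _is_plain_number(stripped):
        return "'" + text              # leading apostrophe forces text interpretation
    return text


def export_rows(header: Sequence[str], rows: Iterable[Sequence[object]]) -> str:
    """Write header and rows as CSV with every cell quoted and neutralized."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([neutralize_cell(h) for h in header])
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: the advisory's payload in Tag Name, a normal value next to it.
    print(export_rows(["Tag Name", "PV address"], [["=calc|a!z", "40001"], ["Pump 1", "-5"]]))
```

If the export is produced as XLSX rather than CSV (the advisory mentions a downloaded XLSX), the same rule applies: write the cell as a string type with the apostrophe prefix rather than letting the library infer a formula from a leading `=`. Input validation on Tag Name at save time is a useful second layer, but the export must be safe on its own because existing records may already contain such values.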
CSAL-ID: 55 | Date: 12-Jan-24 | Vendor: WP500-VN00005 | Advisory: WP500 Vulnerable apache | CVE Number: NA
Vulnerability overview: Vulnerable Apache Tomcat Version Found
Description: A vulnerable version of Apache Tomcat was found in use, with multiple vulnerabilities: Apache Tomcat: Important: Remote Code Execution (CVE-2016-8735) (apache-tomcat-cve-2016-8735), (CVE-2017-5651) (apache-tomcat-cve-2017-5651), (CVE-2018-8014) (apache-tomcat-cve-2018-8014), (CVE-2022-25762) (apache-tomcat-cve-2022-25762).
Vulnerable software installed: Apache Tomcat 8.5.5

CSAL-ID: 56 | Date: 12-Jan-24 | Vendor: WP500-VN00006 | Advisory: WP500 Privilege Escalation | CVE Number: NA
Vulnerability overview: Privilege Escalation via Form Submission
Description: Privilege escalation is possible by replaying the entire form of an HTTP POST or HTTP GET request. Steps to replicate the attack:
1. Login as admin user.
2. Capture the below POST requests using a proxy tool and save these requests in the repeater.
3. Logout of admin and login as operator user.
4. Now repeat the above-saved requests using the session of the operator user.
5. The operator will be able to perform the mentioned actions, which are disabled in the application.
6. To verify the same, login back as admin and check that the changes made by the operator are updated.
URLs:
https://192.168.1.150/userServlet (user_action = update, delete, update_user_password, add)
https://192.168.1.150/BasicConfigurationServlet
Note: Similarly for all such POST requests

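Entries 52 and 56 share one root cause: the server trusts that a request could only have come from a UI that was allowed to show it. The following Python sketch is an added example, not WP500 code, of the server-side check that closes both: every request is first authenticated (a URL typed into a browser without a login gets 401, which a real servlet would turn into a redirect to the login page), then matched against a per-servlet, per-action role policy (an admin's captured request replayed under an operator session gets 403), with unknown servlets or actions denied by default. The servlet paths and `user_action` values come from the advisory; the role names follow its steps; the read-only actions `list`, `view` and `download` and the function names are assumptions.

```python
from typing import Dict, Optional, Set

# Policy table: which roles may perform which action on which servlet. The paths and
# the user_action values come from the advisory; "admin" and "operator" are the roles
# its steps mention; the read-only actions "list", "view" and "download" are assumed.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "/userServlet": {
        "add": {"admin"},
        "update": {"admin"},
        "delete": {"admin"},
        "update_user_password": {"admin"},
        "list": {"admin", "operator"},
    },
    "/BasicConfigurationServlet": {
        "save": {"admin"},
        "view": {"admin", "operator"},
    },
    "/DownloadLogServlet": {
        "download": {"admin", "operator"},
    },
}

# Action implied by a request that carries no user_action parameter (assumed).
DEFAULT_ACTION = {"/DownloadLogServlet": "download", "/BasicConfigurationServlet": "view"}

# Actions that do not change state and may therefore be reached with GET.
READ_ONLY = {"list", "view", "download"}


def authorize(session: Optional[Dict[str, object]], path: str, action: str) -> int:
    """Return the HTTP status the server should answer with. Every decision is
    taken here from server-side session state, never from what the UI hides."""
    if not session or not session.get("authenticated"):
        return 401          # URL entered without logging in
    allowed = POLICY.get(path, {}).get(action)
    if allowed is None:
        return 404          # deny by default: unknown servlet or action
    if session.get("role") not in allowed:
        return 403          # an admin's captured request replayed by an operator
    return 200


def handle_request(session: Optional[Dict[str, object]], method: str,
                   path: str, params: Dict[str, str]) -> int:
    """Dispatch a GET or POST: resolve the action, authorize, then refuse state
    changes over GET. Only after all three checks would the action run."""
    action = params.get("user_action") or DEFAULT_ACTION.get(path, "")
    status = authorize(session, path, action)
    if status != 200:
        return status
    if method != "POST" and action not in READ_ONLY:
        return 405          # state-changing actions are POST only
    # the action itself would run here
    return 200
```

The policy table is the one artefact worth reviewing with the product team: every servlet and every `user_action` the application accepts must appear in it, because anything not listed is refused.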
CSAL-ID: 57 | Date: 12-Jan-24 | Vendor: WP500-VN00007 | Advisory: WP500 x frame option | CVE Number: NA
Vulnerability overview: Click jacking Due to Missing X-Frame-Options Header
Description: Clickjacking found: the X-Frame-Options header is missing. This lets the browser render the webpage inside a <frame> or <script> on another site, making it a spam-supporter for malicious websites.

CSAL-ID: 58 | Date: 12-Jan-24 | Vendor: WP500-VN00008 | Advisory: WP 500 HTTPs | CVE Number: NA
Vulnerability overview: Insecure Transition from HTTPS to HTTP
Description: An insecure transition from HTTPS to HTTP was found in a form post, giving a chance of information disclosure or a man-in-the-middle attack.

CSAL-ID: 59 | Date: 12-Jan-24 | Vendor: WP500-VN00009 | Advisory: WP 500 TLS support | CVE Number: NA
Vulnerability overview: TLS Server Supports Outdated TLS 1.0
Description: TLS Server Supports TLS version 1.0 (tlsv1_0-enabled)

CSAL-ID: 60 | Date: 12-Jan-24 | Vendor: WP500-VN00010 | Advisory: WP 500 session limit | CVE Number: NA
Vulnerability overview: No Limit on Concurrent Sessions
Description: No limit was found to be implemented on the number of concurrent sessions per interface for any given user (human, software process or device).

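The following Python sketch is an added example, not WP500 code, of how a per-user session cap is enforced on the server: a registry records every live session ID under its user, and a login that would exceed the limit either evicts the oldest session (the default here) or is refused (`reject_new=True`). The class and method names and the limit of two sessions are assumptions made for the example.

```python
import secrets
from collections import OrderedDict
from typing import Dict, Optional

MAX_SESSIONS_PER_USER = 2    # assumed policy value; the advisory states no limit existed


class SessionRegistry:
    """Tracks live session IDs per user and enforces a per-user cap.

    Two policies are common: evict the oldest session when the cap is reached
    (default), or reject the new login (reject_new=True). Either way the count
    is enforced on the server, per user, and never left to the client.
    """

    def __init__(self, limit: int = MAX_SESSIONS_PER_USER, reject_new: bool = False):
        self.limit = limit
        self.reject_new = reject_new
        self._by_user: Dict[str, "OrderedDict[str, float]"] = {}   # user -> sid -> login time
        self._owner: Dict[str, str] = {}                            # sid -> user

    def login(self, user: str, now: float) -> Optional[str]:
        """Create a session for `user`; returns the new session ID, or None if refused."""
        sessions = self._by_user.setdefault(user, OrderedDict())
        if len(sessions) >= self.limit:
            if self.reject_new:
                return None
            while len(sessions) >= self.limit:
                oldest_sid, _ = sessions.popitem(last=False)   # FIFO eviction
                self._owner.pop(oldest_sid, None)
        sid = secrets.token_urlsafe(32)
        sessions[sid] = now
        self._owner[sid] = user
        return sid

    def is_valid(self, sid: str) -> bool:
        """True while the session has neither been logged out nor evicted."""
        return sid in self._owner

    def logout(self, sid: str) -> None:
        user = self._owner.pop(sid, None)
        if user is not None:
            self._by_user[user].pop(sid, None)

    def active_count(self, user: str) -> int:
        return len(self._by_user.get(user, ()))
```

Which policy to pick is an operational choice: eviction guarantees an operator can always get in, rejection guarantees an existing session is never silently cut; both produce an auditable event worth logging. A session must also be checked with `is_valid` on every request, not only at login, or eviction has no effect.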
CSAL-ID: 61 | Date: 12-Jan-24 | Vendor: WP500-VN00011 | Advisory: WP 500 web server | CVE Number: NA
Vulnerability overview: Error Page Discloses Web Server Details
Description: The error page discloses web server details.

CSAL-ID: 62 | Date: 12-Jan-24 | Vendor: WP500-VN00012 | Advisory: WP 500 form fields | CVE Number: NA
Vulnerability overview: Autocomplete Enabled on Form Fields
Description: Form fields with autocomplete enabled were found. This can make the form data prone to client-side human-based or trojan-based attacks, leading to loss of data confidentiality.

CSAL-ID: 63 | Date: 12-Jan-24 | Vendor: WP500-VN00013 | Advisory: WP500 web securities | CVE Number: NA
Vulnerability overview: Missing HTTP Security Headers
Description: The following HTTP security headers are missing: Content Security Policy (CSP), X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options

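Entries 57 and 63 both come down to response headers that are absent. The following Python sketch is an added example, not WP500 code, of a check a defender can run over captured response headers to confirm the fix: it reports each of the four headers as missing or weak, and additionally flags a CSP without `frame-ancestors` (the CSP counterpart of X-Frame-Options for clickjacking) and an HSTS `max-age` shorter than a year. `hardened_headers()` returns an illustrative set that passes; the function names and the sample header sets are constructed for the example.

```python
import re
from typing import Dict, List

# Header name -> accepted values (lower-cased); None means any non-empty value is
# accepted at this stage and inspected further below.
REQUIRED_HEADERS = {
    "content-security-policy": None,
    "x-frame-options": ("deny", "sameorigin"),
    "strict-transport-security": None,
    "x-content-type-options": ("nosniff",),
}
ONE_YEAR = 31536000


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one HTTP response's headers; an empty list means
    all four headers are present with sane values."""
    lower = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []
    for name, accepted in REQUIRED_HEADERS.items():
        value = lower.get(name)
        if value is None or not value.strip():
            findings.append(f"missing {name}")
        elif accepted is not None and value.strip().lower() not in accepted:
            findings.append(f"weak {name}: {value}")
    csp = lower.get("content-security-policy", "")
    if csp and "frame-ancestors" not in csp:
        findings.append("content-security-policy lacks frame-ancestors (clickjacking not covered by CSP)")
    hsts = lower.get("strict-transport-security", "")
    if hsts:
        match = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if match is None or int(match.group(1)) < ONE_YEAR:
            findings.append(f"strict-transport-security max-age below one year: {hsts}")
    return findings


def hardened_headers() -> Dict[str, str]:
    """A header set that passes the audit. Values are illustrative; the CSP in
    particular must be tuned to the scripts and styles the application loads."""
    return {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample resembling the advisory's finding: no security headers at all.
    observed = {"Content-Type": "text/html;charset=UTF-8", "Content-Length": "1024"}
    for finding in audit_headers(observed):
        print(finding)
```

Run the audit against every response type (HTML pages, JSON from the servlets, error pages), since a filter that only covers one servlet mapping is a common reason a header fix does not fully close the finding.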
CSAL-ID: 64 | Date: 12-Jan-24 | Vendor: WP500-VN00014 | Advisory: WP 500 apache tomcat files | CVE Number: NA
Vulnerability overview: Default Apache Tomcat Files Present
Description: Apache Tomcat default files. The remote web server contains default files. The following default files were found:
http://taswp500/docs/
http://taswp500/examples/servlets/index.html
http://taswp500/examples/jsp/index.html
http://taswp500/examples/websocket/index.xhtml

CSAL-ID: 65 | Date: 12-Jan-24 | Vendor: WP500-VN00015 | Advisory: WP500 open port | CVE Number: NA
Vulnerability overview: Open Ports Found Internally
Description: The following ports were found open internally on 192.168.1.150: 80, 443, 502, 1200, 5355, 6801, 8009, 9000, 12686

CSAL-ID: 66 | Date: 12-Jan-24 | Vendor: WP500-VN00016 | Advisory: WP500 vulnerabilities | CVE Number: NA
Vulnerability overview: No Vulnerabilities Found with Auxiliary Scans on Open Ports
Description: Payloads, exploits and auxiliaries were run against the open ports found on this IP: 192.168.1.150, on all corresponding open ports. Modules used: auxiliary/scanner/http/ssl, auxiliary/scanner/ssl/openssl_heartbleed, auxiliary/scanner/http/http_version, auxiliary/scanner/http/options, auxiliary/scanner/http/robots_txt, auxiliary/admin/http/tomcat_utf8_traversal and more . . .