An advisory by EnableSecurity.
Affected Versions: version 4.0
Fixed versions: 4.01-3 (and later)
Applicure dotDefender is a Web Application Firewall that can be installed on
Windows and Linux servers.
From their website (applicure.com):
"dotDefender is the market-leading software Web Application Firewall (WAF).
dotDefender boasts enterprise-class security, advanced integration capabilities,
easy maintenance and low total cost of ownership (TCO). dotDefender is the
perfect choice for protecting your website and web applications today."
These vulnerabilities were discovered during WAF testing by Sandro Gauci of
EnableSecurity. We contacted Applicure on May 17, 2010 about this vulnerability.
They were already working on a fix.
The log viewer facility in dotDefender does not properly HTML-encode user
supplied input. This leads to a cross-site scripting vulnerability when the log
viewer displays HTTP headers.
One may use curl and insert headers containing html tags using the --header
curl "http://website.org/c?a=<script>" \
--header "<script>alert(1)</script>: aa"
When the administrator views the log viewer page, his/her web browser will
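The defect class described above, as an added illustration that is not dotDefender's code or part of the original advisory: a minimal log-viewer renderer in the unescaped form beside an HTML-encoding form, plus a detection helper that flags header names containing characters no RFC 7230 token may carry. The LoggedRequest type, the render_* and suspicious_header_names functions and the sample record are constructed for this example.

```python
"""Log-viewer rendering: the unescaped pattern the advisory describes, beside an
HTML-encoding version. Hypothetical helper code, not dotDefender's own."""
import html
import re
from dataclasses import dataclass, field

# RFC 7230 "token" characters permitted in an HTTP header field-name.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


@dataclass
class LoggedRequest:
    method: str
    path: str  # raw request-target as received, e.g. "/c?a=<script>"
    headers: list = field(default_factory=list)  # list of (name, value) pairs


def render_vulnerable(req: LoggedRequest) -> str:
    """Interpolates attacker-controlled fields straight into markup.
    This mirrors the defect in the advisory: nothing is HTML-encoded, so a
    header name such as <script>alert(1)</script> becomes live markup."""
    rows = "".join(f"<tr><td>{n}</td><td>{v}</td></tr>" for n, v in req.headers)
    return f"<h2>{req.method} {req.path}</h2><table>{rows}</table>"


def _esc(value: str) -> str:
    # quote=True also encodes " and ' so the result is safe inside attributes.
    return html.escape(value, quote=True)


def render_hardened(req: LoggedRequest) -> str:
    """Same layout, but every logged field is HTML-encoded before it reaches
    the administrator's browser. The data is still shown verbatim, just inert."""
    rows = "".join(
        f"<tr><td>{_esc(n)}</td><td>{_esc(v)}</td></tr>" for n, v in req.headers
    )
    return f"<h2>{_esc(req.method)} {_esc(req.path)}</h2><table>{rows}</table>"


def suspicious_header_names(req: LoggedRequest) -> list:
    """Detection aid for log review: header names that are not RFC 7230 tokens.
    A conforming client never sends '<', '>' or whitespace in a field-name, so a
    hit is worth an alert regardless of whether the viewer encodes output."""
    return [n for n, _ in req.headers if not _TOKEN_RE.match(n)]


# Constructed sample record mirroring the curl request shown in the advisory.
SAMPLE = LoggedRequest(
    method="GET",
    path="/c?a=<script>",
    headers=[("Host", "website.org"), ("<script>alert(1)</script>", "aa")],
)

if __name__ == "__main__":
    print(render_vulnerable(SAMPLE))
    print(render_hardened(SAMPLE))
    print(suspicious_header_names(SAMPLE))
```

Output encoding is the fix the advisory's patched version needs; the token check is an independent, cheap signal for anyone reviewing WAF logs, since it fires on the malformed header name itself rather than on any particular payload.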
The following demo shows how an attacker can switch off dotDefender in order to
bypass any "protection" offered by the WAF:
May 17, 2010: Initial contact
Jun 01, 2010: Release of this advisory
Upgrade to the latest version of dotDefender: