Details of VAR-201105-0113

ID

VAR-201105-0113

CVE

CVE-2011-1902

TITLE

Proofpoint Protection Server contains multiple vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#790980

DESCRIPTION

Directory traversal vulnerability in the web interface in Proofpoint Messaging Security Gateway 6.2.0.263:6.2.0.237 and earlier in Proofpoint Protection Server 5.5.3, 5.5.4, 5.5.5, 6.0.2, 6.1.1, and 6.2.0 allows remote attackers to read arbitrary files via unspecified vectors. Proofpoint Protection Server Has multiple vulnerabilities. Proofpoint Protection Server Includes authentication bypass, command injection, SQL Multiple vulnerabilities exist, including injection and directory traversal. Clear Skies Security's advisory of TECHNICAL DETAILS Describes each vulnerability as follows: "Enduser Authentication Bypass User-level access to the Proofpoint mail filter web interface can be obtained as any available user without providing the user’s login credentials. Proofpoint SQL Injection A publicly accessible function in the Proofpoint interface is vulnerable to SQL Injection. Proofpoint Command Injection A function in the Proofpoint web interface can be manipulated into executing any command on the server. Proofpoint Forced Browsing / Insufficient Page Authorization Some administrative modules are accessible without authenticating with the application."A remote attacker could execute arbitrary commands or download arbitrary files. An authentication-bypass vulnerability 2. A command-injection vulnerability 3. An SQL-injection vulnerability 4. A security-bypass vulnerability 5. A directory-traversal vulnerability Attackers may exploit these issues to retrieve arbitrary files from the affected application, compromise the application, obtain sensitive information, access or modify data, exploit latent vulnerabilities in the underlying database, and gain administrative access to the affected application. ---------------------------------------------------------------------- Secunia is hiring! http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: Proofpoint Enterprise Protection Multiple Vulnerabilities SECUNIA ADVISORY ID: SA44457 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/44457/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=44457 RELEASE DATE: 2011-05-04 DISCUSS ADVISORY: http://secunia.com/advisories/44457/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/44457/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=44457 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Proofpoint Enterprise Protection, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, bypass certain security restrictions, disclose sensitive information, and compromise a vulnerable system. 1) Input passed via the "displayprogress" parameter to enduser/process.cgi is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Note: This vulnerability only affects version 5.5.5. 3) Certain unspecified input is not properly verified before being used to access files. 4) Certain unspecified input is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. 5) An error in the application allows access to certain administrative modules without checking for authentication. 6) Certain unspecified input is not properly sanitised before being used and can be exploited to inject and execute arbitrary commands. SOLUTION: Apply patches. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: 1) Karan Khosla, Sense of Security Labs. 2 - 6) Scott Miles, Clear Skies Security via US-CERT. ORIGINAL ADVISORY: Proofpoint: https://support.proofpoint.com/article.cgi?article_id=338413 Sense of Security Labs: http://www.senseofsecurity.com.au/advisories/SOS-11-005 US-CERT VU#790980: http://www.kb.cert.org/vuls/id/790980 Clear Skies Security: http://www.clearskies.net/documents/css-advisory-css1105-proofpoint.php OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 3.78

sources: NVD: CVE-2011-1902 // CERT/CC: VU#790980 // JVNDB: JVNDB-2011-004591 // JVNDB: JVNDB-2011-001625 // BID: 47675 // BID: 78468 // VULHUB: VHN-49847 // PACKETSTORM: 101135

AFFECTED PRODUCTS

vendor:	proofpoint	model:	protection server	scope:	eq	version:	6.0.2	Trust: 2.7
vendor:	proofpoint	model:	protection server	scope:	eq	version:	5.5.5	Trust: 2.7
vendor:	proofpoint	model:	protection server	scope:	eq	version:	5.5.4	Trust: 2.7
vendor:	proofpoint	model:	protection server	scope:	eq	version:	5.5.3	Trust: 2.7
vendor:	proofpoint	model:	protection server	scope:	eq	version:	6.1.1	Trust: 2.7
vendor:	proofpoint	model:	protection server	scope:	eq	version:	6.2.0	Trust: 1.6
vendor:	proofpoint	model:	messaging security gateway	scope:	lte	version:	6.2.0.263\:6.2.0.237	Trust: 1.0
vendor:	proofpoint	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	proofpoint	model:	messaging security gateway	scope:	lte	version:	6.2.0.263:6.2.0.237	Trust: 0.8
vendor:	proofpoint	model:	protection server	scope:	eq	version:	and 6.2.0	Trust: 0.8
vendor:	proofpoint	model:	protection server	scope:	-	version:	-	Trust: 0.8
vendor:	proofpoint	model:	messaging security gateway	scope:	eq	version:	6.2.0.263\:6.2.0.237	Trust: 0.6
vendor:	proofpoint	model:	inc proofpoint protection server	scope:	eq	version:	6.2.0	Trust: 0.3
vendor:	proofpoint	model:	inc proofpoint protection server	scope:	eq	version:	6.1.1	Trust: 0.3
vendor:	proofpoint	model:	inc proofpoint protection server	scope:	eq	version:	6.0.2	Trust: 0.3
vendor:	proofpoint	model:	inc proofpoint protection server	scope:	eq	version:	5.5.5	Trust: 0.3
vendor:	proofpoint	model:	inc proofpoint protection server	scope:	eq	version:	5.5.4	Trust: 0.3
vendor:	proofpoint	model:	inc proofpoint protection server	scope:	eq	version:	5.5.3	Trust: 0.3
vendor:	proofpoint	model:	protection server	scope:	eq	version:	6.3	Trust: 0.3
vendor:	proofpoint	model:	messaging security gateway 6.2.0.263%3a6.2.0.23	scope:	-	version:	-	Trust: 0.3

sources: CERT/CC: VU#790980 // BID: 47675 // BID: 78468 // JVNDB: JVNDB-2011-004591 // JVNDB: JVNDB-2011-001625 // CNNVD: CNNVD-201105-066 // NVD: CVE-2011-1902

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2011-1902
value:	MEDIUM
Trust: 1.0
CARNEGIE MELLON:	VU#790980
value:	22.50
Trust: 0.8
NVD:	CVE-2011-1902
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201105-066
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-49847
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2011-1902
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-49847
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CERT/CC: VU#790980 // VULHUB: VHN-49847 // JVNDB: JVNDB-2011-004591 // CNNVD: CNNVD-201105-066 // NVD: CVE-2011-1902

PROBLEMTYPE DATA

problemtype:

CWE-22

Trust: 1.9

sources: VULHUB: VHN-49847 // JVNDB: JVNDB-2011-004591 // NVD: CVE-2011-1902

THREAT TYPE

network

Trust: 0.6

sources: BID: 47675 // BID: 78468

TYPE

Input Validation Error

Trust: 0.6

sources: BID: 47675 // BID: 78468

CONFIGURATIONS

sources: JVNDB: JVNDB-2011-004591

PATCH

title:	Top Page	url:	http://www.proofpoint.com/	Trust: 0.8
title:	Top Page	url:	http://www.proofpoint.com	Trust: 0.8
title:	Call Tracking System - Login (Customer Support web site）	url:	https://support.proofpoint.com/article.cgi?article_id=338413	Trust: 0.8

sources: JVNDB: JVNDB-2011-004591 // JVNDB: JVNDB-2011-001625

EXTERNAL IDS

db:	CERT/CC	id:	VU#790980	Trust: 4.8
db:	NVD	id:	CVE-2011-1902	Trust: 2.8
db:	JVNDB	id:	JVNDB-2011-004591	Trust: 0.8
db:	JVNDB	id:	JVNDB-2011-001625	Trust: 0.8
db:	CNNVD	id:	CNNVD-201105-066	Trust: 0.7
db:	BID	id:	78468	Trust: 0.4
db:	BID	id:	47675	Trust: 0.3
db:	SECUNIA	id:	44457	Trust: 0.2
db:	VULHUB	id:	VHN-49847	Trust: 0.1
db:	PACKETSTORM	id:	101135	Trust: 0.1

sources: CERT/CC: VU#790980 // VULHUB: VHN-49847 // BID: 47675 // BID: 78468 // JVNDB: JVNDB-2011-004591 // JVNDB: JVNDB-2011-001625 // PACKETSTORM: 101135 // CNNVD: CNNVD-201105-066 // NVD: CVE-2011-1902

REFERENCES

url:	http://www.kb.cert.org/vuls/id/790980	Trust: 4.0
url:	http://www.clearskies.net/documents/css-advisory-css1105-proofpoint.php	Trust: 2.9
url:	https://support.proofpoint.com/article.cgi?article_id=338413	Trust: 2.9
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-1902	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-1902	Trust: 0.8
url:	http://jvn.jp/cert/jvnvu790980	Trust: 0.8
url:	http://www.proofpoint.com/products/index.php	Trust: 0.3
url:	http://secunia.com/advisories/44457/	Trust: 0.1
url:	https://ca.secunia.com/?page=viewadvisory&vuln_id=44457	Trust: 0.1
url:	http://www.senseofsecurity.com.au/advisories/sos-11-005	Trust: 0.1
url:	http://secunia.com/products/corporate/evm/	Trust: 0.1
url:	http://secunia.com/company/jobs/	Trust: 0.1
url:	http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/	Trust: 0.1
url:	http://secunia.com/advisories/secunia_security_advisories/	Trust: 0.1
url:	http://secunia.com/advisories/44457/#comments	Trust: 0.1
url:	http://secunia.com/vulnerability_scanning/personal/	Trust: 0.1
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.1
url:	http://secunia.com/advisories/about_secunia_advisories/	Trust: 0.1

CREDITS

Scott Miles of Clear Skies Security.

Trust: 0.3

sources: BID: 47675

SOURCES

db:	CERT/CC	id:	VU#790980
db:	VULHUB	id:	VHN-49847
db:	BID	id:	47675
db:	BID	id:	78468
db:	JVNDB	id:	JVNDB-2011-004591
db:	JVNDB	id:	JVNDB-2011-001625
db:	PACKETSTORM	id:	101135
db:	CNNVD	id:	CNNVD-201105-066
db:	NVD	id:	CVE-2011-1902

LAST UPDATE DATE

2025-04-11T23:02:07.117000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#790980	date:	2011-05-02T00:00:00
db:	VULHUB	id:	VHN-49847	date:	2011-05-31T00:00:00
db:	BID	id:	47675	date:	2011-05-02T00:00:00
db:	BID	id:	78468	date:	2011-05-05T00:00:00
db:	JVNDB	id:	JVNDB-2011-004591	date:	2012-03-27T00:00:00
db:	JVNDB	id:	JVNDB-2011-001625	date:	2011-05-25T00:00:00
db:	CNNVD	id:	CNNVD-201105-066	date:	2011-05-06T00:00:00
db:	NVD	id:	CVE-2011-1902	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#790980	date:	2011-05-02T00:00:00
db:	VULHUB	id:	VHN-49847	date:	2011-05-05T00:00:00
db:	BID	id:	47675	date:	2011-05-02T00:00:00
db:	BID	id:	78468	date:	2011-05-05T00:00:00
db:	JVNDB	id:	JVNDB-2011-004591	date:	2012-03-27T00:00:00
db:	JVNDB	id:	JVNDB-2011-001625	date:	2011-05-25T00:00:00
db:	PACKETSTORM	id:	101135	date:	2011-05-05T06:57:39
db:	CNNVD	id:	CNNVD-201105-066	date:	2011-05-06T00:00:00
db:	NVD	id:	CVE-2011-1902	date:	2011-05-05T14:55:03.213