Details of VAR-201105-0116

ID

VAR-201105-0116

CVE

CVE-2011-1905

TITLE

Proofpoint Protection Server contains multiple vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#790980

DESCRIPTION

Multiple cross-site request forgery (CSRF) vulnerabilities in unspecified administrative modules in Proofpoint Messaging Security Gateway 6.2.0.263:6.2.0.237 and earlier in Proofpoint Protection Server 5.5.3, 5.5.4, 5.5.5, 6.0.2, 6.1.1, and 6.2.0 allow remote attackers to hijack the authentication of administrators via unknown vectors. Proofpoint Protection Server Has multiple vulnerabilities. Proofpoint Protection Server Includes authentication bypass, command injection, SQL Multiple vulnerabilities exist, including injection and directory traversal. Clear Skies Security's advisory of TECHNICAL DETAILS Describes each vulnerability as follows: "Enduser Authentication Bypass User-level access to the Proofpoint mail filter web interface can be obtained as any available user without providing the user’s login credentials. Path Traversal Allows Access to System Files Arbitrary files on the Proofpoint appliance can be obtained by manipulating a flaw in the web interface. Proofpoint SQL Injection A publicly accessible function in the Proofpoint interface is vulnerable to SQL Injection. Proofpoint Command Injection A function in the Proofpoint web interface can be manipulated into executing any command on the server. Proofpoint Forced Browsing / Insufficient Page Authorization Some administrative modules are accessible without authenticating with the application."A remote attacker could execute arbitrary commands or download arbitrary files. An authentication-bypass vulnerability 2. A command-injection vulnerability 3. An SQL-injection vulnerability 4. A security-bypass vulnerability 5. A directory-traversal vulnerability Attackers may exploit these issues to retrieve arbitrary files from the affected application, compromise the application, obtain sensitive information, access or modify data, exploit latent vulnerabilities in the underlying database, and gain administrative access to the affected application. A remote attacker hijacks an administrator's authentication request with the help of an unknown vector. ---------------------------------------------------------------------- Secunia is hiring! http://secunia.com/company/jobs/ ---------------------------------------------------------------------- TITLE: Proofpoint Enterprise Protection Multiple Vulnerabilities SECUNIA ADVISORY ID: SA44457 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/44457/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=44457 RELEASE DATE: 2011-05-04 DISCUSS ADVISORY: http://secunia.com/advisories/44457/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/44457/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=44457 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: Multiple vulnerabilities have been reported in Proofpoint Enterprise Protection, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, bypass certain security restrictions, disclose sensitive information, and compromise a vulnerable system. 1) Input passed via the "displayprogress" parameter to enduser/process.cgi is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Note: This vulnerability only affects version 5.5.5. 3) Certain unspecified input is not properly verified before being used to access files. 4) Certain unspecified input is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. 5) An error in the application allows access to certain administrative modules without checking for authentication. 6) Certain unspecified input is not properly sanitised before being used and can be exploited to inject and execute arbitrary commands. SOLUTION: Apply patches. Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ PROVIDED AND/OR DISCOVERED BY: 1) Karan Khosla, Sense of Security Labs. 2 - 6) Scott Miles, Clear Skies Security via US-CERT. ORIGINAL ADVISORY: Proofpoint: https://support.proofpoint.com/article.cgi?article_id=338413 Sense of Security Labs: http://www.senseofsecurity.com.au/advisories/SOS-11-005 US-CERT VU#790980: http://www.kb.cert.org/vuls/id/790980 Clear Skies Security: http://www.clearskies.net/documents/css-advisory-css1105-proofpoint.php OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ EXPLOIT: Further details available in Customer Area: http://secunia.com/products/corporate/EVM/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 3.51

sources: NVD: CVE-2011-1905 // CERT/CC: VU#790980 // JVNDB: JVNDB-2011-004594 // JVNDB: JVNDB-2011-001625 // BID: 47675 // VULHUB: VHN-49850 // PACKETSTORM: 101135

AFFECTED PRODUCTS

vendor:	proofpoint	model:	protection server	scope:	eq	version:	5.5.3	Trust: 2.4
vendor:	proofpoint	model:	protection server	scope:	eq	version:	5.5.4	Trust: 2.4
vendor:	proofpoint	model:	protection server	scope:	eq	version:	5.5.5	Trust: 2.4
vendor:	proofpoint	model:	protection server	scope:	eq	version:	6.0.2	Trust: 2.4
vendor:	proofpoint	model:	protection server	scope:	eq	version:	6.1.1	Trust: 2.4
vendor:	proofpoint	model:	protection server	scope:	eq	version:	6.2.0	Trust: 1.6
vendor:	proofpoint	model:	messaging security gateway	scope:	lte	version:	6.2.0.263\:6.2.0.237	Trust: 1.0
vendor:	proofpoint	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	proofpoint	model:	messaging security gateway	scope:	lte	version:	6.2.0.263:6.2.0.237	Trust: 0.8
vendor:	proofpoint	model:	protection server	scope:	eq	version:	and 6.2.0	Trust: 0.8
vendor:	proofpoint	model:	protection server	scope:	-	version:	-	Trust: 0.8
vendor:	proofpoint	model:	messaging security gateway	scope:	eq	version:	6.2.0.263\:6.2.0.237	Trust: 0.6
vendor:	proofpoint	model:	inc proofpoint protection server	scope:	eq	version:	6.2.0	Trust: 0.3
vendor:	proofpoint	model:	inc proofpoint protection server	scope:	eq	version:	6.1.1	Trust: 0.3
vendor:	proofpoint	model:	inc proofpoint protection server	scope:	eq	version:	6.0.2	Trust: 0.3
vendor:	proofpoint	model:	inc proofpoint protection server	scope:	eq	version:	5.5.5	Trust: 0.3
vendor:	proofpoint	model:	inc proofpoint protection server	scope:	eq	version:	5.5.4	Trust: 0.3
vendor:	proofpoint	model:	inc proofpoint protection server	scope:	eq	version:	5.5.3	Trust: 0.3

sources: CERT/CC: VU#790980 // BID: 47675 // JVNDB: JVNDB-2011-004594 // JVNDB: JVNDB-2011-001625 // CNNVD: CNNVD-201105-069 // NVD: CVE-2011-1905

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2011-1905
value:	MEDIUM
Trust: 1.0
CARNEGIE MELLON:	VU#790980
value:	22.50
Trust: 0.8
NVD:	CVE-2011-1905
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201105-069
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-49850
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2011-1905
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-49850
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CERT/CC: VU#790980 // VULHUB: VHN-49850 // JVNDB: JVNDB-2011-004594 // CNNVD: CNNVD-201105-069 // NVD: CVE-2011-1905

PROBLEMTYPE DATA

problemtype:

CWE-352

Trust: 1.9

sources: VULHUB: VHN-49850 // JVNDB: JVNDB-2011-004594 // NVD: CVE-2011-1905

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201105-069

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201105-069

CONFIGURATIONS

sources: JVNDB: JVNDB-2011-004594

PATCH

title:	Top Page	url:	http://www.proofpoint.com/	Trust: 0.8
title:	Top Page	url:	http://www.proofpoint.com	Trust: 0.8
title:	Call Tracking System - Login (Customer Support web site）	url:	https://support.proofpoint.com/article.cgi?article_id=338413	Trust: 0.8

sources: JVNDB: JVNDB-2011-004594 // JVNDB: JVNDB-2011-001625

EXTERNAL IDS

db:	CERT/CC	id:	VU#790980	Trust: 4.5
db:	NVD	id:	CVE-2011-1905	Trust: 2.5
db:	JVNDB	id:	JVNDB-2011-004594	Trust: 0.8
db:	JVNDB	id:	JVNDB-2011-001625	Trust: 0.8
db:	CNNVD	id:	CNNVD-201105-069	Trust: 0.7
db:	BID	id:	47675	Trust: 0.3
db:	SECUNIA	id:	44457	Trust: 0.2
db:	VULHUB	id:	VHN-49850	Trust: 0.1
db:	PACKETSTORM	id:	101135	Trust: 0.1

sources: CERT/CC: VU#790980 // VULHUB: VHN-49850 // BID: 47675 // JVNDB: JVNDB-2011-004594 // JVNDB: JVNDB-2011-001625 // PACKETSTORM: 101135 // CNNVD: CNNVD-201105-069 // NVD: CVE-2011-1905

REFERENCES

url:	http://www.kb.cert.org/vuls/id/790980	Trust: 3.7
url:	http://www.clearskies.net/documents/css-advisory-css1105-proofpoint.php	Trust: 2.6
url:	https://support.proofpoint.com/article.cgi?article_id=338413	Trust: 2.6
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-1905	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-1905	Trust: 0.8
url:	http://jvn.jp/cert/jvnvu790980	Trust: 0.8
url:	http://www.proofpoint.com/products/index.php	Trust: 0.3
url:	http://secunia.com/advisories/44457/	Trust: 0.1
url:	https://ca.secunia.com/?page=viewadvisory&vuln_id=44457	Trust: 0.1
url:	http://www.senseofsecurity.com.au/advisories/sos-11-005	Trust: 0.1
url:	http://secunia.com/products/corporate/evm/	Trust: 0.1
url:	http://secunia.com/company/jobs/	Trust: 0.1
url:	http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/	Trust: 0.1
url:	http://secunia.com/advisories/secunia_security_advisories/	Trust: 0.1
url:	http://secunia.com/advisories/44457/#comments	Trust: 0.1
url:	http://secunia.com/vulnerability_scanning/personal/	Trust: 0.1
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.1
url:	http://secunia.com/advisories/about_secunia_advisories/	Trust: 0.1

CREDITS

Scott Miles of Clear Skies Security.

Trust: 0.3

sources: BID: 47675

SOURCES

db:	CERT/CC	id:	VU#790980
db:	VULHUB	id:	VHN-49850
db:	BID	id:	47675
db:	JVNDB	id:	JVNDB-2011-004594
db:	JVNDB	id:	JVNDB-2011-001625
db:	PACKETSTORM	id:	101135
db:	CNNVD	id:	CNNVD-201105-069
db:	NVD	id:	CVE-2011-1905

LAST UPDATE DATE

2025-04-11T23:02:07.264000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#790980	date:	2011-05-02T00:00:00
db:	VULHUB	id:	VHN-49850	date:	2011-05-31T00:00:00
db:	BID	id:	47675	date:	2011-05-02T00:00:00
db:	JVNDB	id:	JVNDB-2011-004594	date:	2012-03-27T00:00:00
db:	JVNDB	id:	JVNDB-2011-001625	date:	2011-05-25T00:00:00
db:	CNNVD	id:	CNNVD-201105-069	date:	2011-05-06T00:00:00
db:	NVD	id:	CVE-2011-1905	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#790980	date:	2011-05-02T00:00:00
db:	VULHUB	id:	VHN-49850	date:	2011-05-05T00:00:00
db:	BID	id:	47675	date:	2011-05-02T00:00:00
db:	JVNDB	id:	JVNDB-2011-004594	date:	2012-03-27T00:00:00
db:	JVNDB	id:	JVNDB-2011-001625	date:	2011-05-25T00:00:00
db:	PACKETSTORM	id:	101135	date:	2011-05-05T06:57:39
db:	CNNVD	id:	CNNVD-201105-069	date:	2011-05-06T00:00:00
db:	NVD	id:	CVE-2011-1905	date:	2011-05-05T14:55:03.340