Executive Summary
Summary | |
---|---|
Title | Proofpoint Protection Server contains multiple vulnerabilities |
Information | | | |
---|---|---|---|
Name | VU#790980 | First vendor Publication | 2011-05-02 |
Vendor | VU-CERT | Last vendor Modification | 2011-05-02 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
CVSS vector : N/A | | | |
---|---|---|---|
Overall CVSS Score | NA | | |
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | | |
Security-Database Scoring CVSS v2
CVSS vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | | | |
---|---|---|---|
CVSS Base Score | 7.5 | Attack Range | Network |
CVSS Impact Score | 6.4 | Attack Complexity | Low |
CVSS Exploit Score | 10 | Authentication | None Required |
Detail
Vulnerability Note VU#790980

Proofpoint Protection Server contains multiple vulnerabilities

Overview

Proofpoint Protection Server contains multiple vulnerabilities including authentication bypass, insufficient authorization checks, command injection, SQL injection, and directory traversal.

I. Description

Clear Skies Security's advisory states:

"Enduser Authentication Bypass

Apply an Update

The following patches should be applied to the relevant versions.

Restrict Access

Appropriate firewall rules should be implemented to restrict access to only legitimate users of the system.

Vendor Information

References

http://www.clearskies.net/documents/css-advisory-css1105-proofpoint.php

Thanks to Scott Miles of Clear Skies Security for reporting these vulnerabilities.

This document was written by Jared Allar.
Original Source
Url : http://www.kb.cert.org/vuls/id/790980
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
20 % | CWE-352 | Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25) |
20 % | CWE-287 | Improper Authentication |
20 % | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') (CWE/SANS Top 25) |
20 % | CWE-78 | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25) |
20 % | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25) |
CPE : Common Platform Enumeration
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
72170 | Proofpoint Protection Server Unspecified Arbitrary Command Injection: Proofpoint Protection Server fails to sanitize certain unspecified input before use, which allows for the injection and execution of arbitrary commands. No further details have been provided. |
72169 | Proofpoint Protection Server Unspecified Admin Module Authentication Bypass: Proofpoint Protection Server contains an unspecified flaw that may allow a remote attacker to gain unauthorized access to some administrative modules. |
72168 | Proofpoint Protection Server Unspecified SQL Injection: Proofpoint Protection Server contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to an unspecified script not properly sanitizing user-supplied input. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data. |
72167 | Proofpoint Protection Server Unspecified Traversal Arbitrary File Access: Proofpoint Protection Server contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to an unspecified script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via an unspecified parameter. This directory traversal attack would allow the attacker to access arbitrary files. |
72166 | Proofpoint Protection Server User Mail Filter Interface Authentication Bypass: Proofpoint Protection Server contains a flaw related to the web interface failing to properly verify credentials before granting access to the mail filter interface, allowing a remote attacker to gain unauthorized access to a user's mail filter interface. |