Advantech WebAccess < 7.0-2009.06.29 Multiple Vulnerabilities

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.


Synopsis :

The remote host is affected by multiple vulnerabilities.

Description :

The version of Advantech WebAccess running on the remote host is prior
to version 7.0-2009.06.29. It is, therefore, affected by multiple
vulnerabilities :

- SQL injection vulnerabilities exist due to unspecified
input not being properly sanitized before processing SQL
queries. An unauthenticated, remote attacker can exploit
these to inject SQL queries against the database,
resulting in the disclosure or manipulation of arbitrary
data. (CVE-2011-4521, CVE-2012-0234, CVE-2012-0244)

- Unspecified cross-site scripting vulnerabilities exist
due to improper validation of input data submitted to
scripts bwerrdn.asp and bwview.asp. A remote attacker,
using a specially crafted URL, can exploit these to
execute arbitrary script code in the browser in the
context of the user's session. (CVE-2011-4522,
CVE-2011-4523)

- A buffer overflow condition exists due to a failure to
properly sanitize user-supplied input. A remote,
unauthenticated attacker, by using a very long string
passed to unspecified parameters, can exploit this to
execute arbitrary code. (CVE-2011-4524)

- A flaw exists that allows extracting arbitrary web page
content into a batch file, which can then be executed.
An unauthenticated, remote attacker can exploit this
to write files to the server, allowing the execution
of arbitrary code. (CVE-2011-4525)

- A buffer overflow condition exists due to a failure to
properly sanitize user-supplied input to unspecified
ActiveX parameters. An unauthenticated, remote attacker
can exploit this, using a crafted long string, to
execute arbitrary code. (CVE-2011-4526)

- A cross-site scripting vulnerability exists due to
improper validation of unspecified input before
returning it to the user. A remote attacker, using a
specially crafted URL, can exploit this to execute
arbitrary script code in the browser in the context of
the user's session. (CVE-2012-0233)

- An unspecified cross-site request forgery (XSRF)
vulnerability exists due to WebAccess not requiring
explicit confirmation from the user for sensitive
transactions. An attacker, by using a specially crafted
GET request embedded in an 'img' tag, can exploit this
vulnerability to execute commands in the context of the
session between an authenticated user and the
application. (CVE-2012-0235)

- An unspecified information disclosure vulnerability
exists that allows an unauthenticated, remote attacker
to obtain sensitive information by using a direct
request to a URL. (CVE-2012-0236)

- A flaw exists that allows an unauthenticated, remote
attacker to enable or disable the date and time syncing
operations by using a crafted URL. (CVE-2012-0237)

- A stack-based buffer overflow condition exists in
opcImg.asp due to a failure to properly sanitize
user-supplied input. An unauthenticated, remote attacker
can exploit this to execute arbitrary code.
(CVE-2012-0238)

- A flaw exists in the uaddUpAdmin.asp script due to an
authentication failure, which allows a remote attacker
to modify an administrative password using a change
password request. (CVE-2012-0239)

- A flaw exists in the authentication function in the
GbScriptAddUp.asp script, which allows a remote attacker
to execute arbitrary code. (CVE-2012-0240)

- A memory corruption issue exists in the WriteTextData()
and CloseFile() functions due to a failure to properly
sanitize user-supplied input. A remote attacker, by
using a crafted value in the 'fpt' parameter, can
exploit this to cause a denial of service or execute
arbitrary code. (CVE-2012-0241)

- A flaw in the bwocxrun.ocx ActiveX control exists due to
a failure by the OcxSpool() method to properly sanitize
user-supplied string format specifiers. A remote,
unauthenticated attacker, by using crafted specifiers,
can exploit this to execute arbitrary code.
(CVE-2012-0242)

- A buffer overflow condition exists in the bwocxrun.ocx
ActiveX control due to a failure to properly sanitize
user-supplied input. A remote attacker can exploit this
to write arbitrary files to any pathname, allowing the
execution of arbitrary code. (CVE-2012-0243)

- An unspecified SQL injection vulnerability exists due to
input not being properly sanitized before processing SQL
queries, which resulted from an incomplete fix for issue
CVE-2012-0234. An unauthenticated, remote attacker can
exploit this vulnerability to inject SQL queries against
the database, resulting in the disclosure or
manipulation of arbitrary data. (CVE-2012-1234)

See also :

http://www.nessus.org/u?07dd82c7
https://ics-cert.us-cert.gov/advisories/ICSA-12-047-01A

Solution :

Upgrade to Advantech WebAccess version 7.0-2009.06.29 or higher.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)