Appweb < 7.0.3 authCondition Authentication Bypass Vulnerability

Medium Nessus Plugin ID 118710

Synopsis

The remote web server may be affected by an authentication bypass vulnerability.

Description

According to its banner, the version of Appweb installed on the remote host is prior to 7.0.3. It is, therefore, affected by a logic flaw in the authCondition function in http/httpLib.c. With a forged HTTP request, it is possible to bypass authentication for the form and digest login types.

Note that Nessus did not actually test for this issue, but has instead relied on the version reported in the server's banner.
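A banner-based version check of the kind this plugin performs, written here as an added example rather than code from the Nessus plugin itself. The banner strings are constructed, and the `Embedthis-http` / `Embedthis-Appweb` banner formats matched by the regex are an assumption; adjust it to the banner your servers actually emit. Versions are compared numerically, so 7.0.10 is correctly treated as newer than 7.0.3, and a banner that hides the version yields "unknown" instead of a false negative.

```python
import re
from typing import Optional, Tuple

# Per the advisory, Appweb 7.0.3 and later are not affected.
FIXED_VERSION = (7, 0, 3)

# Constructed sample banners (not captured from real hosts).
SAMPLE_BANNERS = [
    "Embedthis-http/7.0.2",
    "Embedthis-Appweb/7.0.3",
    "Embedthis-http/7.0.10",
    "Embedthis-http/6.2.1",
    "Embedthis-http",          # version hidden: cannot conclude
    "nginx/1.14.0",            # not Appweb at all
]

# Assumed banner shape: product token optionally followed by /major.minor.patch
BANNER_RE = re.compile(
    r"embedthis-(?:appweb|http)(?:/(\d+)\.(\d+)\.(\d+))?", re.IGNORECASE
)


def parse_appweb_version(banner: str) -> Tuple[bool, Optional[Tuple[int, int, int]]]:
    """Return (is_appweb, version); version is None when the banner hides it."""
    m = BANNER_RE.search(banner)
    if not m:
        return False, None
    if m.group(1) is None:
        return True, None
    major, minor, patch = (int(x) for x in m.groups())
    return True, (major, minor, patch)


def is_vulnerable_banner(banner: str) -> Optional[bool]:
    """True if the banner indicates Appweb < 7.0.3, False if fixed or not Appweb,
    None if it is Appweb but the version is not disclosed."""
    is_appweb, version = parse_appweb_version(banner)
    if not is_appweb:
        return False
    if version is None:
        return None
    # Tuple comparison compares component by component, not as strings.
    return version < FIXED_VERSION


if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b:26s} -> {is_vulnerable_banner(b)}")
```

A `None` result should be treated as "verify another way" (for example, by confirming the installed package version on the host), not as "not affected".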

Solution

Upgrade to Appweb version 7.0.3 or later.

Plugin Details

Severity: Medium

ID: 118710

File Name: appweb_server_7_0_3.nasl

Version: 1.1

Type: remote

Family: Web Servers

Published: 2018/11/02

Modified: 2018/11/02

Dependencies: 61395, 11936

Risk Information

Risk Factor: Medium

CVSS Score Source: CVE-2018-8715

CVSS v2.0

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS v3.0

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:mbedthis_software:mbedthis_appweb_http_server

Required KB Items: www/appweb

Patch Publication Date: 2018/03/14

Vulnerability Publication Date: 2018/03/14

Reference Information

CVE: CVE-2018-8715