iPolicy Networks Security Advisory
 

iPostMX 2005 Multiple Vulnerabilities

Date Discovered: 06/19/2006
Severity: High
Applications Affected: iPostMX 2005 2.0 and prior
Synopsis
Multiple vulnerabilities have been discovered in the iPostMX 2005 application. User-supplied input is not properly sanitized, resulting in input validation errors. An attacker can exploit these to compromise the application and gain unauthorized access.
Recommended Actions
1. Update to the fixed version of the application released by the vendor at
 http://www.colebarksdale.com/downloads/
Threat Analysis
iPostMX 2005 is developed using ColdFusion. It provides full control over the forum, with multiple styles and themes for customization. The vulnerabilities present in this application are:

Cross-Site Scripting Attack:
Input passed to the "RETURNURL" parameter in "userlogin.cfm" and "account.cfm" is not properly sanitized before being returned to the user. This allows an attacker to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

SQL Injection Attack:
Input passed to the "forum" parameter in "messagepost.cfm" and to the "topic" parameter in "topics.cfm" is not properly sanitized before being used in a SQL query. This allows an attacker to inject manipulated SQL commands and queries.

Both flaws can help an attacker steal cookie-based authentication credentials and launch other attacks.
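To check whether the affected pages have received suspicious input, the following added example (not part of the original advisory or the vendor's code) scans web server access-log lines for requests to the four pages named above and flags unexpected values in the named parameters. It assumes that "forum" and "topic" are numeric identifiers and that a legitimate "RETURNURL" is a site-relative path; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Page -> parameter, exactly as named in the advisory (matched case-insensitively).
WATCHED = {"userlogin.cfm": "returnurl", "account.cfm": "returnurl",
           "messagepost.cfm": "forum", "topics.cfm": "topic"}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
MARKUP_RE = re.compile(r"[<>\"']|javascript:", re.I)


def is_suspicious(param, value):
    if param == "returnurl":
        # Assumption: a legitimate return URL is a site-relative path without markup.
        return (bool(MARKUP_RE.search(value))
                or not value.startswith("/") or value.startswith("//"))
    # Assumption: forum and topic are numeric identifiers.
    return re.fullmatch(r"[0-9]+", value) is None


def scan(lines):
    """Return (line_number, page, parameter, decoded_value) per suspicious request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        page = url.path.rsplit("/", 1)[-1].lower()
        watched = WATCHED.get(page)
        if watched is None:
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name.lower() == watched and is_suspicious(watched, value):
                findings.append((number, page, watched, value))
    return findings


# Constructed sample access-log lines (combined-log style), not from a real system.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Jun/2006:10:01:02 +0000] "GET /forum/topics.cfm?topic=12 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [20/Jun/2006:10:03:17 +0000] "GET /forum/topics.cfm?topic=12%27 HTTP/1.1" 500 912',
    '192.0.2.44 - - [20/Jun/2006:10:03:40 +0000] "GET /forum/userlogin.cfm?RETURNURL=%22%3E%3Cscript%3E HTTP/1.1" 200 2048',
    '192.0.2.10 - - [20/Jun/2006:10:04:05 +0000] "GET /forum/account.cfm?RETURNURL=/forum/index.cfm HTTP/1.1" 200 3071',
    '192.0.2.51 - - [20/Jun/2006:10:05:30 +0000] "GET /forum/messagepost.cfm?forum=3 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Access logs record only query-string parameters; values submitted in POST bodies require application-level or proxy logging to review.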
References

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-3096
http://secunia.com/advisories/20697
http://www.frsirt.com/english/advisories/2006/2382
http://pridels.blogspot.com/2006/06/ipostmx-2005-vuln.html

Write-up by: Anshul Gupta