Security Advisory
---------------------------------------
Vulnerable Software:   phion airlock Web Application Firewall
Vulnerable Version:  4.1-10.41
Homepage:      http://www.phion.com/
Found by:      Michael Kirchner, Wolfgang Neudorfer,
Lukas Nothdurfter (Team h4ck!nb3rg)  
Impact:      Remote Denial of Service via Management
Interface (unauthenticated) and Command Execution


Product Description
---------------------------------------
phion's web application firewall (WAF) airlock provides a unique
combination of protective mechanisms for web applications. Whether you
want to observe PCI DSS, safeguard online banking or protect e-commerce
applications:  airlock ensures sustained and manageable web application
security.
[Source:
http://www.phion.com/INT/products/websecurity/Pages/default.aspx]


Vulnerability Description
---------------------------------------
The phion airlock Web Application Firewall operates as a reverse proxy
between the clients and the web server to be protected. All HTTP
requests are checked before being forwarded to the web server. The
system can be administered via a seperate management interface which is
normally not accessible for external users. By sending a specially
crafted HTTP GET request an attacker with access to the management
interface (but no authentication needed) is able to conduct a denial of
service attack. The vendor describes the vulnerability as follows:
"The airlock Configuration Center shows many system monitoring charts to
check the system status and history. These images are generated on the
fly by a CGI script, and the image size is part of the URL parameter.
Unreasonably large values for the width and height parameters will cause
excessive resource consumption. Depending on the actual load and the
memory available, the system will be out-of-service for some minutes or
crash completely, making a reboot necessary."
[Source: https://techzone.phion.com/dos-vulnerability-4.1-sysmon-images]
Further research showed that the vulnerability can also be used to
execute arbitrary system commands. This allows attackers to run
operating system commands under the user of the web server
(uid=12359(wwwca) gid=54329(wwwca)).


Proof of Conept
---------------------------------------
A denial of service or execution of arbitrary system commands can be
accomplished by a single HTTP request if an attacker can reach the
management interface IP address of the WAF. According exploits will not
be published.


Vulnerable Versions
---------------------------------------
The tested version was 4.1-10.41. Prior versions are also likely to be
vulnerable.


Patch
---------------------------------------
The vendor provides a hotfix as well as an updated version of the
product. 
The hotfix can be downloaded at:
https://techzone.phion.com/hotfix_HF4112


Contact Timeline
---------------------------------------
2009-04-27: Vendor informed
2009-04-28: Inital vendor reply
2009-04-29: Vulnerability confirmed and manual workaround available at
phion techzone
2009-05-12: Hotfix and updated version available
2009-07-01: Public release 


Further information
---------------------------------------
Information about the web application firewall project this advisory
originates from can be found at:
http://www.h4ck1nb3rg.at/wafs/