Multiple vulnerabilities in Highwall Enterprise and Highwall Endpoint management interface

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Multiple vulnerabilities in Highwall Enterprise and Highwall Endpoint management interface

Subject: Multiple vulnerabilities in Highwall Enterprise and Highwall Endpoint management interface
Date: Wed, 18 Oct 2006 17:47:45 +0400
From: suppressed

Multiple vulnerabilities in Highwall Enterprise and Highwall Endpoint4.0.2.11045 management interface



SUMMARY

Highwall Enterprise and Highwall Endpoint wireless IDS management interfacecontain multiple vulnerabilities which can lead to privilege escalation andcode execution.


DETAILS

Web interface of Highwall Enterprise and Highwall Endpoint don't properlyscreens characters in user supplied input. This can lead to MultipleCross-Site Scripting and SQL Injection conditions. Vulnerabilities can beexploited by malicious system operator to escalate privileges or run code onhis choice in context of Microsoft SQL Server back-end database. Also thesevulnerabilities possible can be exploited by external attacker by usingAccess Point with special created SSID to bypass security restrictions orescalate privileges.


DISCLOSURE TIMELINE

8 September 2006 - Initial vendor contact, no response received.
September 2006 - Initial vendor contact, no response received.

18 October 2006 - Public disclosure

Prev by Date: Call for Papers - First International Workshop on Secure Software Engineering (SecSE 2007)
Next by Date: Airmagnet management interfaces multiple vulnerabilities
Previous by thread: Call for Papers - First International Workshop on Secure Software Engineering (SecSE 2007)
Next by thread: Airmagnet management interfaces multiple vulnerabilities
Index(es):
- Date
- Thread

Mail converted by mhonarc 2.6.15
This archive provided courtesy of JSW4.NET, Internet Hosting Services for Small Business.