phion airlock Web Application Firewall: Remote Denial of Service via Management Interface (unauthenticated) and Command Execution

Security Advisory
Vulnerable Software: 	phion airlock Web Application Firewall
Vulnerable Version:	4.1-10.41
Found by:			Michael Kirchner, Wolfgang Neudorfer,
Lukas Nothdurfter (Team h4ck!nb3rg) =20
Impact:			Remote Denial of Service via Management
Interface (unauthenticated) and Command Execution

Product Description
phions web application firewall (WAF) airlock provides a unique
combination of protective mechanisms for web applications. Whether you
want to observe PCI DSS, safeguard online banking or protect e-commerce
applications:  airlock ensures sustained and manageable web application

Vulnerability Description
The phion airlock Web Application Firewall operates as a reverse proxy
between the clients and the web server to be protected. All HTTP
requests are checked before being forwarded to the web server. The
system can be administered via a seperate management interface which is
normally not accessible for external users. By sending a specially
crafted HTTP GET request an attacker with access to the management
interface (but no authentication needed) is able to conduct a denial of
service attack. The vendor describes the vulnerability as follows:
"The airlock Configuration Center shows many system monitoring charts to
check the system status and history. These images are generated on the
fly by a CGI script, and the image size is part of the URL parameter.
Unreasonably large values for the width and height parameters will cause
excessive resource consumption. Depending on the actual load and the
memory available, the system will be out-of-service for some minutes or
crash completely, making a reboot necessary."
Further research showed that the vulnerability can also be used to
execute arbitrary system commands. This allows attackers to run
operating system commands under the user of the web server
(uid=3D12359(wwwca) gid=3D54329(wwwca)).

Proof of Conept
A denial of service or execution of arbitrary system commands can be
accomplished by a single HTTP request if an attacker can reach the
management interface IP address of the WAF. According exploits will not
be published.

Vulnerable Versions
The tested version was 4.1-10.41. Prior versions are also likely to be

The vendor provides a hotfix as well as an updated version of the
The hotfix can be downloaded at:

Contact Timeline
2009-04-27: Vendor informed
2009-04-28: Inital vendor reply
2009-04-29: Vulnerability confirmed and manual workaround available at
phion techzone
2009-05-12: Hotfix and updated version available
2009-07-01: Public release=20

Further information
Information about the web application firewall project this advisory
originates from can be found at: