Public Vulnerability Reports

MapInfo Discovery Multiple Remote Vulnerabilities

04.15.03

BACKGROUND

MapInfo Discovery is an enterprise browser-driven map catalog and map
viewer application. It functions as an extension to MapInfo
Professional®.

DESCRIPTION

Multiple vulnerabilities have been found in MapInfo Discovery which
allow remote attackers to gain administrative access to MapInfo
Discovery, obtain database credentials, and execute arbitrary scripting
code.

***** ISSUE 1: Information Disclosure *****

Insecure storage of log files can lead to confidential information being
disclosed.

http://<hostname>/midiscovery/ErrLog/mi3errors.log

***** ISSUE 2: Cross-site Scripting *****

Failure to filter scripting characters in the mapID value passed to
Mapfram.asp can lead to execution of arbitrary scripting code.

MapFrame.asp?mapID=5&mapname=<script>

***** ISSUE 3: Cleartext Passwords *****

MapInfo Discovery passes login credentials and SQL database credentials
to forms in plaintext. Remote attackers can use a network sniffer to
recover credentials to both MapInfo Discovery and the SQL database
associated with it.

http://<hostname>/midiscovery/asplib/SignIn.asp passes login credentials
in plaintext.

Database Credentials
<INPUT TYPE="text" size="30" maxlength="50" NAME="DatabaseName" Value="MIDiscovery" >
<INPUT TYPE="text" size="30" maxlength="50" NAME="DatabaseServerName" Value="10.0.0.2" >
<INPUT TYPE="text" size="30" maxlength="70" NAME="DatabaseUserName" Value="midiscovery" >
<INPUT TYPE="password" size="21" maxlength="20" NAME="DatabaseUserPassword1" Value="lirumisu69" >
<INPUT TYPE="password" size="21" maxlength="20" NAME="DatabaseUserPassword2" Value="lirumisu69"  >

***** ISSUE 4: Administrative Login Bypass *****

MapInfo Discovery does not store session information securely.
Authentication is simply tracked by checking the value of a variable
passed in the URL. Attackers can bypass this check by changing the value
and gain access to administrative pages.

Only the value of 'ps' is checked to authenticate administrative users.
http://<hostname>/midiscovery/asplib/MapPassword.asp?id=140&ps=0&Wrong=1

ANALYSIS

Any remote attacker with access to a server running MapInfo Discovery
can exploit the above-described vulnerabilities. Successful exploitation
could lead to administrative access and compromise of the SQL database.

DETECTION

MapInfo Discovery 1.0 and 1.1 for Windows are known to be vulnerable.

CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

DISCLOSURE TIMELINE

04/01/2003    Vulnerability acquired by iDEFENSE

CREDIT

The discoverer wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

LEGAL NOTICES

Copyright © 2004 Verisign, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.