SEC Consult SA-20121115-0 :: Applicure dotDefender WAF format string vulnerability Nov 15 2012 03:14PM
SEC Consult Vulnerability Lab (research sec-consult com)
SEC Consult Vulnerability Lab Security Advisory < 20121115-0 >
title: Applicure dotDefender WAF format string vulnerability
product: dotDefender for Linux/Apache
vulnerable version: <= 4.26
fixed version: 5.00
CVE number: -
impact: Medium (needs preconditions)
homepage: http://www.applicure.com/Products/dotdefender
found: 2012-10-13
by: Bernhard Mueller
SEC Consult Vulnerability Lab

Vendor/product description:
dotDefender is a web application security solution (a Web Application
Firewall, or WAF) that offers strong, proactive security for your websites and
web applications.

URL: http://www.applicure.com/Products/dotdefender

Vulnerability overview/description:
dotDefender displays an error page when blocking an attack. The error page is
generated from a template which can contain various template variables. These
variables are expanded into a buffer first, the result of which is then passed
to AP_PRINTF() without checking for format string identifiers. Any remaining
format strings are interpreted by AP_PRINTF(), allowing for a format string
injection attack.

This is immediately exploitable by an unauthenticated attacker if the <%IP%>
template tag is used in the error page (not the case in the default template).
In this case an attacker can inject format strings in the "Host"-header. Other
attack vectors may exist if the attacker manages to access the dotDefender web
interface which requires a password.

Successful exploitation allows an attacker to execute arbitrary code on the

Proof of concept:

No proof-of-concept exploit will be released.

Vulnerable / tested versions:

The vulnerability has been tested with dotDefender 4.26 for Linux/Apache.

dotDefender for Windows is not affected.

Vendor contact timeline:
2012-10-17: Contacted vendor
2012-11: Fixed version is released
2012-11-15: SEC Consult releases security advisory

Upgrade to at least version 5.00 of dotDefender for Linux:


Advisory URL:

The SEC Consult Group

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com

Office Singapore
4 Battery Road
#25-01 Bank of China Building
Singapore (049908)
Mail: office at sec-consult dot sg

Check out our blog at:


And this thing here:


EOF B. Mueller / November 2012

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus