Anti-Phishing Research, Live Bait Reports, Tombstones, Hoyt LLC

Saturday, January 28, 2012

Caveat Emptor, Caveat Venditor, Paros Pro Desktop Version 1.9.12 for Windows, WebAppSec, SCAP Tools


WebAppSec Product Review - Paros Pro

Vendor: MileScan
Application: Paros Pro Desktop Version 1.9.12
Price Paid: Under $1500
Date of Purchase: August 15, 2011
Date of Review: January 25, 2012
Coverage: Caveat Emptor, Caveat Venditor

Product description

“ParosPro is a web security tool that allows companies and IT Professionals to assess the security of their web applications. The ParosPro provides a feature rich environment that allows companies to perform assessments based on plug-ins designed to target various security vulnerabilities. Plug-ins can be updated via the update manager that is included with the ParosPro to ensure that your ParosPro is always up to date with the latest threats.”

A Buyer's Perspective

Paros Pro - Desktop Version 1.9.12 was licensed in August 2011 after reading various reviews on SecTools and here. Doubting the results, we benchmarked the Tool against over 50 CVEs.

Testbed -> W2k8R2/64bit VM loaded with Paros Pro Desktop 1.9.12, configured to point and shoot at vulnerable versions of Plesk CPanel for Windows V10.4.x.

On August 25, 2011, 10 days after purchase, we assembled our standard “Lack of Coverage” (LoC) e-mail detailing points at which the tool failed to fingerprint documented Unforgivable Vulnerabilities, asking for a Vendor response.

On December 9, 2011, having received no response after more than 3 months, we again wrote to MileScan, questioning whether MileScan still existed.

On December 12, 2011, we received a response from Sally Cheung of MileScan, apologizing for the delay, writing that “we are rewriting the core part of our software, it may take longer than expected to address the findings you raised.”

On December 28, 2012, MileScan released a subsequent upgrade for Paros Pro Desktop Edition Version 1.9.5.

Saturday, December 31, 2011

CVE-2011-5018, Koala Framework, XSS, Resolved, Cross Site Scripting, CWE-79, CAPEC-86

fix XSS security issue: escape request_uri in 404 pages
commit 59f81ea6bd8ef96c04a706a3ca453cd656284faa1 parent e681f050ea
nsams-vivid-planet authored
Showing 1 changed file with 1 addition and 1 deletion.
M Kwf/Exception/Abstract.php
@@ -74,7 +74,7 @@ public function render($ignoreCli = false)
7474
         $view->exception = $this->getException();
7575
         $view->message = $this->getException()->getMessage();
7676
         $view->requestUri = isset($_SERVER['REQUEST_URI']) ?
77 
-            $_SERVER['REQUEST_URI'] : '' ;
 77
+            htmlspecialchars($_SERVER['REQUEST_URI']) : '' ;
7878
         $view->debug = Kwf_Exception::isDebug();
7979
         $header = $this->getHeader();
8080
         $template = $this->getTemplate();
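Review bot: htmlspecialchars() is called on the `+` line with its default flags, which on the PHP versions current for this commit means ENT_COMPAT (single quotes are left unencoded) and an ISO-8859-1 default charset; that is sufficient for HTML body text and double-quoted attributes, but not if the 404 template places $view->requestUri inside a single-quoted attribute or a script block. Passing explicit arguments, e.g. `htmlspecialchars($_SERVER['REQUEST_URI'], ENT_QUOTES, 'UTF-8')`, covers both quote styles and pins the charset. A second point: escaping at assignment rather than at output means the view variable now carries pre-encoded data, so any template-level escaping will double-encode it and any non-HTML consumer of the variable gets entity-encoded text; a comment on the assignment or a name such as requestUriHtml would make that contract explicit.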

CVE-2011-4776, CVE-2011-4777, Parallels Plesk Panel v10.4.4_build20111103.18 os_Windows 2003/2008, XSS, Cross Site Scripting, CWE-79, CAPEC-86

CVE Assignments for Parallels Plesk Panel v10.4.4_build20111103.18 os_Windows 2003/2008


Commentary, Discussion and Analysis: Hoyt LLC Research sends thanks to Secunia Vulnerability Research for arriving at the same conclusions; most of the XSS Bugs aren't exploitable because the sML uniquifier negates most of the XSS issues. The interesting observation is that the SCAP Tools don't fingerprint these Bugs!

Parallels implemented an Authentication Mechanism as a Workaround in Version 10.2.0 instead of fixing the unsanitized output. Subsequent research developed a Proof of Concept that delivers XSS which is unpublished until a Patch or further Workaround is available.

CVE-2011-4776 is specific to Parallels CPanel on Port 8443.

CVE-2011-4777 is specific to SiteBuilder on Port 8447.

Note that SiteBuilder has additional Exploits pending @ CVSS 8-10.

Thursday, December 29, 2011

CVE-2011-5020, Request for Contact, Online TV Database, Bug Report, No Vendor Contact

Request for Contact: Online TV Database Developer

CVE-2011-5020 is reserved as the ID for a Bug in Online TV Database.

To the developer(s): Please establish contact.

Thank You

XSS.Cx