Vulnerability Tutorial - WhatsUp Gold vulnerabilities
Updated: 08/27/12 (RED light)
Impact
A remote attacker could execute arbitrary commands, inject arbitrary SQL code, disclose potentially sensitive information, or cause a denial of service.
Background
WhatsUp Gold is a network monitoring utility for Windows. It can be configured to run a web server. WhatsUp Professional is the follow-on product to WhatsUp Gold.
The Problem

Ipswitch WhatsUp Gold SQL Injection Vulnerabilities

08/27/12
CVE NONE-0432
Ipswitch WhatsUp Gold before 14.4.2 is prone to multiple vulnerabilities, which can be exploited by malicious people to conduct SQL injection attacks. Certain unspecified input is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

"sGroupList" SQL Injection Vulnerability

08/02/12
CVE 2012-2601
CVE 2012-4344
Ipswitch WhatsUp Gold 15.0.2 and prior are prone to a vulnerability, which can be exploited by malicious people to conduct SQL injection attacks. Input passed via the "sGroupList" parameter is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

"ExportViewer.asp" Directory Traversal Vulnerability

04/03/12
CVE NONE-0362
Ipswitch WhatsUp Gold before 15.0.2 is prone to a vulnerability, which can be exploited by malicious users to disclose potentially sensitive information. Certain input is not properly verified in HTML/NmConsole/Reports/Full/Common/Export/ExportViewer.asp before being used to display files. This can be exploited to disclose arbitrary files via directory traversal sequences.

LDAP Authentication Security Bypass Vulnerability

09/06/11
CVE NONE-0270
Ipswitch WhatsUp Gold before 15.0.1 is prone to a vulnerability, which can be exploited by malicious people to bypass certain security restrictions. The security issue is caused by an unspecified error when handling authentication via LDAP and can be exploited to log in without a valid password.

SNMP Smart Scan Denial of Service Vulnerability

07/14/11
CVE NONE-0250
Ipswitch WhatsUp Gold is prone to a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by an unspecified error when handling SNMP responses during the discovery process and can be exploited to crash the Discovery Service via a specially crafted SNMP response.

WhatsUp Professional Multiple Input Validation vulnerabilities

05/25/06
CVE 2006-2351
CVE 2006-2352
CVE 2006-2353
CVE 2006-2354
CVE 2006-2355
CVE 2006-2356
CVE 2006-2357
WhatsUp Professional is a server monitoring application implemented in ASP. The application is prone to multiple input validation vulnerabilities because it fails to properly sanitize user-supplied input. These include cross-site scripting, site redirection, username determination, and disclosure of path information, node information, and source code.

Source Code Disclosure and Cross-site Scripting

09/19/05
WhatsUp Gold 8.04 and earlier are affected by two vulnerabilities. The first is a cross-site scripting vulnerability in the map.asp script. Arbitrary script contained in the map parameter could run in an authenticated user's browser when the user clicks on a specially crafted link. The second is a source code disclosure vulnerability. An authenticated user could view the source code of ASP files by appending a period or the string ::$DATA to the URL request.

SQL Injection on Login Page

06/24/05
CVE 2005-1250
WhatsUp Gold runs an optional web interface on port 80. The main login page, located at /NmConsole/Login.asp, is affected by an SQL injection vulnerability in the user name and password fields. A remote attacker could execute arbitrary SQL commands, leading to administrative access to the WhatsUp Gold application. WhatsUp Gold Professional 2005 SP1 and earlier are affected by this vulnerability.
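The login-page issue above is the classic case of user-supplied fields being concatenated into SQL text. The following is an added illustration, not code from WhatsUp Gold or from the advisory: it uses a constructed in-memory SQLite table (the product's real schema is not on the page) to contrast a concatenated query with a parameterized one, and feeds both the textbook single-quote input so the difference in behaviour is visible.

```python
import sqlite3


def make_db():
    # Constructed stand-in for a login store; table and row are sample data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # The defect class described for Login.asp: user-controlled strings are
    # spliced into the SQL text, so a quote in the input changes the query.
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    # Placeholders keep the values separate from the SQL text; the driver
    # binds them as data, so quotes cannot alter the query structure.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    conn = make_db()
    # Textbook input: the extra OR clause is true for every row in the
    # concatenated query, but is just an unmatched literal when bound.
    crafted = "admin' OR '1'='1"
    return {
        "vulnerable_valid": login_vulnerable(conn, "admin", "correct-horse"),
        "vulnerable_crafted": login_vulnerable(conn, crafted, "wrong"),
        "parameterized_valid": login_parameterized(conn, "admin", "correct-horse"),
        "parameterized_crafted": login_parameterized(conn, crafted, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The parameterized version is the fix to look for when reviewing ASP or any other data-access code: the query text is fixed at development time and only the bound values vary per request.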

Notification Instance Name Buffer Overflow

09/13/04
WhatsUp Gold 8.03 Hotfix 2 fixed a buffer overflow in Notification instance names. This vulnerability could allow remote code execution by sending a specially crafted request to the web interface. The same hotfix also resolves a denial of service problem in processing GET requests for prn.htm.

_maincfgret.cgi Buffer Overflow

08/31/04
CVE 2004-0798
The _maincfgret.cgi program on the WhatsUp Gold web server is affected by a buffer overflow condition. A remote attacker could cause arbitrary commands to run on the server by sending a request for this script with a long, specially crafted instancename parameter. WhatsUp Gold 8.03 and possibly earlier versions are affected by this vulnerability if the web service is enabled.
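Three of the issues described above leave recognisable traces in the web server's request log: directory traversal sequences against ExportViewer.asp, requests for ASP files with a trailing period or the ::$DATA suffix, and an abnormally long instancename parameter sent to _maincfgret.cgi. The scanner below is an added example for defenders, not code from the advisory or the vendor; it runs over constructed IIS W3C-style log lines (a simplified field layout of date, time, method, URI stem, URI query, client IP, status) and the 256-character length threshold is an assumption, not a value from the page.

```python
import urllib.parse
from typing import List, Tuple

# Assumed threshold for a "suspiciously long" parameter value; the real
# overflow length is not stated in the advisory.
MAX_PARAM_LEN = 256

# Constructed sample log lines in a simplified W3C layout:
# date time method uri-stem uri-query client-ip status  ("-" = empty query)
SAMPLE_LOG = [
    "2012-08-27 10:01:02 GET /NmConsole/Login.asp - 10.0.0.5 200",
    "2012-08-27 10:01:09 GET /NmConsole/Reports/Full/Common/Export/ExportViewer.asp "
    "file=..%2F..%2F..%2Fexample.txt 10.0.0.7 200",
    "2012-08-27 10:02:15 GET /NmConsole/map.asp. - 10.0.0.7 200",
    "2012-08-27 10:02:20 GET /NmConsole/map.asp%3A%3A%24DATA - 10.0.0.7 200",
    "2012-08-27 10:03:01 GET /_maincfgret.cgi instancename=" + "A" * 600 + " 10.0.0.9 500",
    "2012-08-27 10:03:30 GET /NmConsole/Reports/Full/Common/Export/ExportViewer.asp "
    "file=report1.xml 10.0.0.5 200",
]


def decode(value: str) -> str:
    # Decode twice so %252E-style double encoding is normalised as well.
    return urllib.parse.unquote(urllib.parse.unquote(value))


def analyze_line(line: str) -> List[str]:
    """Return the list of rule names that fire for one log line."""
    parts = line.split()
    if len(parts) != 7:
        return ["unparseable"]
    _date, _time, _method, stem, query, _client, _status = parts
    stem_d = decode(stem)
    query_d = decode(query) if query != "-" else ""
    hits = []

    # Rule 1: traversal sequences anywhere in the path or query
    # (the ExportViewer.asp issue).
    for text in (stem_d, query_d):
        if "../" in text or "..\\" in text:
            hits.append("directory-traversal")
            break

    # Rule 2: ASP source disclosure tricks: trailing period or ::$DATA.
    low = stem_d.lower()
    if low.endswith(".asp.") or "::$data" in low:
        hits.append("asp-source-disclosure")

    # Rule 3: overlong parameter values (the _maincfgret.cgi instancename case).
    for param in query_d.split("&"):
        name, _, value = param.partition("=")
        if len(value) > MAX_PARAM_LEN:
            hits.append(f"overlong-parameter:{name}")

    return hits


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Scan a log and return (line index, hits) for every line that matched."""
    results = []
    for idx, line in enumerate(lines):
        hits = analyze_line(line)
        if hits:
            results.append((idx, hits))
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG):
        print(f"line {idx}: {', '.join(hits)}")
```

Decoding before matching matters because all three patterns are routinely sent percent-encoded; matching on the raw log field would miss the `%2F` and `%3A%3A%24DATA` forms shown in the sample.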

Resolution
For the WhatsUp Professional Multiple Input Validation vulnerabilities, restrict access to port 8022/tcp (or whichever access port is configured), disable the "Enable web server on port [port]" setting if it is enabled, and do not visit other web sites while logged in. Upgrade WhatsUp Gold to a version higher than 15.0.2 when available.
More Information
The Ipswitch WhatsUp Gold SQL Injection vulnerabilities were reported in Secunia Advisory SA50401.

The "sGroupList" SQL Injection vulnerability was reported in Secunia Advisory SA50002.

The "ExportViewer.asp" Directory Traversal vulnerability was reported in Secunia Advisory SA48590.

The LDAP Authentication Security Bypass vulnerability was reported in Secunia Advisory SA45830.

The SNMP Smart Scan Denial of Service vulnerability was reported in Secunia Advisory SA45142.

The WhatsUp Professional Multiple Input Validation vulnerabilities were reported in Secunia Advisory SA20075.

The cross-site scripting and source code disclosure vulnerabilities were reported in CIRT advisories 35 and 36.

The SQL injection vulnerability was reported by iDEFENSE.

The notification instance name vulnerability was reported by the vendor in the WhatsUp Gold 8.03 Hotfix 2 description.

The _maincfgret.cgi vulnerability was reported in iDEFENSE security advisory 08.25.04.