KBA 135412 - Fixing SQL injection vulnerability, impact on SSL VPN

If you disable the User Portal, you do NOT need to re-send the EXE or anything. I typically have the User Portal enabled on WAN for initial client deployment so they can download it themselves, then I cut it off on the Device Access tab.

Any webpage with an input field like username/pass such as the User Portal or the Admin login page is exploitable using SQL injection. EDIT: exploitable *IF* input validation was not implemented, and fuzz techniques weren't implemented in Quality Assurance department

Hello apalm123,

it is more than obvious that the developers did nothing like that. It surprises me that this product received EAL4 + certification about two weeks ago.
Incredibly...

Regards

alda

Can you check on yours XGs if You can reach user portal even its not selected on WAN interface ?

Only what i got selected on WAN is SSLVPN BUT i still can access a user portal...

Can you check on yours XGs if You can reach user portal even its not selected on WAN interface ?

Only what i got selected on WAN is SSLVPN BUT i still can access a user portal...

Yes I can! Is it possible? Please look in the logs too, in some of our devices are deleted. Who did delete the logs, the hotfix or the hackers?

Hello Roman,

it's really crazy.

Unfortunately I have to confirm your finding, I have deactivated WebAdmin and UserPortal on the WAN zone and only SSL VPN is active but I can connect to UserPortal!
I have access to WebAdmin only through ACL rules from defined IP networks, but although I tried to access UserPortal from a mobile phone (and this network is definitely not allowed through ACL), access to UserPortal is possible but not to WebAdmin.

Probably better without comment, I don't think the developers did a good job!

Regards

alda

Well thats seems to be another potential vulnerability. Ofcourse WebAdmin access Should be turned off via WAN -> but userportal should be also restricted. I hope that sophos will fix it ;) If im good remember on v17.5 it was fixed but i cant remember directly ;)

I can confirm this also.  Only SSL VPN is enabled on WAN and User portal still accessible.

AdamBasalyga said:

I can confirm this also.  Only SSL VPN is enabled on WAN and User portal still accessible.

 

Not seeing this with ours.  You sure there's not an override ACL below the device access matrix?  We use that to enable admin access from our own management IPs.

This appears to be happening only if your VPN and User portal are both sharing 443.   If they are on different ports than it works as expected.  We usually use 443 for both since non-standard ports are often restricted depending on the remote users environment. 

Ah, that makes sense.  We keep them separate on ours.  Good to know.

Goot to know ;) ive changed right away^^

It's on the Admin settings tab of Administration.