Google Message Security SaaS (powered by Postini)
        - Security Console (Admin Console)
        - Message Center II

Improper Error Handling

Attack Vector:
From Remote



Multiple improper error handling vulnerabilities were identified in the Security Console/Admin Console (build 6_24) and Message Center II (build 6_24) services. When exploited, these vulnerabilities could disclose implementation details such as the location of resources on the server's file system, product and API versions, internal code, etc.

An attacker could gather such information and use it to devise further exploits (e.g. SQL Injection - see MVSA-10-001 advisory).

When supplied with malformed values for various parameters, the Security Console/Admin Console and Message Center II services return detailed errors exposing implementation details.

Security Console (Admin Console)

  • Manipulation of the beg_date and end_date parameters of the /exec/adminRep resource discloses the component, its location on the server file system, the build version, and the employed technology (programming language, version).

Message Center II

  • Manipulation of the sort_direction parameter of the /junk_quarantine/process and /trash/process resources allows identifying the employed database engine, and discloses SQL source code.
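
The remediation pattern for the parameters named above, as an added example (not code from the advisory or from Google): validate beg_date, end_date and sort_direction before use, and return fixed error messages while the details are logged server-side. The function names, the date format and the response shape are assumptions made for illustration.

```python
import logging
import uuid
from datetime import datetime

log = logging.getLogger("app.errors")

ALLOWED_SORT = {"asc": "ASC", "desc": "DESC"}  # allowlist maps input to fixed keywords
DATE_FORMAT = "%Y-%m-%d"                       # assumed format for beg_date/end_date


class BadRequest(Exception):
    """Input error whose message is a fixed string, safe to return to the client."""


def parse_params(params):
    """Validate the three parameters; never echo the raw value back."""
    try:
        beg = datetime.strptime(params.get("beg_date", ""), DATE_FORMAT).date()
        end = datetime.strptime(params.get("end_date", ""), DATE_FORMAT).date()
    except (ValueError, TypeError):
        raise BadRequest("invalid date range") from None
    if beg > end:
        raise BadRequest("invalid date range")
    direction = ALLOWED_SORT.get(str(params.get("sort_direction", "asc")).lower())
    if direction is None:
        raise BadRequest("invalid sort direction")
    return beg, end, direction


def handle(params, run_report):
    """Return (status, body). run_report is a hypothetical backend callable."""
    try:
        beg, end, direction = parse_params(params)
        return 200, run_report(beg, end, direction)
    except BadRequest as exc:
        return 400, {"error": str(exc)}
    except Exception:
        incident = uuid.uuid4().hex
        # Traceback (file paths, versions, SQL text) stays in the server log;
        # the client only gets an opaque id to quote to support.
        log.exception("unhandled error incident=%s", incident)
        return 500, {"error": "internal error", "incident": incident}
```

The incident id lets operators correlate a user report with the logged traceback without exposing that traceback in the response.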

Affected Versions

Security Console service of Google Message Security SaaS build 6_24 (January 2010).
Message Center II service of Google Message Security SaaS build 6_24 (January 2010).


Google fixed the issues in Security Console build 6_25 (February 2010) and Message Center II build 6_25 (February 2010).

Disclosure Timeline

2010, January 24: Vulnerabilities discovered and documented
2010, January 24: Notification sent to Google
2010, January 24: Google acknowledged the vulnerabilities
2010, January 29: Additional vulnerability discovered and documented
2010, January 30: Notification sent to Google
2010, February 3: Google acknowledged the vulnerability
2010, February 22: Fixes deployed in production (build 6_25)

2010, September 15: MVSA-10-003 security advisory published.


Dr. Marian Ventuneac