Westpoint Security Advisory

Title: 		Multiple Vulnerabilities in SuperScout Web Reports Server		
Risk Rating:	High	
Software: 	SurfControl SuperScout WebFilter
Platforms:	Win32 (WinNT/ Win2k)			
Vendor URL: 	www.surfcontrol.com	
Author:		Matt Moore <matt@westpoint.ltd.uk>	
Date:	        1st October 2002		
Advisory ID#:	wp-02-0005
CVE#:           CAN-2002-0705 - username/passwords accessible
                CAN-2002-0706 - weak encryption for passwords
                CAN-2002-0707 - large GET requests
                CAN-2002-0708 - Triple dot directory traversal
                CAN-2002-0709 - SQL injection


Surfcontrol's SuperScout Web Filter for Windows allows companies to monitor
and regulate their employees use of the internet. It offers comprehensive
reporting capabilities, and provides a 'web' interface for report retrieval.

Multiple vulnerabilities in the Web Reports Server could allow remote attackers
to compromise the host on which SuperScout is installed and also modify or remove
information from the database that it uses.


Usernames and Passwords Retrievable.
The file located at:


contains the usernames and passwords for each user of the reports server.
The usernames are in plain text, whilst the passwords are encrypted.

Weak Encryption
The encryption is implemented via a simple JavaScript, located at:


The EncryptString function takes two parameters 'text string' and 'key'.

Unfortunately, the key is hard-coded into another javaScript function and
hence it is trivial to decrypt the passwords. (The key is 'test').

The default administrative password, '3&8>>' decrypts to 'admin'.

As a result of this, an attacker can access any reports available
on the server.

DoS via Large GET request
Repeated large GET requests cause the reports service to consume 100% CPU,
at which point it no longer services requests. The server does appear to
recover eventually. However, this was not tested extensively.

Triple Dot Directory Traversal
An attacker can retrieve any file on the server via a simple directory
traversal attack, e.g.


SQL Injection Vulnerability
The various reports available are implemented as .dll's. Several of these perform
no input validation, and hence it is possible that an attacker could execute
arbitrary SQL queries against the database:

http://reports-server:8888/SimpleBar.dll/RunReport?...<various parameters>

The banner returned by the server is 'MS-MFC-HttpSvr/1.0'. A search for this
returned the following link:


The reports server appears to be based on a sample application from Microsoft.
Other servers based on this may be vulnerable to the directory traversal
and DoS attacks.

Vendor Response:
The vendor, SurfControl was initially contacted on 18/07/02.

The vendor stated that they were looking at ways to deliver reports
in different formats, and that these would encompass tighter security.
They had no definite timescales for this, but suggested the following
workaround (below).

Patch Information:

No patch available. Vendor supplied workaround:

Disable the reports server and consider using a terminal session to
the server to access the reports.

This advisory is available online at:


Designed & Built by e3creative