SSD Advisory – Mako Web-server Tutorials Multiple Unauthenticated Vulnerabilities

Vulnerabilities Summary
The following advisory describes three (3) vulnerabilities found in Mako Server's tutorial pages.
The vulnerabilities found are:

  • Unauthenticated Arbitrary File Write vulnerability that leads to Remote Command Execution
  • Unauthenticated File Disclosure
  • Unauthenticated Server Side Request Forgery

As these tutorials may be used as the basis for production code, it is important for users to be aware of these issues.
“As a compact application and web server, the Mako Server helps developers rapidly design secure IoT and web applications. The Mako Server provides an application server environment from which developers can design and implement complete, custom solutions. The Mako Web Server is ideal for embedded Linux systems.”
An independent security researcher, John Page AKA hyp3rlinx, has reported these vulnerabilities to Beyond Security's SecuriTeam Secure Disclosure program.
Vendor response
RealTimeLogic was informed of the vulnerabilities on Aug 13. While acknowledging receipt of the vulnerability information, the vendor refused to respond to the technical claims, to give a fix timeline, or to coordinate an advisory, saying:
“I just sent a formal notification for the commercial license requirement and also we need to put a maintenance contract in place.
Internally I need to set up a cost allocation account for billing against these support inquiries.”
At this time it is unclear whether these vulnerabilities are going to be fixed, and further attempts to get a status clarification failed.