lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 10 Nov 2011 18:07:53 -0600
From: Jose Carlos de Arriba <jcarriba@...egroundsecurity.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
  "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: [FOREGROUND SECURITY 2011-004] Infoblox NetMRI 6.2.1 Multiple
 Cross-Site Scripting (XSS) vulnerabilities

============================================================
FOREGROUND SECURITY, SECURITY ADVISORY 2011-004
- Original release date: November 10, 2011
- Discovered by: Jose Carlos de Arriba - Senior Security Analyst at Foreground Security
- Contact: (jcarriba (at) foregroundsecurity (dot) com, dade (at) painsec (dot) com)
- Severity: 4.3/10 (Base CVSS Score)
============================================================

I. VULNERABILITY
-------------------------
Infoblox NetMRI 6.2.1 (latest version available when the vulnerability was discovered), 6.1.2 and 6.0.2.42 Multiple Cross Site Scripting - XSS (prior versions have not been checked but could be vulnerable too).

II. BACKGROUND
-------------------------
Infoblox NetMRI is a network automation solution for configuration, optimization and compliance enforcement. With hundreds of built-in rules and industry best practices, it automates network change, intelligently manages device configurations and reduces the risk of human error. 

III. DESCRIPTION
-------------------------
Infoblox NetMRI 6.2.1 (latest version available when the vulnerability was discovered), 6.1.2 and 6.0.2.42 presents multiple Cross-Site Scripting vulnerabilities on its "eulaAccepted" and "mode" parameters in the admin login page, due to an insufficient sanitization on user supplied data and encoding output.
A malicious user could perform session hijacking or phishing attacks.

IV. PROOF OF CONCEPT
-------------------------
POST /netmri/config/userAdmin/login.tdf HTTP/1.1
Content-Length: 691
Cookie: XXXX
Host: netmrihost:443
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)

formStack=netmri/config/userAdmin/login&eulaAccepted=<script>alert(document.cookie)</script>&mode=<script>alert(document.cookie)</script>&skipjackPassword=ForegroundSecurity&skipjackUsername=ForegroundSecurity&weakPassword=false

V. BUSINESS IMPACT
-------------------------
An attacker could perform session hijacking or phishing attacks.

VI. SYSTEMS AFFECTED
-------------------------
Infoblox NetMRI 6.2.1 (latest), 6.1.2 and 6.0.2 branches (prior versions have not been checked but could be vulnerable too).

VII. SOLUTION
-------------------------
Vulnerability fixed on 6.2.2 version - available as of 10 Nov 2011

Also the following security patches are available:

- v6.2.1-NETMRI-8831
- v6.1.2-NETMRI-8831
- v6.0.2-NETMRI-8831


VIII. REFERENCES
-------------------------
http://www.infoblox.com/en/products/netmri.html
http://www.foregroundsecurity.com/
http://www.painsec.com

IX. CREDITS
-------------------------
This vulnerability has been discovered by Jose Carlos de Arriba (jcarriba (at) foregroundsecurity (dot) com, dade (at) painsec (dot) com).

X. REVISION HISTORY
-------------------------
- November 10, 2011: Initial release.

XI. DISCLOSURE TIMELINE
-------------------------
August 28, 2011: Vulnerability discovered by Jose Carlos de Arriba.
August 28, 2011: Vendor contacted by email.
August 29: Vendor response asking for details.
September 21, 2011: Security advisory sent to vendor.
November 10, 2011: Security Fix released by vendor.
November 10, 2011: Security advisory released.


XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"with no warranties or guarantees of fitness of use or otherwise.

Jose Carlos de Arriba, CISSP
Senior Security Analyst
Foreground Security
www.foregroundsecurity.com
jcarriba (at) foregroundsecurity (dot) com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ