lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 28 May 2009 10:59:51 +0700
From: Bkis <svrt@...v.com.vn>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [Bkis-09-2009] XSS vulnerability in 'Monitor_Bandwidth' - PRTG Traffic
 Grapher

XSS vulnerability in 'Monitor_Bandwidth' - PRTG Traffic Grapher 
<http://blog.bkis.com/?p=704>

1. General information

PRTG Traffic Grapher is a network monitoring solution, which helps 
manage and classify bandwidth usage of a network by providing accurate 
results about network traffic and usage trends in graphs and tables. The 
software also supports SNMP (Simple Network Management Protocol). PRTG 
Traffic Grapher is available at http://www.paessler.com.

In April 2009, Bkis discovered a vulnerability in PRTG Traffic Grapher. 
A hacker might exploit this hole to insert malicious codes into links to 
be executed in the user’ browsers, resulting in the loss of cookies, 
session, etc.

Bkis has sent the warning to PRTG Traffic Grapher developer and the 
vulnerability has now been fixed.

Details : http://blog.bkis.com/?p=704
Bkis Advisory : Bkis-09-2009.
Initial vendor notification : 11/05/2009
Release Date : 28/05/2009
Update Date : 28/05/2009
Discovered by : Truong Truong Quan, Bkis.
Attack Type : XSS.
Security Rating : High.
Impact : Code Execution.
Affected Software : PRTG Traffic Grapher V6.2.2.977 and earlier versions.

2. Technical details

The identified XSS vulnerability resides in the Monitor_Bandwidth 
function of the software. Specifically, the software fails to adequately 
validate the input parameters.

To exploit the hole, hackers will trick users into accessing the links 
containing malicious scripts. If users have already logged in PRTG 
Traffic Grapher as administrators, the hackers will be able to gain the 
control over the work sessions and then the complete control over PRTG 
Traffice Grapher.

3. Solution
Bkis recommends that organizations, businesses using PRTG Traffic 
Grapher immediately get the latest version of the software at 
http://www.paessler.com/prtg6/download

Bkis


Powered by blists - more mailing lists