Whitehat.org.uk Advisory (1) Mercury SiteScope 8.2 (8.1.2.0) Cross Site Scripting (XSS) Vulnerability Vulnerability Type: Active code injection (XSS) Problem Discovered: 14 September 2006 Vendor Contacted: 14 September 2006 Advisory Published: 29 September 2006 Abstract: Mercury SiteScope is an agentless system monitoring solution designed to ensure the availability and performance of distributed IT infrastructures available on the Microsoft Windows Server platform as well as others. Description: User supplied HTML code is executed by the sitescope. Technical Details: Mercury sitescope 8.2 does not correctly validate user submitted input, making it possible to execute user submitted code by the sitescope web engine. 1) With the exception of "create new group name", any field create name field was susceptible to exploitation. 2) Any "description" field was susceptible to exploitation. Additional Issues: Attempting to inject HTML code in the "new monitor description" field resulted in a loss of connectivity to the classic interface. Workaround: None at present - This may be considered a low risk issue as the user will need to be authenticated in order inject the maliciuos code, however, this attack vector could leveraged to steal session information. The vendor has been notified, however, has been non-responsive. Tested Versions: Mercury Sitescope 8.2 on Windows 2003 server - avaliable from http://www.mercury.com Credits: Ozkan Aziz Greetings: Gyan (dude), Varun :) , Gerald (Wheeey), Chitt (eCrimes) Disclaimer: This advisory intended to be informational. No responsibility is taken for its misuse.