IBM Open Admin Tool XSS

2011-09-08 / 2011-09-09
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

??XSS in IBM Open Admin Tool (OAT_2.27_install_windows.exe)? Product version tested : OAT v2.27 Vendore has been informed : July 27, 2010 They fix the vulnerability on : March 2011 Fixed version: OAT v2.72 Credit : sumit kumar soni (ssummit (at) gmail (dot) com [email concealed]) Product Link: https://www14.software.ibm.com/webapp/iwm/web/reg/download.do?source=swg -informixfpd&lang=en_US&S_PKG=dl&cp=UTF-8 Tested on windows XP Open Admin tool For IDS Cross Site Scripting Vulnerability OpenAdmin Tool is a PHP-based Web browser administration tool for managing one or more Informix Dynamic Servers. The OpenAdmin Tool for IDS provides the ability to monitor and administer multiple database IDS server instances from a single location. There is a XSS vulnerability exist in its index page for parameter named informixserver , host & port. POC: http://server:8080/openadmin/index.php?act=login&do=dologin&login_admin= Login&groups=1&grouppass=&informixserver= &host= &port= &username= &userpass= &idsprotocol=onsoctcp&conn_num Regards Sumit Kumar Soni ssummit (at) gmail (dot) com [email concealed] http://voidroot.blogspot.com/2011/08/xss-in-ibm-open-admin-tool.html

References:

http://xforce.iss.net/xforce/xfdb/69488
http://www.securityfocus.com/bid/49364
http://www.securityfocus.com/archive/1/archive/1/519468/100/0/threaded
http://voidroot.blogspot.com/2011/08/xss-in-ibm-open-admin-tool.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top