F5 BIG-IP Web Management Console CSRF
Product: F5 BIG-IP
http://www.f5.com/products/big-ip/
By design the F5 BIG-IP web management interface allows a logged-in user with Resource Manager or Administrator privileges to execute an arbitrary bigpipe shell command through the web "Console" feature. It is possible to craft URL links that would execute the command with a simple HTTP GET request. Cross-site attacks may leverage this functionality to reconfigure the BIG-IP appliance, including creating new administrators.
Acronis Group Server is a component of Acronis True Image Echo Server
(Workstation and Enterprise packages) which "allows the viewing and
managing of backup tasks for all systems in the network from the
Acronis Management Console".
#######################################################################
======
solution incorporating LTO Ultrium tape technology.
Credit: Martin Murfitt of Trustwave SpiderLabs
Finding: Authentication Bypass (Web Management Console)
CVE: CVE-2011-1372
The IBM TS3200/TS3200 Web User Interface is vulnerable to an authentication
bypass attack. By sending a series of requests to the authentication
function, it is possible to trigger a condition which causes the
Vulnerability:
The web management interface of Citrix NetScaler stores the user's credentials in an encrypted form in the cookie, namely values ns1 and ns2. In addition the cookie contains other encrypted information in values ns3, ns4, and ns5. Since the encryption is a simple XOR with a fixed key stream it is possible to determine parts of the key stream by XOR'ing a known plaintext with its corresponding ciphertext. This in turn allows the attacker to recover the plaintext form of the user's credentials by applying the key stream to cookie values ns1 and ns2. Furthermore, the cipher does not in any way pad the plaintext before it gets encrypted so the length of the ciphertext is equal to the length of the plaintext, which also provides a clue about the plaintext.
There are several approaches to obtain the ciphertext for some known plaintext:
* Log into the management console with the attacker's own credentials (if the attacker is a configured user, even with minimal privileges) and analyze his own cookie.
* Make an educated guess about the username contained in ns1. (As an example, the default root user on NetScaler is "nsroot".)
* Make an educated guess about the device hostname or IP address, which is contained in ns3. (As an example, the "main" IP address is stored unencrypted in cookie value "domain". This is a minor vulnerability all by itself.)
* Use cookie value ns4, which is an encrypted value of "NS".
* Use cookie value ns5, which is an encrypted value of either "true" or "false".
Hi list,
-- Product description (from vendor site):
The Sourcefire Defense Center(R) management console is the "nerve center" of the
Sourcefire 3D(R) System. It provides a powerful, easy-to-use interface for
categorizing events, generating recurring reports, scheduling automated IPS,
NGIPS, and NGFW detection content updates, configuring policies, and displaying
customizable dashboards to quickly communicate sensor feedback.
