Dr. Web Control Center Admin UI Remote Script Code Injection
=============================================================

Affected Products/Versions
--------------------------

Product Name: Dr. Web Enterprise Server
Version Number: 6.00.3.201111300

Product/Company Information
---------------------------

From Dr. Web's website:

"Dr.Web Enterprise Security Suite is a set of Dr.Web software products incorporating anti-viruses
for protection of all hosts in a corporate network and a single Control Center for managing most of the products."

Dr. Web's website can be found at http://www.drweb.com

Vulnerability Description
-------------------------

Dr. Web Enterprise Security Suite is managed via a web based interface called Control Center.

If an attacker supplies JavaScript code instead of a username on the login page, that script is recorded with
the login attempt and executed automatically every time an administrative user views the audit log (a stored
cross-site scripting vulnerability in the Control Center).

This attack can be used to steal authentication cookies or to drive further attacks.

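The following is an added illustration of the defect class described above, not code from Dr. Web or from the
advisory author. It assumes a generic audit-log viewer that builds HTML rows from log records; the record layout,
the field names and the sample entries (including the markup in the username field) are constructed for the
example. The vulnerable renderer copies the username into the page as markup, the fixed renderer HTML-encodes
every untrusted field first, and a small check flags log records whose username field already contains markup,
which is what a defender would look for in an existing audit log.

```python
import html
import re

# Constructed audit-log records, not taken from the advisory or the product.
# The username entered on the login form is copied verbatim into the log,
# which is the data path the advisory describes.
AUDIT_LOG = [
    {"time": "2012-07-13 10:00:00", "event": "login failed", "user": "admin"},
    # constructed sample of a username that carries markup instead of a name
    {"time": "2012-07-13 10:00:05", "event": "login failed", "user": "<script>x()</script>"},
]


def render_row_vulnerable(entry):
    """Build a table row by plain string formatting. The username reaches the
    administrator's browser as live markup, so anything stored in that field
    is interpreted as HTML/script when the audit log is viewed."""
    return "<tr><td>{time}</td><td>{event}</td><td>{user}</td></tr>".format(**entry)


def render_row_fixed(entry):
    """Same row, but every untrusted field is HTML-encoded (including quotes)
    before it is placed into the markup, so stored input is displayed as text."""
    cells = (html.escape(str(entry[k]), quote=True) for k in ("time", "event", "user"))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def render_audit_log(entries, renderer):
    """Render the whole log with the given row renderer."""
    return "<table>\n" + "\n".join(renderer(e) for e in entries) + "\n</table>"


# Detection side: a username field that already contains markup characters or
# a javascript: scheme is a sign that this attack has been attempted against the
# login page, whether or not the viewer is patched.
MARKUP = re.compile(r"""[<>"']|javascript:""", re.IGNORECASE)


def suspicious_usernames(entries):
    """Return the log records whose username field contains markup."""
    return [e for e in entries if MARKUP.search(str(e["user"]))]


if __name__ == "__main__":
    print(render_audit_log(AUDIT_LOG, render_row_vulnerable))
    print(render_audit_log(AUDIT_LOG, render_row_fixed))
    for e in suspicious_usernames(AUDIT_LOG):
        print("suspicious username at", e["time"], ":", repr(e["user"]))
```

The fix is output encoding at the point where the log is rendered, not input filtering on the login form: the
audit log must be able to record exactly what was submitted, so the stored value stays as-is and only its HTML
representation is neutralised.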
Patch Information
-----------------

Patch is available from vendor.

Advisory Information
--------------------

This advisory: http://www.oliverkarow.de/research/drweb.txt

History
-------

13/07/2012 - Informing Dr. Web about vulnerability
16/07/2012 - Initial response from Dr. Web
23/07/2012 - Fix successfully tested, sent response to Dr. Web
30/07/2012 - Advisory release