Release date:
Updated on:
Affected Systems:
Arbornetworks Networks Peakflow SP 3.6.1
Unaffected Systems:
Arbornetworks Networks Peakflow SP 5.6
Arbornetworks Networks Peakflow SP 5.5 patch5
Arbornetworks Networks Peakflow SP 5.1.1 patch 5
Description:
--------------------------------------------------------------------------------
Bugtraq ID: 52881
CVE ID: CVE-2012-4685
Arbor Networks Peakflow SP is the core threat management component of the Peakflow SP solution, an application-aware system that integrates multiple services.
Arbor Networks Peakflow SP 5.1.1 before patch 6, 5.5 before patch 4, and 5.6.0 before patch 1 contain a cross-site scripting (XSS) vulnerability. The PATH_INFO passed to index is not properly handled, so an attacker can inject arbitrary web script or HTML.
<* Source: B. saleh
Link: http://www.securityfocus.com/archive/1/522191
http://www.securityfocus.com/archive/1/522211
*>
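The flaw class described above, shown as an added example that is not Peakflow SP code and not the vendor's fix: a PATH_INFO value reflected into an HTML attribute, first unencoded and then encoded for both URL and attribute context. The template, handler names and request environment are assumptions constructed for illustration; only the path value comes from this advisory.

```python
# Added example: constructed WSGI-style handlers, not Peakflow SP code.
import html
from html.parser import HTMLParser
from urllib.parse import quote

TEMPLATE = '<form action="/index%s" method="post"></form>'  # hypothetical page fragment

def render_vulnerable(environ):
    # PATH_INFO arrives already percent-decoded, so %22 in the URL is a raw " here.
    return TEMPLATE % environ.get("PATH_INFO", "")

def render_hardened(environ):
    # Re-encode for URL context, then escape for the HTML attribute context.
    path = quote(environ.get("PATH_INFO", ""), safe="/")
    return TEMPLATE % html.escape(path, quote=True)

class _AttrCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)

def attribute_names(markup):
    """Return the attribute names an HTML parser sees in the markup."""
    collector = _AttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.names

# Constructed request environment using the path from the advisory's test URL.
SAMPLE_ENV = {"SCRIPT_NAME": "/index", "PATH_INFO": '/"onmouseover="alert(666)'}

if __name__ == "__main__":
    for render in (render_vulnerable, render_hardened):
        out = render(SAMPLE_ENV)
        print(render.__name__, attribute_names(out), out)
```

In the unencoded output the parser reports an extra event-handler attribute that the template never defined; in the encoded output the whole path stays inside the action value.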
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
https://www.example.com/index/"onmouseover="alert(666)
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Arbornetworks
-------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
www.arbornetworks.com/cn/arbor-peakflow.html