Ipswitch WhatsUp Professional NmConsole/ToolResults.asp sHostname Variable XSS

2006-05-11T09:02:38
ID OSVDB:25470
Type osvdb
Reporter David Maciejak(david.maciejak@gmail.com)
Modified 2006-05-11T09:02:38

Description

Vulnerability Description

WhatsUp Professional contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'sHostname' variable upon submission to the 'NmConsole/ToolResults.asp' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Technical Description

An attacker must supply valid authentication credentials in order to exploit this vulnerability.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

WhatsUp Professional contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'sHostname' variable upon submission to the 'NmConsole/ToolResults.asp' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Manual Testing Notes

http://[target]:8022/NmConsole/ToolResults.asp?bIsIE=true&nToolType=0&sHostname=%3cscript%3ealert('me')%3c/script%3e&nTimeout=2000&nCount=1&nSize=32&btnPing=Ping

References:

Vendor URL: http://www.ipswitch.com/products/whatsup/professional/premium_vs_standard.asp Secunia Advisory ID:20075 Related OSVDB ID: 25474 Related OSVDB ID: 25477 Related OSVDB ID: 25473 Related OSVDB ID: 25469 Related OSVDB ID: 25471 Related OSVDB ID: 25472 Related OSVDB ID: 25475 Related OSVDB ID: 25476 Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-05/0294.html FrSIRT Advisory: ADV-2006-1787 CVE-2006-2351 Bugtraq ID: 17964