IBM Open Admin Tool 2.27 Cross Site Scripting

`“XSS in IBM Open Admin Tool (OAT_2.27_install_windows.exe)”  
  
Product version tested : OAT v2.27  
  
Vendore has been informed : July 27, 2010  
  
They fix the vulnerability on : March 2011  
  
Fixed version: OAT v2.72  
  
Credit : sumit kumar soni ([email protected])  
  
Product Link:   
https://www14.software.ibm.com/webapp/iwm/web/reg/download.do?source=swg-informixfpd&lang=en_US&S_PKG=dl&cp=UTF-8  
  
  
  
Tested on windows XP  
  
Open Admin tool For IDS Cross Site Scripting Vulnerability  
  
OpenAdmin Tool is a PHP-based Web browser administration tool for managing one   
or more Informix Dynamic Servers. The OpenAdmin Tool for IDS provides the   
ability to monitor and administer multiple database IDS server instances from a   
single location.  
  
There is a XSS vulnerability exist in its index page for parameter named   
informixserver , host & port.  
  
POC:  
  
http://server:8080/openadmin/index.php?act=login&do=dologin&login_admin=Login&groups=1&grouppass=&informixserver=  
  
&host= &port= &username= &userpass= &idsprotocol=onsoctcp&conn_num  
  
  
  
Regards  
  
Sumit Kumar Soni  
  
[email protected]  
http://voidroot.blogspot.com/2011/08/xss-in-ibm-open-admin-tool.html  
`