HP Intelligent Management Center 5.1 E0202 Cross Site Scripting

2013-03-04T00:00:00
ID PACKETSTORM:120633
Type packetstorm
Reporter Julien Ahrens
Modified 2013-03-04T00:00:00

Description

                                        
                                            `Inshell Security Advisory  
http://www.inshell.net  
  
  
1. ADVISORY INFORMATION  
-----------------------  
Product: HP Intelligent Management Center  
Vendor URL: www.hp.com  
Type: Cross-Site Scripting [CWE-79]  
Date found: 2012-06-08  
Date published: 2013-03-04  
CVSSv2 Score: CWE-79: 3,5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)  
CVE: -  
  
  
2. CREDITS  
----------  
This vulnerability was discovered and researched by Julien Ahrens from  
Inshell Security.  
  
  
3. VERSIONS AFFECTED  
--------------------  
HP Intelligent Management Center v5.1 E0202, older versions may be  
affected too.  
  
  
4. VULNERABILITY DESCRIPTION  
----------------------------  
An Non-Persistent Cross-Site Scripting vulnerability has been identified  
in HP Intelligent Management Center v5.1 E0202.  
  
Vulnerable module (all parameters):  
+/imc/topo/topoContent.jsf  
  
An attacker could temporarily inject arbitrary code with authenticated  
user interaction into the context of the admin - interface. Successful  
exploitation of the vulnerability allows for example cookie theft,  
session hijacking or client side context manipulation.  
  
  
5. PROOF-OF-CONCEPT (Code / Exploit)  
------------------------------------  
http://localhost:8080/imc/topo/topoContent.jsf?opentopo_symbolid="><img  
src="http://security.inshell.net/img/logo.png"  
onload=alert('XSS');>&opentopo_loader=null&opentopo_level1nodeid=3&topoorientation_parentsymbolid=null&topoorientation_devsymbolid=null&topoorientation_level1nodeid=null&topoorientation_loader=null&checknode=null&ywkeys=isvlan&ywvalues=1&uselefttree=null&usetabpane=null&HandleMode=null&toponamelist=null  
  
For additional screenshots and/or PoCs visit:  
http://security.inshell.net/advisory/32  
  
  
6. SOLUTION  
-----------  
Update to latest version v5.2 E401  
  
  
7. REPORT TIMELINE  
------------------  
2012-06-08: Discovery of the vulnerability  
2012-06-08: Vendor assigns security tracking identifier "SSRT100881"  
2012-06-16: Vendor evaluates the problem report  
2012-06-29: Public disclosure date reached, contacting vendor  
2012-06-29: Vendor responds with "not even close to being ready"  
2012-07-01: Asking for an appropriate timeframe  
2012-07-08: Vendor statement: No timeframe available yet  
2012-08-01: Request for status update  
2012-08-06: Vendor is not able to reproduce the problem  
2012-08-06: Providing additional PoC-Code  
2012-10-04: Vendor provides new build for testing  
2012-10-16: Confirmation that the issue is fixed  
2012-11-09: Request for status update  
2012-11-16: Vendor gives update on release timeframe  
2013-02-19: Vendor releases v5.2 E401 which fixes the problem  
2013-03-04: Coordinated Disclosure  
  
  
8. REFERENCES  
-------------  
http://security.inshell.net/advisory/32  
`